Criptografia Asimetrica PDF

Cryptography
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Cryptography
Digital Certificates
Hash constructions
Classic
Asymmetric
Crytography
Multiplicative Groups
DH & ElGamal
Elliptic Curves
Definition
Dr. Jose L. Muoz

Telematics Engineering
Universitat Politcnica de Catalunya (UPC)
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
Version: 11 2011-02-21 19:27:38Z
1/80
Cryptography
1 Cryptographic Tools
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
Symmetric-key cryptography
Public-key cryptography
Hash Functions
Key Distribution
Hash constructions
2 Classic Asymmetric Crytography
DH & ElGamal
3 Elliptic Curves
Definition
Multiplying Points
EC over Fp
4 ECC
Digital Signature
Key Exchange
Encryption Scheme
Outline
2/80
Cryptography
Symmetric-key cryptography I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Symmetric-key cryptography is sometimes also called
secret-key cryptography.
Symmetric-key encryption involves using a single key K
to encrypt and to decrypt data.

The sender and the recipient share the knowledge of a
secret key that is used to encrypt and decrypt the

messages exchanged between them.
Formally:
The message M is encrypted by applying the symmetric
algorithm S to M using the key K :

C = SK (M)
The secret message C is decrypted by applying the
inverse algorithm S 1 to the secret message C with the
key K :
M = SK1 (C)
Cha & Cheons IBS
3/80
Cryptography
Symmetric-key cryptography II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
DES [?] (Digital Encryption Standard) and its extended
version Triple-DES [?] (3DES) have been the most

popular symmetric-key systems during many years.
Recently, the AES [?] (Advanced Encryption Standard)
has been designated as the successor of DES.

Generally speaking, symmetric-key systems are
simpler and faster than the public-key ones.
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Their main drawback is that the two parties must
somehow exchange the symmetric key in a secure way,

this problem is relevant for large scenarios and it is is
known as the key distribution problem.
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
4/80
Cryptography
Asymmetric-key cryptography I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Public-key cryptography (PKC) is asymmetric.

It involves the use of two separate keys, in contrast to
the symmetric cryptography, which uses only one key.

One of these keys is public i.e., known by everybody.
The other key is private i.e., secret.
The public-key cryptography makes easier the key
distribution problem because the public key can be

distributed without keeping it secret, and the private key
is never transmitted.
Diffie and Hellman postulated the conditions that a
public-key system must fulfill [?]:
1
It is computationally easy for a party B to generate a

pair: (public key KUB , private key KRB ).
Boneth and
Franklins IBE
Cha & Cheons IBS
5/80
Cryptography
Asymmetric-key cryptography II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
It is computationally easy for a sender A, knowing the

public key and the message to be encrypted, M, to
generate the corresponding ciphertext
C = EKUB (M)
3 It is computationally easy for the receiver B to decrypt
the resulting cipher text using the private key to recover
the original message.
M = DKRB (C) = DKRB [EKUB (M)]
4 It is computationally infeasible for an opponent, knowing
the public key, KUB , to determinate the private key, KRB .
5 It is computationally infeasible for an opponent, knowing
the public key, KUB , and a ciphertext, C, to recover the
original message, M.
2
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
6/80
Cryptography
Asymmetric-key cryptography III

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
There are also public-key systems that meet another
interesting property: either of the two related keys can

be used for encryption, with the other used for
decryption:
M = DKRB [EKUB (M)] = DKUB [EKRB (M)]
Depending on the application, the sender uses either
the senders private key or the receivers public key, or

both, to perform some type of cryptographic function.
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
7/80
Cryptography
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Asymmetric-key cryptography
IV
Public-key systems are mainly used for the following
purposes:
Encryption The sender encrypts a message with the
recipients public key.
Digital signatures A digital signature emulates a real,
physical signature by generating a digital
proof that only the creator/ sender of a
message can make, but everyone can
identify as belonging to the creator. An
encryption under the private key of the
creator serves as a signature that only the
owner of the private key can create, but
everyone with the public key can verify.
The encryption (signature) can be applied
to the complete message or to a small
Cha & Cheons IBS
8/80
Cryptography
Asymmetric-key cryptography V
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
block of data that is a function of the

message.
Key exchange Two parties cooperate to exchange a
session key (symmetric key). Several
different approaches are possible,
involving the private key(s) of one or both
parties.
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Some public-key algorithms are suitable for all three
applications, whereas others can be used only for one

or two of these applications. The most famous
public-key algorithm is RSA [?] (Rivest Shamir
Adleman) which can be used for all three applications,
whereas DSS [?] (Digital Signature Standard) is widely
used but only can be used for signing and DH [?] (Diffie
Hellman) can be used only for key exchange.
Boneth and
Franklins IBE
Cha & Cheons IBS
9/80
Cryptography
Hash functions
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Used in informatics in efficient database searching

Post direction searching:
6th avenue, 329, New York
Efficient searching with a hash function:
Example:
Use of ASCII code for every letter: 6=54, t=116...
The sum of all letters in ASCII code is: 1785
Has moves between 0 and 999. For hash obtainment,
hash = 1785mod1000 = 785
Direction hash is 785
Search in database the 785th entry
There are collisions!
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
10/80
Cryptography
Cryptographic
Tools
One Way Hash Functions

(OWHF) I
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
In security, we use non-invertible hash funcions also
called One Way Hash Functions (OWHF).
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
A OWHF is a function that takes a variable length input
(pre-image), and computes a fixed-length output string

(which is usually smaller than the pre-image) called the
hash value, digest or check value.
Given the hash it is computationally infeasible to find a
message (pre-image) with that hash.

In fact, one cant determine any usable information
about a message with that hash, not even a single bit.

For some OWHFs it is also computationally impossible
to determine two messages which produce the same

hash.
Cha & Cheons IBS
11/80
Cryptography

(OWHF) II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
One important role of OWHFs in cryptography is in the
provision of digital signatures.

Since hash functions are generally much faster than
digital signature algorithms, it is typical to compute the

digital signature to some document by computing the
signature on the documents hash value, which is small
compared to the document itself.
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Additionally, a digest can be made public without
revealing the contents of the document from which it is

derived.
A hash function H must have the following properties:
1
2
H can be applied to a block of data of any size.

H produces a fixed-length output.
Boneth and
Franklins IBE
Cha & Cheons IBS
12/80
Cryptography

(OWHF) III
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
H(M) is relatively easy to compute for any given M,

making both hardware and software implementations
practical.
4 For any given digest m, it is computationally infeasible
to find M such that H(M) = m.
5 For any given the message M, it is computationally
infeasible to find another message M 0 6= M with
H(M 0 ) = H(M).
6 It is computationally infeasible to find any pair (M, M 0 )
such that H(M) = H(M 0 ).
3
Examples of well-known hash functions are MD5 [?]
and SHA-1 (Secure Hash Algorithm-1) [?].

Now, we also have SHA-256, SHA-512, etc.
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
13/80
Cryptography
Symmetric keys distribution I

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Alice
Key Distribution
KpuA
Bob
Trivial
approximation
KpuB
Hash constructions
Classic
Asymmetric
Crytography
Alice
C(KpuB,M1)
Bob
DH & ElGamal
Elliptic Curves
Definition
C(KpuA,M2)
Multiplying Points
EC over Fp
ECC
Digital Signature
spoofing attack
Alice
KpuA
Trudy
Key Exchange
Encryption Scheme
Identity-based
cryptography
KpuT <<KpuB>>
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
14/80
Cryptography
Symmetric keys distribution II

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Trivial solution: If there is
N users, there must be

established N 2 secret
shared keys.
N 2 is not scalable. How
to do this in a shared
network?
There must be trusted
intermediaries
trusted intermediaries
are known as Key

Distribution Center(KDC)
is symmetric
cryptography
N users N (N 1)
relations
Bilinear Pairings
Boneth and
Franklins IBE
Alice and Bob need a shared symmetric key
Cha & Cheons IBS
15/80
Cryptography
Symmetric keys distribution III

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
KDC shares a symmetric key with each registered
users
Alice and Bob know only their symmetric shared key
with KDC
If there are N users, there are N shared
keys(User-KDC)
DH & ElGamal
Elliptic Curves
KA-KDC
Definition
Multiplying Points
EC over Fp
KB-KDC
ECC
KDC
KX-KDC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
KA-KDC
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
16/80
Cryptography
Symmetric keys distribution IV

Cryptographic
Tools
How is shared key created?
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
The most simple protocol is next:
Hash constructions
DH & ElGamal
Elliptic Curves
KDC
K A-KDC(A,B)
Classic
Asymmetric
Crytography
Alice
KS generated
KA-KDC(Ks , KB-KDC(A, Ks) )
Definition
Bob
Multiplying Points
EC over Fp
ECC
KB-KDC(A,Ks)
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Alice y Bob can communicate each other using

KS as a symmetric key
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
17/80
Cryptography
Public key announcement I

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Attack Men in the-Middle
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
Alice
KpuA
KpuT <<KpuB>>
Trudy
KpuT <<KpuA>>
Bob
KpuB
DH & ElGamal
Elliptic Curves
Definition
C(KpuT,M1)
C(KpuB,M1)
C(KpuA,M2)
C(KpuT,M2)
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
M1=f (M1)
M2=f (M2)
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
18/80
Cryptography
Public key announcement II

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
If keys exchange is done with the trivial approximation
through a KDC, there are the same attacks that in a

one-to-one exchange.
Hash constructions
Classic
Asymmetric
Crytography
The attack is a more complex because a Bob and KDC
spoofing is needed.
It can be done by changing the DNS
DH & ElGamal
KDC
Elliptic Curves
Definition
Alice
Multiplying Points
EC over Fp
ECC
Bob
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
19/80
Cryptography
Public keys exchange with an

intermediary and digital
signatures
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
CA
Classic
Asymmetric
Crytography
In this case, the
intermediary is called
Certification
Authority(CA)
DH & ElGamal
Elliptic Curves
Req?Bob
Definition
Multiplying Points
The CA signs public keys
EC over Fp
Bob
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Alice
C(KprCA,{Bob,KpuB})
that validate with key

owner identity
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
20/80
Cryptography
Certificates I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
A certificate is a digital document that connects
cryptographically a identity w with a public key

This relation is done with a digital signature
Certificates are emitted by a third trusted party called
Certification Authority(CA)
We can automatically trust with CA certificated users
With certificates, Men in the middle attack is neutralized
in public keys distribution

The only key that we must to confirm is the CA public
key
Public CA key is distributed with an auto-signed
certificate:
CA demonstrates that it knows its private key. Public
key transport is done with a certificate (standard way)
Cha & Cheons IBS
21/80
Cryptography
Certificates II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
Auto-signed certificates are called root certificates, and
their CA is called root CA
CRLs
long/short-lived.
Attribute certificates!
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
22/80
Cryptography
Hash Chains
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
A hash chain results from applying d + 1 times a hash h

over a secret nonce R:
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
h R h R
h
h
h
h
R
d d1 Ri R1 R0
primaryValue (R) is the secret nonce (the beginning of the hash chain). R is
only known by the generator.
currentIndex (i) is the current index of the chain.
maximumIndex (d) is the length of the chain.
baseValue (R0 ) is the last value of the hash chain. This value is typically
authenticated by some method like a digital signature. R0 is
computed by applying (d + 1) times h over R:
R0 = hd+1 (R)
currentUpdateValue (Ri ) is computed by applying (d + 1 i) times h over R:
Ri = hd+1i (R)
Checking equation:
R0 = hi (Ri ) with i d
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
23/80
Cryptography
Examples: Hash Chains

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
One-time Passwords.
H-OCSP.
Novomodo.
Authentication of distance.
Definition
Multiplying Points
EC over Fp
TESLA.
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
24/80
Cryptography
Hash Trees I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
The MHT [?] relies on the properties of the OWHF (One

Way Hash Functions). It exploits the fact that an OWHF is at
least 10,000 times faster to compute than a digital
signature, so the majority of the cryptographic operations
performed in the revocation system are hash functions
instead of digital signatures.
N2,0
DH & ElGamal
H root = H 2,0 = h ( H1,0 | H1,1 )
Elliptic Curves
Definition
Multiplying Points
N1,0 H 1,0 = h ( H0,0 | H0,1 )
EC over Fp
N1,1 H 1,1 = h ( H0,2 | H0,3 )
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
N0,0
N0,1
H 0,0 = h ( c0 ) H 0,1 = h ( c1 )
N0,2
N0,3
H 0,2 = h ( c2 ) H 0,3 = h ( c3 )
Boneth and
Franklins IBE
Cha & Cheons IBS
25/80
Cryptography
Hash Trees II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
We denote by Ni,j the nodes within the MHT where i and j

represent respectively the i-th level and the j-th node. We
denote by Hi,j the cryptographic variable stored by node Ni,j .
Nodes at level 0 are called leaves and they represent the
data stored in the tree. In the case of revocation, leaves
represent the set of certificates that have been revoked,
= {c0 , c1 , . . . , cj , . . . , cn } .
(1)
where cj is the data stored by leaf N0,j . Then, H0,j is

computed as (2)
ECC
Digital Signature
Key Exchange
H0,j = h(cj ) .
(2)
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
where h is a OWHF.
To build the MHT, a set of t adjacent nodes at a given level i;
Ni,j , Ni,j+1 , . . . ,Ni,j+t1 , are combined into one node in the
Cha & Cheons IBS
26/80
Cryptography
Hash Trees III

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
upper level, which we denote by Ni+1,k . Then, Hi+1,k is

obtained by applying h to the concatenation of the t
cryptographic variables (3)
Key Distribution
Hi+1,k = h(Hi,j | Hi,j+1 | . . . | Hi,j+t1 ).
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
(3)
At the top level there is only one node called the root. Hroot
is a digest for all the data stored in the MHT.
The sample MHT of Figure ?? is a binary tree because
adjacent nodes are combined in pairs to form a node in the
next level (t = 2) and Hroot = H2,0 .
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Definition
The Digest is defined as
Digest = {DNRDI , Hroot , Validity Period}SIGRDI
Boneth and
Franklins IBE
Cha & Cheons IBS
27/80
Cryptography
Hash Trees IV
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Definition
The Pathcj is defined as the set of cryptographic values
necessary to compute Hroot from the leaf cj .
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Notice that the Digest is trusted data because it is signed by

the RDI and it is unique within the tree while Path is
different for each leaf.
If the MHT provides a response with the proper Pathcj and
the MHT Digest, an End Entity can verify whether cj .
Let us suppose that a certain user wants to find out whether
c1 belongs to the sample MHT of Figure ??. Then,
Pathc1 = {N0,0 , N1,1 }
Digest = {DNRDI , H2,0 , Validity Period}SIGRDI
The response verification consists in checking that H2,0
computed from the Pathc1 matches H2,0 included in the
Digest,
Cha & Cheons IBS
28/80
Cryptography
Hash Trees V
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
Hroot = H2,0 = h(h(h(c1 )|H0,0 )|H1,1 ) .
(4)
Notice that the MHT can be built by a TTP (RDI) and

distributed to a repository because a leaf cannot be added
or deleted to without modifying Hroot 1 which is included in
the Digest and as the Digest is signed, it cannot be forged
by a non-TTP.
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
1
To do such a thing, an attacker needs to find a pre-image of a OWHF
which is computationally infeasible by definition.
29/80
Cryptography
Examples: Hash Trees

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Certificate issuation.
Revocation.
P2P corruption.
2-3 tree, binary, or ranges (adjacency checking).
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
30/80
Cryptography
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
Hash Functions
Key Distribution
Hash constructions
DH & ElGamal
3 Elliptic Curves
Definition
Multiplying Points
EC over Fp
4 ECC
Digital Signature
Key Exchange
Encryption Scheme
Outline
31/80
Cryptography
Groups
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
A group G is an algebraic structure consisting of a set
of elements and an operation.

The operation combines two group elements to form a
third element of the group.

A group is cyclic if it can be generated by operating
with a single element g.

In this case, g is called a generator of the group.
< g > means the group or subgroup generated by g.
In a multiplicative group, the operation is written as a
multiplication.
Formally, G =< g >= {g n where n is an integer}.
We define the order of a group as its number of
elements.
Boneth and
Franklins IBE
Cha & Cheons IBS
32/80
Cryptography
Modular Multiplication
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Let us consider: a b m
od q .
For each value of b, we take a = 1, 2, ..q 1.
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
q
b
b
b
b
=6
= 2 : {2 4 0 2 4}
= 3 : {3 0 3 0 3}
= 4 : {4 2 0 4 2}
= 5 : {5 4 3 2 1}
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
q
b
b
b
b
b
=7
= 2 : {2 4 6 1 3 5}
= 3 : {3 6 2 5 1 4}
= 4 : {4 1 5 2 6 3}
= 5 : {5 3 1 6 4 2}
= 6 : {6 5 4 3 2 1}
Only the element 5

has inverse.
All the elements have

inverse.
In general, only the co-primes of q have inverse.
Two integers are co-primes if they have no common
positive factors other than 1.
Cha & Cheons IBS
33/80
Cryptography
Co-primes have Inverse

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Given two co-prime integers a, b, with b > a, we can
state that:
| a 1 mo
d b
I.e. a has an inverse modulo b: a1 = .
Proof:
lcm(a, b) = ab
Notice that if a 0 m
od b, then = b is the smallest
possible .
3 Now, if we take n 6= m and 0 m, n b, then:
ma 6 na m
od b
By contradiction. If ma na m
od b then,
a(m n) 0 m
od b
Thus, (m n) b, which contradicts statement 2.
4 Finally, by the pigeonhole principle, as all the terms
an m
od b are different values for 0 n < b one of
these terms must be 1.
1
2
Cha & Cheons IBS
34/80
Cryptography
Notation
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
We note Zq as the finite set of integers modulo q:
Zq = {0, 1, 2, ..., q 1}.

We note Zq as the set of invertible elements of Zq .
As mentioned, Zq is the set of integers (congruence
classes modulo n) k {1, .., n 1} with the property

that gcd(k , n) = 1.
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Examples: Z6 = {5} or Z12 = {1, 5, 7, 11}.

If q is prime, then: Zq = {1, 2, ..., q 1} (notice that 0
is not included).
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
35/80
Cryptography
Multiplicative Groups I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Lets repeat the multiplication of a number g Zq :
g i m
od q .
For example, lets use each value g Z11 :
g
g
g
g
g
g
g
g
g
= 2 : {2 4 8 5 10 9 7 3 6 1 }
= 3 : {3 9 5 4 1 3 9 5 4 1 }
= 4 : {4 5 9 3 1 4 5 9 3 1 }
= 5 : {5 3 4 9 1 5 3 4 9 1 }
= 6 : {6 3 7 9 10 5 8 4 2 1 }
= 7 : {7 5 2 3 10 4 6 9 8 1 }
= 8 : {8 9 6 4 10 3 2 5 7 1 }
= 9 : {9 4 3 5 1 9 4 3 5 1 }
= 10 : {10 1 10 1 10 1 10 1 10 1 }
g = 2, 6, 7, 8 generate all the elements of Z11 .

This is noted as {G =< 7 >= Z11 }
Cha & Cheons IBS
36/80
Cryptography
Multiplicative Groups II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
g = 3 : {3 9 5 4 1 3 9 5 4 1 }
g = 10 : {10 1 10 1 10 1 10 1 10 1 }
The order of a group is its number of elements.
Example: the order of <3 > is 5 and the order of <10 >
is 2.
We define the order of an element a as the smallest
positive integer k such that ak 1 m

od q.
This is noted as Oq (a) = k .
Example: O11 (3) = 5.
Modular Exponentiation is an easy operation, we
can use square-and-multiply.
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
37/80
Cryptography
The Discrete Logarithm (DL)

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
The reverse operation of modular exponentiation is
called the Discrete Logarithm (DL).

Given an element g in a finite group G and another
element h G, find an integer x such that g x = h.

The discrete logarithm problem is a difficult
problem.
Multiplying Points
EC over Fp
ECC
Digital Signature
This means that there is not any efficient algorithm to
solve this problem.
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
38/80
Cryptography
DiffieHellman key agreement I

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
The DiffieHellman (1976) is the first practical method
for establishing a shared secret over an unprotected

communications channel.
Uses modular exponentiation as easy problem and the
discrete logarithm as hard problem.

General description of the protocol:
Alice and Bob agree on a finite cyclic group G and a
generating element g G.
This is done before the rest of the protocol and g is
assumed to be known by all attackers.
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
39/80
Cryptography
DiffieHellman key agreement II

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
Alice picks a random natural number a and sends g a to
Bob.
Bob picks a random natural number b and sends g b to
Alice.
Alice computes (g b )a .
Bob computes (g a )b .
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Both Alice and Bob are now in possession of the group
element g ab .
The values of (g b )a and (g a )b are the same because
groups are power associative.

This serves as the shared secret key.
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
40/80
Cryptography
ElGamal
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Taher Elgamal, 1984.

It is a PKE (Public Key Encryption) algorithm.
Based on the DiffieHellman key exchange.
ElGamal encryption can be defined over any cyclic
group G.
Its security depends upon the difficulty of a DL problem
in G.
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
41/80
Cryptography
Key generation
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Alice generates an efficient description of a
multiplicative cyclic group G, of order q, with generator

g.
Alice chooses a random x, from {0, . . . , q 1}.
Alice computes h = g x .
Alice publishes h as her public key, along with the
description of G, q and g.
Alice retains x, as her private key which must be kept
secret.
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
42/80
Cryptography
Encryption/Decryption
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
To encrypt a message M, to Alice under: (G, q, g, h).

Bob chooses a random y , from {0, . . . , q 1}.
Bob calculates an ephemeral key s = hy = g xy .
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Using the ephemeral key, Bob converts the plaintext m
into a chiphertext m0 : m0 = m s.
Bob sends the ciphertext (c1 , c2 ) = (g y , m0 ) to Alice.
To decrypt a ciphertext, alice calculates the ephemeral
key using its secret key: s = (c1 )x .

To recover the plaintext: m = c2 s 1 .
The decryption algorithm produces the intended
message, since
c2 s1 = m (h)y (g xy )1 = m g xy g xy = m.
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
43/80
Cryptography
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
Hash Functions
Key Distribution
Hash constructions
DH & ElGamal
3 Elliptic Curves
Definition
Multiplying Points
EC over Fp
4 ECC
Digital Signature
Key Exchange
Encryption Scheme
Outline
44/80
Cryptography
Definition
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
Definition
An elliptic curve E is defined in a standard, two dimensional x, y Cartesian
coordinate system:
E : y 2 = f (x) for a cubic or quartic polynomial f (x).
If we use a cubic form, after a change of variables, the equation takes the simpler
form:
E : y 2 = x 3 + ax + b.
The definition of elliptic curve also requires that the curve be non-singular.
Geometrically, this means that the graph has no cusps, self-intersections, or
isolated points.
Algebraically, this involves calculating the discriminant
= 16(4a3 + 27b2 )
The curve is non-singular if and only if the discriminant is not equal to zero.
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
For different values of a and b

the graphs have various forms.
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Figura: Shape of Elliptic Curves
Cha & Cheons IBS
45/80
Cryptography
Point Addition I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
The crucial property of an elliptic curve is that we can
define a rule for adding two points which are on the

curve to obtain a third point which is also on the curve.
This addition rule satisfies the normal properties of
addition.
Definition
Multiplying Points
EC over Fp
ECC
In math jargon, the points and the addition law form a
finite Abelian group.
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
46/80
Cryptography
Point Addition II
Cryptographic
Tools
Symmetric-key
cryptography
E : Y2 = X3 5X + 8
R
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
P+Q
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Figura: Addition of two points
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
47/80
Cryptography
Point Addition Algebraically

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Consider two distinct points P = (Px , Py ) and
Q = (Qx , Qy ).
We want to compute R = P + Q.
Where R = (Rx , Ry ) and R = (Rx , Ry ).
Notice that we can form two equations to express a and
b as a function of the coordinates of P and Q.
The equation of the PQ line is: (y Py ) = s(x Px )
Where s is the slope of the line:
s = (Py Qy )/(Px Qx )
Then, we can use the equations of the line and the
elliptic curve equations to find Rx .
Rx = s2 Px Qx
Finally, using the line equation and Rx :
Ry = Py + s(Px Rx )
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
48/80
Cryptography
Definition of Zero I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
To complete the addition operation we need to add an
extra point: O.
This point should have the property that: P + (P) = O
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Geometrically, the point O lies on a vertical line.

Vertical lines have not a third intersection point.
O can be interpreted as a point at infinity.
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
49/80
Cryptography
Definition of Zero II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
Q = P
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Figura: O point
Boneth and
Franklins IBE
Cha & Cheons IBS
50/80
Cryptography
Doubling a Point
Idea
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
We use the points tangent line.
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
2*P
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
51/80
Cryptography
Doubling a Point Algebraically

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Consider the point P such that P = (Px , Py ).

We want to compute R = 2 P.
Where R = (Rx , Ry ) and R = (Rx , Ry ).
To do so:
We have a point P of the elliptic curve y 2 = x 3 + ax + b.
We obtain a equation for the tangent line:
(y Py ) = s(x Px ).
dy
3x 2 +a
2
Where the slope s is: 2y dy
dx = 3x + a dx = 2y
Then, we can use the line and elliptic curve equations
to find Rx :
Rx = s2 2Px
Finally, using the line equation and Rx :
Ry = Py + s(Rx Px )
Ry = Py + s(Px Rx )
Boneth and
Franklins IBE
Cha & Cheons IBS
52/80
Cryptography
Point Addition Properties

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
The addition law on E has the following properties:

(a)
(b)
(c)
(d)
P +O =O+P =P
for all P E.
P + (P) = O for all P E.
(P + Q) + R = P + (Q + R) for all P, Q, R E.
P + Q = Q + P for all P, Q E.
In other words, the addition law + makes the points of
E into a commutative group.
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
All of the group properties are trivial to check except for
the associative law (c).

The associative law can be verified algebraically.
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
53/80
Cryptography
Point Multiplication
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Now we can define a point multiplication by a scalar k :
k P.
The multiplication is defined as the sum of k copies of
P: 2 P = P + P ; 3 P = P + P + P ; etc.
Point multiplication fulfills:
(a + b)P = aP + bP
To find 17P we can use:
(2P) + P + P + P + P + P + P + P + P + P + P + P +
P +P +P +P
With less computation:
(2P)+(2P)+(2P)+(2P)+(2P)+(2P)+(2P)+(2P)+P
A faster computation:
2(2(2(2P)))) + P
Boneth and
Franklins IBE
Cha & Cheons IBS
54/80
Cryptography
Finite Fields
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
The elliptic curve operations previously defined are on
real numbers.
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Operations over the real numbers are slow and
inaccurate due to round-off error.

Cryptographic operations need to be faster and
accurate.
To make operations on elliptic curve accurate and more
efficient, the curve cryptography is defined over finite

fields.
In practice, two finite fields are used:
Prime field Fp .
Binary field F2m .
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
55/80
Cryptography
EC over Fp I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Fp is the field of integers modulo p, and consists of all
the integers from 0 to p 1.

If p is prime, Fp is the same as Zq .
An elliptic curve with the underlying field of Fp can
formed by choosing all the variables within the field of

Fp .
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
The elliptic curve includes all points (x, y ) which satisfy
the elliptic curve equation modulo p (where

a, b, x, y Fp ): y 2 m
od p = x 3 + ax + b m
od p
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
56/80
Cryptography
EC over Fp II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
We define the same operations that in R.

Point Addition (P+Q):
(P + Q)x = s2 2Px m
od p
(P + Q)y = Py + s(Px Rx ) m
od p
s = (Px Qx )/(Py Qy ) m
od p
Point Multiplication (2P):
(2P)x = s2 2Px m
od p
(2P)y = Py + s(Px Rx ) m
od p
s=
3Px2 +a
2Py
m
od p
With 4a3 + 27b 2 m

od p 6= 0.
An important result is that adding two points of an
elliptic curve under Fp yields another point in the

curve in Fp .
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
57/80
Cryptography
Example E over F5
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
If we take E : y 2 = x 3 + 2x + 3 mod 5
x
x
x
x
x
= 0 y2
= 1 y2
= 2 y2
= 3 y2
= 4 y2
= 3 no solution mo
d 5
= 6 = 1 y = 1, 4 m
od 5
= 15 = 0 y = 0 m
od 5
== 36 = 1 y = 1, 4 m
od 5
= 75 = 0 y = 1, 4 m
od 5
Then points on the elliptic curve are (1, 1)(1, 4)(2, 0)(3, 1)(3, 4)(4, 0) and
the point at infinity .
Notice that like in R there are two points for every x value (except for points
on the x-axis (y=0)).
Recall that elliptic curves over real numbers, there exists a negative point for
each point which is reflected through the x-axis.
Over the finite field F5 , the negative components in the y-values are taken
modulo 5: P = (Px , (Py m
od 5)).
What is (1, 4) + (3, 1) = Q = (Qx , Qy )?
s = (1 4) (3 1)1 = 3 21 = 2(3) = 6 = 1 mo
d 5
Qx = 1 1 3 = 2 m
od 5
Qy = 1(1 2) 4 = 0 m
od 5
On this curve: (1, 4) + (3, 1) = (2, 0).
Boneth and
Franklins IBE
Cha & Cheons IBS
58/80
Cryptography
The group G and ECDL I

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
To form a group G over the EC we must choose a generator

or base point G.
Then, to generate the members of the group we compute
k G with k = 1, 2, ...
Notice that unlike the groups used in the classic algorithms,
the elements of the multiplicative group arent integers, but
points (x, y ).
If we carry on computing G + G + G... for long enough, we
will finally get a result of O, since the number of curve
points is finite.
That is to say, there will be a number n such that
(n 1)G = (Gx , Gy ) = P.
The least n for which n P = O is true is called the order of P.
There is a result that says that if a point has order n which is
a large prime then, the number of points on the curve
#E(Fp ) is h n for some integer h (cofactor not divisible by
n).
59/80
Cryptography
The group G and ECDL II

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
For efficiency reasons, it is desirable to take the cofactor h to

be as small as possible (in particular h = 1).
An important fact is that if we find a G for generating the
group whose order is a prime number n, then computing k
from k G and G takes roughly 2(n/2) operations.
This means that public keys and signatures can be much
smaller than with RSA for the same predicted security.
This inverse operation to point multiplication is called the
Elliptic Curve Discrete Logarithm Problem (ECDL).
The ECDL problem is intractable.
ECC arranges itself so that your operations such encrypting
a message with the public key or decrypting it with the
private key are based on point multiplication.
However, to guess the decryption key you need to solve the
ECDL problem.
Boneth and
Franklins IBE
Cha & Cheons IBS
60/80
Cryptography
EC domain parameters for Fp

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
The elliptic curve domain parameters over Fp are a
sextuple: T = (p, a, b, G, n, h)
Where:
p is the order of the curve, that is to say, an integer
specifying the finite field Fp .

a, b Fp specify the elliptic curve E(Fp ) defined by the
equation: E : y 2 = x 3 + ax + b m
od p
A base or generator point G = (Gx , Gy ) on E(Fp ).

A prime number n which is the order of the point G.
An integer h which is the cofactor h = #E(Fp )/n.
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
61/80
Cryptography
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
Hash Functions
Key Distribution
Hash constructions
DH & ElGamal
3 Elliptic Curves
Definition
Multiplying Points
EC over Fp
4 ECC
Digital Signature
Key Exchange
Encryption Scheme
Outline
62/80
Cryptography
Motivation
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
Main motivation
Elliptic curve cryptography (ECC) offers considerably
greater security than other existing asymmetric
cryptographic schemes for a given key size.
DH & ElGamal
Elliptic Curves
Cuadro: Key length equivalents (source Certicom)
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
ECC
163
256
384
512
RSA
1024
3072
7680
15360
AES
128
192
256
Motivation today: more functinality!
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
63/80
Cryptography
ElGamal ECC version

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Let us assume that we have a group G over an elliptic
curve and a generator point P.
Hash constructions
Classic
Asymmetric
Crytography
Let (dB , QB ) be the key pair of Bob.

Alice generates a random value k .
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Alice sends the pair (kG, M + (kQB )x ) to encrypt a
message M to Bob.
To decrypt the ciphertext, Bob:
Takes kG and computes dB kG.
M = (M + (kQB )x ) (dB kG)x = M
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
64/80
Cryptography
ECDH I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Elliptic Curve Diffie-Hellman (ECDH) is a key
agreement protocol.
ECDH allows two parties to establish a shared secret
key that can be used for private key algorithms.

Both parties exchange some public information to each
other.
Using this public data and their own private data these
parties calculates the shared secret.
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Any third party, who doesnt have access to the private
details of each device, will not be able to calculate the

shared secret from the available public information.
Both ends have a key pair consisting of a private key d
(a randomly selected integer less than p, where p is the

order of the curve.
Cha & Cheons IBS
65/80
Cryptography
ECDH II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Let (dA , QA ) be the key pair of Alice and (dB , QB ) be
key pair of Bob.

Then,
Alice computes K = (Kx , Ky ) = dA QB .

Bob computes L = (Lx , Ly ) = dB QA .
Since dA QB = dA dB G = dB dA G = dB QA .
Therefore K = L and hence xK = xL.
Hence the shared secret is xK .
Since it is practically impossible to find the private key
dA or dB from the public key K or L, its not possible to
obtain the shared secret for a third party.
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
66/80
Cryptography
ECIES I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Elliptic Curve Integrated Encryption Scheme (ECIES),
also known as Elliptic Curve Augmented Encryption

Scheme or simply the Elliptic Curve Encryption
Scheme.
The scheme is based on DiffieHellman problem.
Two versions of the IES are standardized: Discrete
Logarithm Integrated Encryption Scheme (DLIES) and

Elliptic Curve Integrated Encryption Scheme (ECIES).
Here we discuss ECIES but these two versions are
identical up to the change of an underlying group.
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
67/80
Cryptography
ECIES II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
ECIES provides message condifenciality and integrity.
To do so it requires the following:

A Key Derivation Function (KDF).
KDFs are often used in conjunction with non-secret
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
parameters to derive one or more keys from a common

secret value.
This is sometimes also referred to as key
diversification.
ECIES defines a Message Authentication Code (MAC)
and uses a symmetric encryption scheme E.
ECIES uses a group in an Elliptic Curve.
As usual, the Bobs key pair is (dB , QB ).
Typically (but it is optional), the algorithm also uses a
couple of public parameters: s1 and s2.
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
68/80
Cryptography
ECIES III
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
To encrypt a message m, Alice does the following:

Generates a random number r (1, n 1) and calculates
R = rG;
Derives a shared secret: s = Px , where P = (Px , Py ) = r QB
and P 6= O.
Uses the KDF to derive the symmetric encryption and MAC
keys: {kE , kM } = KDF (s|s1 ).
Encrypts the message: c = E(kE , m).
Computes the MAC: d = MAC(kM , c|s2 ).
Outputs (R, c, d).
To decrypt the ciphertext (R, c, d) Bob does the following:

Derives the shared secret: S = Px where
P = (Px , Py ) = dB R.
This is the same as the one Alice derived because
P = d B R = r QB .
Derives the keys: {kE |kM } = KDF (s|s1 ).
Uses the MAC key to check that d = MAC(kM , c|s2 ).
Uses the symmetric encryption scheme to decrypt the
message m = E 1 (kE , c).
Cha & Cheons IBS
69/80
Cryptography
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
Hash Functions
Key Distribution
Hash constructions
DH & ElGamal
3 Elliptic Curves
Definition
Multiplying Points
EC over Fp
4 ECC
Digital Signature
Key Exchange
Encryption Scheme
Outline
70/80
Cryptography
Introduction I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Basic concept:
Alice (the sender) can use any receivers information
such as email, an IP address or even a digital image to
encrypt a message.
Bob (the receiver) can decrypt the ciphertext.
To do so, Bob has to obtain a private key associated
with his identifier information from a TTP.
This TTP is called Private Key Generator (PKG).
This concept was proposed by Shamir in 1984 [xx].
Shamir easily constructed an identity-based signature
(IBS) scheme [xx] using the existing RSA [yy] function.
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
However, he was unable to construct an identity-based
encryption (IBE) scheme.

This became a long-lasting open problem and there is
not any proposed IBE sheme based on RSA up to now.
Cha & Cheons IBS
71/80
Cryptography
Introduction II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
After 17 years, in 2001, Shamirs open problem was
independently solved by Boneh-Franklin and by Cocks.

Cocks mathematical primitive were Quadratic
Residues (a variant of the problem of integer

factorization).
Boneh and Franklins mathematical primitive were
bilinear pairings.
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Today, it is accepted that bilinear pairings are more
efficient than quadratic residues.

Thanks to the application of bilinear pairings to IBC
today this is a handy and useful cryptographic

technique used for securing many different scenarios.
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
72/80
Cryptography
Bilinear Pairings I
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Let G1 and G2 be two groups of order q for some large
prime q.
The group G1 is subgroup of the additive group of
points of an elliptic curve E/Fp .

The group G2 is a subgroup of the multiplicative group
of a finite field Fp2 .
The Boneth and Franklins IBE Scheme makes use of a
bilinear map : G1 G1 G2 between these two

groups.
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
73/80
Cryptography
Bilinear Pairings II
Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
We can find maps in elliptic curves that satisfy the
following properties:
Bilinear: We say that a map : G1 G1 G2 is
bilinear if (aP,bQ) = (P,Q)ab
for all P, Q G1 and all a, b Z.
2 Non-degenerate: The map does not send all pairs in
G1 G1 to the identity in G2 .
Observe that since G1 and G2 are groups of prime
order, this implies that if P is a generator of G1 then
(P,P) is a generator of G2 .
3 Computable: There is an efficient algorithm to compute
(P,Q) for any P, Q G1 .
1
Identity-based
cryptography
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
74/80
Cryptography
Cryptographic
Tools
Bilinear Diffie-Hellman
Assumption
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Bilinear pairings gave rise to the following computational

problem called Bilinear Diffie-Hellman (BDH) problem:
Given (G1 , q, , P, aP, bP, cP), where P G1 and a, b,
and c are chosen at random from Zq .
Notice that we can compute (P, P)ab ,(P, P)ac and
(P, P)bc (by the pairing properties).

The BDH assumption says that compute (P, P)abc is
intractable with the given parameters.

The security of many identity-based cryptographic
schemes in the current literature depends on the BDH

assumption (or its variations).
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
75/80
Cryptography
A Key Agreement protocol

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
The following is a simple and nice Key Agreement
protocol for three entities proposed by Joux [xx] (this is

not yet Identity cryptography).
Suppose that Alice, Bob, and Chris have private/public
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
Introduction
key pairs (a, aP), (b, bP), and (c, cP) where a, b and
c Zq and are chosen at random.
aP ,bP, and cP G1 .
Without the bilinear pairing, to share the same key, a
number of interactions must be conducted by the three
persons.
With bilinear pairing just one round is needed.
Alice, Bob, and Chris compute respectively
(bP, cP)a ,(aP, cP)b and (aP, bP)c .
It is easy to see that they are the same value, in fact
equal to (P, P)abc .
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
76/80
Cryptography
Boneth & Franklins IBE I

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
In the Setup Stage the PKG:

Selects P G1 .
Where G1 = G1 /{O} (O is the identity element of the
group).
Specifies the bilinear pairing : G1 G1 G2 .
Specifies a hash function H1 : {0, 1} G1 .
Specifies a hash function H2 : {0, 1}l G1 .
Where l denotes the length of the plaintext.
Picks a master key s Zq at random and computes a
public key Ppkg = sP.
Publishes the descriptions of G1 , G2 , H1 and H2 .
Publishes the public key Ppkg .
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
77/80
Cryptography
Boneth & Franklins IBE II

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
The basic protocol to encrypt is:

The PKG publishes descriptions of the group G1 and G2
and the hash functions H1 and H2 as well as Ppkg .
Bob, the receiver has a:
public key: Qbob = H1 (ibob ) where Qbob G1 (a point).
private key: Dbob = sQbob where Dbob G1 (a point).
Alice, the sender, can now encrypt a message m to Bob
using Bobs identity i:
U = rP
V = H2 ((Qbob , Ppkg )r ) m
Where r is chosen at random from Zq .
The resulting ciphertext C = (U, V ) is sent to Bob.
Bob decrypts C by computing m = V H2 ((Dbob , U)).
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
78/80
Cryptography
Cha & Cheons IBS I

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Key Exchange
Encryption Scheme
Identity-based
cryptography
The Cha and Cheons [yy] IBS scheme is based on the
bilinear pairing.
In the setup stage, the PKG specifies a group G
generated by P G and the Bilinear map

: G1 G1 G2 .
It also specifies two hash functions H1 , h2 .

The PKG then picks a master key s uniformly at
random from Zq
The PKG computes a public key Ppkg = sP and
publishes descriptions of the groups G1 , G2 , the public

key Ppkg , and the hash functions H1 and h2 .
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
79/80
Cryptography
Cha & Cheons IBS II

Cryptographic
Tools
Symmetric-key
cryptography
Public-key
cryptography
Hash Functions
Key Distribution
Hash constructions
Classic
Asymmetric
Crytography
DH & ElGamal
Elliptic Curves
Definition
Multiplying Points
EC over Fp
ECC
Digital Signature
Alice, the signer, then contacts the PKG to get his
private key Dalice = sQalice where Qalice = H1 (ialice ).

Alice can create a signature on a message m by
computing:
U = rQalice
V = (r + h)Dalice
r is chosen at random from Zq .
h = h2 (m, U) where h Zq .
Bob, the verifier, can verify the validity of Alices
signature (U, V ) by checking:
Key Exchange
Encryption Scheme
Identity-based
cryptography
(P, V ) = (Ppkg , U + hQalice )
Introduction
Bilinear Pairings
Boneth and
Franklins IBE
Cha & Cheons IBS
80/80

Criptografia Asimetrica PDF

Încărcat de

Informații document

Descriere originală:

Titlu original

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

Criptografia Asimetrica PDF

Încărcat de

Drepturi de autor:

Formate disponibile

Cryptography

Dr. Jose L. Muoz

Version: 11 2011-02-21 19:27:38Z

Symmetric-key cryptography is sometimes also called

to encrypt and to decrypt data.

secret key that is used to encrypt and decrypt the

algorithm S to M using the key K :

Cha & Cheons IBS

DES [?] (Digital Encryption Standard) and its extended

version Triple-DES [?] (3DES) have been the most

has been designated as the successor of DES.

simpler and faster than the public-key ones.

Their main drawback is that the two parties must

somehow exchange the symmetric key in a secure way,

Public-key cryptography (PKC) is asymmetric.

the symmetric cryptography, which uses only one key.

distribution problem because the public key can be

It is computationally easy for a party B to generate a

It is computationally easy for a sender A, knowing the

Asymmetric-key cryptography III

There are also public-key systems that meet another

interesting property: either of the two related keys can

the senders private key or the receivers public key, or

Cha & Cheons IBS

block of data that is a function of the

Some public-key algorithms are suitable for all three

applications, whereas others can be used only for one

Used in informatics in efficient database searching

One Way Hash Functions

In security, we use non-invertible hash funcions also

called One Way Hash Functions (OWHF).

A OWHF is a function that takes a variable length input

(pre-image), and computes a fixed-length output string

message (pre-image) with that hash.

about a message with that hash, not even a single bit.

to determine two messages which produce the same

Cha & Cheons IBS

One Way Hash Functions

One important role of OWHFs in cryptography is in the

provision of digital signatures.

digital signature algorithms, it is typical to compute the

Additionally, a digest can be made public without

revealing the contents of the document from which it is

H can be applied to a block of data of any size.

One Way Hash Functions

H(M) is relatively easy to compute for any given M,

Examples of well-known hash functions are MD5 [?]

and SHA-1 (Secure Hash Algorithm-1) [?].

Symmetric keys distribution I

Symmetric keys distribution II

Trivial solution: If there is

N users, there must be

are known as Key

Alice and Bob need a shared symmetric key

Cha & Cheons IBS

Symmetric keys distribution III

KDC shares a symmetric key with each registered

Symmetric keys distribution IV

How is shared key created?

The most simple protocol is next:

KA-KDC(Ks , KB-KDC(A, Ks) )

Alice y Bob can communicate each other using