
Introduction to Public-Key Cryptography


need to have a short representation of group elements needing $O(\lg \ell)$ space, and the group operation $Q \oplus R$ needs to be performed efficiently for any input $Q, R \in G$. The complexity of computing the DL is studied in Chapter 19. Note that the computation of the order of $P$ is a special instance of the DLP, namely $\operatorname{ord}(P) = \log_P 1$, where $1$ is the neutral element in $G$. Techniques for scalar multiplication are studied in Chapter 9. For groups based on elliptic and hyperelliptic curves, see Chapters 13 and 14.

1.5.2 Discrete logarithm systems with bilinear structure

Some groups have an additional structure that can either be considered a weakness, as it allows transfers (see below), or an advantage, as it can be used constructively in special protocols (cf. Section 24.1.2).

Definition 1.14 Assume that a DL system is given by $(G,\oplus)$, a group of prime order $\ell$, and that there is a group $(G',\oplus)$ of the same order $\ell$ in which we can compute "as fast" as in $G$. Assume moreover that $(H,\otimes)$ is another DL system and that a map

$e: G \times G' \to H$

satisfies the following requirements:

• the map $e$ is computable in polynomial time (this includes that the elements in $H$ need only $O(\lg \ell)$ space),

• for all $n_1, n_2 \in \mathbb{N}$ and random elements $(P_1, P_2) \in G \times G'$ we have $e([n_1]P_1, [n_2]P_2) = [n_1 n_2]\, e(P_1, P_2)$,

• the map $e$ is nondegenerate. Hence, for random $P \in G'$ we have $e(P_1, P) = e(P_2, P)$ if and only if $P_1 = P_2$.

Then we call $(G, e)$ a DL system with bilinear structure.

There are two immediate consequences:

• Assume that $G = G'$ and hence that $e(P, P)$ is not the neutral element of $H$. Then for all triples $(P_1, P_2, P_3) \in \langle P \rangle^3$ one can decide in time polynomial in $\lg \ell$ whether

$\log_P(P_3) = \log_P(P_1)\,\log_P(P_2),$

namely by testing whether $e(P_1, P_2) = e(P, P_3)$.

• The DL system $G$ is at most as secure as the system $H$. Even if $G \neq G'$ one can transfer the DLP in $G$ to a DLP in $H$, provided that one can find an element $P' \in G'$ such that the map $P \mapsto e(P, P')$ is injective, i.e., it induces an injective homomorphism of $G$ into a subgroup of $H$. Hence, instead of solving the DLP in $G$ one transfers the problem to $H$, where it might be easier to solve.

1.6 Protocols

This book is concerned with cryptographic applications of elliptic and hyperelliptic curves. So far we have described DL systems in an abstract setting. In this section we motivate that groups are a good choice and show how two or more parties can agree on a joint secret key, exchange encrypted data, and sign electronically. We also show how the identity of a participant can be used to form his public key.

But this book is not mainly concerned with protocols. We just show the bare-bones schoolbook protocols. Their use is twofold: they should motivate the reader to consider DL systems in more detail and at the same time highlight which computational problems need to be solved in order to get fast cryptographic systems. For an actual implementation one needs to take care not to weaken the system by applying a flawed protocol. For a great overview consider [MEOO+ 1996].

1.6.1 Diffie–Hellman key exchange

The publication of Diffie and Hellman's seminal paper New directions in cryptography [DIHE 1976] can be seen as the start of public-key cryptography in public. We describe the Diffie–Hellman (DH) protocol for an abstract group $(G,\oplus)$. In their paper they proposed the multiplicative group of a finite prime field (cf. Example 1.13).

The two parties Alice ($A$) and Bob ($B$) have the public parameters $(G,\oplus,P)$ and want to agree on a joint key that is a group element. Once they are in possession of such a joint secret $P_k$ they can use a key derivation function to derive a bit-string useful as a key in a symmetric system. To this aim $A$ secretly and randomly chooses $a_A \in_R \mathbb{N}$ ($\in_R$ means choosing at random) and computes $P_A = [a_A]P$, while $B$ ends up with $P_B = [a_B]P$. They publicly exchange these intermediate results. If the DLP (cf. Section 1.5) is hard in $G$ one cannot extract $a_A$ from $P_A$ or $a_B$ from $P_B$. Upon receiving $P_B$, $A$ computes $P_k = [a_A]P_B = [a_A a_B]P$. Now $B$ can obtain the same result as $[a_B]P_A = [a_B a_A]P$, thus they are both in possession of a group element $P_k$, which should not be computable from the public values $P_A$ and $P_B$.

Clearly, this last assumption does not hold if the DLP in $(G,\oplus)$ is easy. The problem of computing $[a_A a_B]P$ given $[a_A]P$ and $[a_B]P$ is called the computational Diffie–Hellman problem (CDHP).

Maurer and Wolf [MAWO 1999] study the equivalence of the CDHP and the DLP. Elliptic curves of split group order are an important tool in their proof. They show that if such curves can be found, then an oracle to solve the CDHP can be used to solve the DLP in polynomially many steps. For groups related to elliptic curves this question is studied in [MUSM+ 2004].

In most DL systems it is also hard to verify whether a proposed solution to the CDHP is correct.

The problem, given $[a_A]P$, $[a_B]P$ and $[c]P$, to decide whether $[c]P = [a_A a_B]P$ is called the decision Diffie–Hellman problem (DDHP). Obviously, it is no harder than the CDHP. For the DLP a decision version is not useful to consider, as one could simply try the pretended solution.

If $(G,\oplus)$ is a DL system with bilinear structure (Section 1.5.2), the DDHP can easily be solved by comparing $e([a_A]P, [a_B]P) = [a_A a_B]\, e(P,P)$ to $e(P, [c]P) = [c]\, e(P,P)$. Groups in which the CDHP is assumed to be hard while the DDHP is easy are called Gap-Diffie–Hellman groups.

As usual the presented version is not ready to implement. An eavesdropper Eve ($E$) could intercept the communication and act as Bob for Alice, sending $[a_E]P$ to her, and as Alice for Bob, sending her key to him as well. Then she would have a joint key $P_{k,A}$ with Alice and one with Bob, $P_{k,B}$. Hence, she can decipher any message from Alice intended for Bob and encipher it again for Bob using $P_{k,B}$. This way, no party would notice her presence and she could read any message. This attack is called the man-in-the-middle attack.
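The exchange of this subsection and the man-in-the-middle attack on it, as an added Python example (this is illustration code, not code from the book). It instantiates $G$ as in Example 1.13 with constructed toy parameters: $p = 2039$ is a safe prime, $G$ is the subgroup of order $\ell = 1019$ of $\mathbb{F}_p^*$, and $P = 4$ generates it; a real deployment uses a standardized group of 2048 bits or more. The exponent range $[1, \ell-1]$, the key derivation by SHA-256 and the membership check `in_group` on received values are assumptions of this example, not part of the schoolbook protocol.

```python
import hashlib
import secrets

# Toy public parameters (G, (+), P), constructed for this example: G is the
# subgroup of prime order l in the multiplicative group of F_p, p = 2039 is a
# safe prime, l = (p - 1)/2 = 1019, and P = 4 = 2^2 is a square different
# from 1, hence a generator of G.  Any (p, l, P) with p = 2l + 1 prime works.
p, l, P = 2039, 1019, 4

def scalar_mul(n, Q):
    """[n]Q, written multiplicatively in F_p^*."""
    return pow(Q, n, p)

def keygen():
    """Algorithm 1.15: a in [1, l-1] from the OS CSPRNG, public value [a]P."""
    a = 1 + secrets.randbelow(l - 1)
    return a, scalar_mul(a, P)

def in_group(Q):
    """Membership test for G.  The page assumes honest peers; in practice a
    received value outside G (e.g. 1, or an element of a small subgroup of
    F_p^*) must be rejected before it is raised to the private exponent."""
    return 1 < Q < p and pow(Q, l, p) == 1

def shared_element(a_own, P_other):
    """P_k = [a_own] P_other after validating the peer's value."""
    if not in_group(P_other):
        raise ValueError("received value is not in G")
    return scalar_mul(a_own, P_other)

def kdf(Pk):
    """Key derivation function: a bit-string usable as a symmetric key."""
    return hashlib.sha256(Pk.to_bytes(2, "big")).digest()

def honest_exchange():
    """Alice and Bob exchange P_A, P_B and derive the same key."""
    aA, PA = keygen()
    aB, PB = keygen()
    kA = kdf(shared_element(aA, PB))   # Alice: [a_A] P_B
    kB = kdf(shared_element(aB, PA))   # Bob:   [a_B] P_A
    return kA == kB

def man_in_the_middle():
    """Eve replaces both intermediate results by her own P_E and ends up with
    one key shared with Alice and another shared with Bob."""
    aA, PA = keygen()
    aB, PB = keygen()
    aE, PE = keygen()
    kA = kdf(shared_element(aA, PE))    # Alice believes P_E came from Bob
    kB = kdf(shared_element(aB, PE))    # Bob believes P_E came from Alice
    kEA = kdf(shared_element(aE, PA))   # Eve's key with Alice
    kEB = kdf(shared_element(aE, PB))   # Eve's key with Bob
    return kA == kEA and kB == kEB
```

Nothing in the messages lets Alice or Bob tell $P_E$ from the genuine value; the defence is to authenticate the exchanged elements, which is what the signature schemes of Section 1.6.3 provide.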

1.6.2 Asymmetric Diffie–Hellman and ElGamal encryption

The Diffie–Hellman key exchange requires both parties to work online, i.e., they are both active at the same time. The following two protocols are asymmetric also in the sense that the sender and the receiver perform different steps and that there are two different keys, a private key and a public key.


If the DLP is hard in $(G,\oplus)$ then Alice could just as well publish her public key $P_A = [a_A]P$ in a directory. The process of computing the public and private key pair is called key generation. The systems described in this section require that the receiver of the message has already set up and published his public key. The problem of how to make this data accessible and put confidence in the link between $A$ and her public key is considered in the literature on public-key infrastructure (PKI).

Algorithm 1.15 Key generation

INPUT: The public parameters $(G,\oplus,P)$.
OUTPUT: The public key $P_A$ and private key $a_A$.

1. $a_A \in_R \mathbb{N}$ [choose $a_A$ at random in $\mathbb{N}$]
2. $P_A \leftarrow [a_A]P$
3. return $P_A$ and $a_A$

The random choice should be done by the computing device to avoid biases introduced by humans, like choosing small numbers to facilitate the computations. In Chapter 30 we deal with random number generators.

If Bob wants to send the message $m$ to Alice, he looks up her public key in a directory. He can perform an asymmetric version of the Diffie–Hellman key exchange if there is a map $\psi: G \to K$ from the group to the keyspace $K$ and a symmetric cipher $E_\kappa$ depending on the key $\kappa$. The decryption function, i.e., the inverse of $E_\kappa$, is denoted by $D_\kappa$.

Algorithm 1.16 Asymmetric Diffie–Hellman encryption

INPUT: A message $m$, the public parameters $(G,\oplus,P)$ and the public key $P_A \in G$.
OUTPUT: The encrypted message $(Q, c)$.

1. $k \in_R \mathbb{N}$
2. $Q \leftarrow [k]P$
3. $P_k \leftarrow [k]P_A$
4. $\kappa \leftarrow \psi(P_k)$
5. $c \leftarrow E_\kappa(m)$
6. return $(Q, c)$

To decrypt, Alice computes $P_k = [a_A]Q$, using her private key $a_A$, from which she determines $\kappa = \psi(P_k)$. She recovers the plaintext as $m = D_\kappa(c)$.

The randomly chosen nonce $k \in_R \mathbb{N}$ makes this a randomized encryption.

If there is an invertible map $\varphi$ from the message space $M$ to $G$ one can also use ElGamal encryption.

Algorithm 1.17 ElGamal encryption

INPUT: A message $m$, the public parameters $(G,\oplus,P)$ and the public key $P_A \in G$.
OUTPUT: The encrypted message $(Q, R)$.

1. $k \in_R \mathbb{N}$
2. $Q \leftarrow [k]P$
3. $P_k \leftarrow [k]P_A$
4. $R \leftarrow P_k \oplus \varphi(m)$
5. return $(Q, R)$

To decrypt, Alice uses $P_k = [a_A]Q$ and computes $m = \varphi^{-1}(R \ominus P_k)$.

Note that by this method one can only encrypt messages of size at most $\lg \ell$, where $\ell$ is the order of $G$. It is possible to encrypt longer messages using a mode of operation making multiple calls to Algorithm 1.17; however, this is hardly ever done because of the relative slowness of this encryption scheme. Instead the transmitted message $m$ will act as a secret key in some following symmetric encryption.
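Algorithms 1.15, 1.16 and 1.17 with their decryption steps, as an added Python example (illustration code, not code from the book). It uses a constructed toy group, the subgroup of order $\ell = 1019$ of $\mathbb{F}_{2039}^*$ generated by $P = 4$, and makes the following assumptions, none of which the page fixes: $\psi$ is SHA-256 of the element's fixed-width encoding; $E_\kappa$ and $D_\kappa$ are a constructed keystream cipher built from HMAC-SHA256 (a real system would use an authenticated cipher); and $\varphi$ maps $m \in \{1, \dots, \ell\}$ to whichever of $m$ and $p - m$ is a square modulo $p$, which lies in $G$ because $p \equiv 3 \pmod 4$ makes $-1$ a non-square, so exactly one of the two is a square.

```python
import hashlib
import hmac
import secrets

# Toy public parameters (constructed): G = squares in F_p^*, p = 2039 a safe
# prime, |G| = l = 1019, generator P = 4.  Any p = 2l + 1 prime works unchanged.
p, l, P = 2039, 1019, 4

def scalar_mul(n, Q):
    return pow(Q, n, p)                  # [n]Q

def group_add(Q, R):
    return Q * R % p                     # Q (+) R

def group_sub(Q, R):
    return Q * pow(R, -1, p) % p         # Q (-) R

def keygen():
    """Algorithm 1.15 with a_A drawn from [1, l-1] by the OS CSPRNG."""
    a = 1 + secrets.randbelow(l - 1)
    return a, scalar_mul(a, P)

def psi(Pk):
    """psi: G -> K, here the SHA-256 digest of the fixed-width encoding of P_k."""
    return hashlib.sha256(Pk.to_bytes(2, "big")).digest()

def keystream(kappa, n):
    """Constructed stream cipher for E_kappa/D_kappa: HMAC-SHA256 in counter mode."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(kappa, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def E(kappa, m):
    return bytes(x ^ y for x, y in zip(m, keystream(kappa, len(m))))

D = E                                    # XOR keystream: D_kappa = E_kappa

def adh_encrypt(PA, m):
    """Algorithm 1.16 (asymmetric Diffie-Hellman encryption)."""
    k = 1 + secrets.randbelow(l - 1)     # fresh nonce per message
    Q = scalar_mul(k, P)
    Pk = scalar_mul(k, PA)
    return Q, E(psi(Pk), m)

def adh_decrypt(aA, Q, c):
    return D(psi(scalar_mul(aA, Q)), c)

def phi(m):
    """phi: M = {1, ..., l} -> G.  Euler's criterion x^l = 1 tests squareness; as
    p = 3 mod 4, -1 is a non-square, so exactly one of m and p - m lies in G."""
    if not 1 <= m <= l:
        raise ValueError("message must be an integer in [1, l]")
    return m if pow(m, l, p) == 1 else p - m

def phi_inv(R):
    """Inverse of phi: elements <= l are m itself, larger ones are p - m."""
    return R if R <= l else p - R

def elgamal_encrypt(PA, m):
    """Algorithm 1.17 (ElGamal encryption)."""
    k = 1 + secrets.randbelow(l - 1)
    Q = scalar_mul(k, P)
    Pk = scalar_mul(k, PA)
    return Q, group_add(Pk, phi(m))

def elgamal_decrypt(aA, Q, R):
    Pk = scalar_mul(aA, Q)
    return phi_inv(group_sub(R, Pk))
```

Re-running `adh_encrypt` on the same plaintext yields a different $(Q, c)$ each time because $k$ is fresh; reusing $k$ for two messages would give both the same $P_k$ and hence the same $\kappa$, which is why the nonce must never repeat.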

1.6.3 Signature scheme of ElGamal-type

An electronic signature should bind the signer to the content of the signed message. A hash function (see [MEOO+ 1996]) is a map $h: S \to T$ between two sets $S, T$, where usually $|S| > |T|$, e.g., the input is a bit-string of arbitrary length and the output has fixed length.

Additional properties are required from cryptographic hash functions:

• Preimage resistant: for essentially all outputs $t \in T$ it is computationally infeasible to find any $s \in S$ such that $t = h(s)$.

• 2nd-preimage resistant: for any given $s_1 \in S$ it is computationally infeasible to find a different $s_2 \in S$ such that $h(s_1) = h(s_2)$.

• Collision resistant: it is computationally infeasible to find any distinct inputs $s_1, s_2$ such that $h(s_1) = h(s_2)$.

For practical use one requires the signature to be of fixed length no matter how long the signed message is. Therefore, one only signs the hash of the message. The hash function should be collision resistant, as otherwise a malicious party could ask to sign some innocent message $m_1$ and use the signature, which only depends on $h(m_1)$, as a signature for a different message $m_2$ with $h(m_1) = h(m_2)$. We shall also apply hash functions to elements of the group $G$. Here, we assume that these are represented via a bit-string and thus write $h(Q)$ for $Q \in G$.

To compute an electronic signature, Alice must have performed Algorithm 1.15 in advance.

Algorithm 1.18 ElGamal signature

INPUT: A message $m$, the public parameters $(G,\oplus,P)$ with $|G| = \ell$ and the private key $a_A$.
OUTPUT: The signature $(Q, s)$ on $m$.

1. $k \in_R \mathbb{N}$ [with $\gcd(k, \ell) = 1$, so that $k$ is invertible in Line 3]
2. $Q \leftarrow [k]P$
3. $s \leftarrow k^{-1}\big(h(m) - a_A\, h(Q)\big) \bmod \ell$
4. return $(Q, s)$


Remarks 1.19

(i) In the signature scheme the short-term secret, i.e., the random nonce $k$, must be kept secret, as otherwise the long-term secret, the private key $a_A$, can be recovered as

$a_A \equiv h(Q)^{-1}\big(h(m) - s k\big) \pmod{\ell}.$

(ii) There are many variants of ElGamal signature schemes. Some have the advantage that one need not invert $k$ modulo the group order. This is especially interesting if one is concerned with restricted environments (cf. Chapters 26 and 27), as this way one avoids implementing modular arithmetic for two different moduli (finite field arithmetic for the group arithmetic and computations modulo $\ell$). An overview of different schemes is provided in [MEOO+ 1996, Note 11.6]; e.g., the signature can also be given by

$s = k\, h(m) + a_A\, h(Q) \bmod \ell$

with notations as above.

A signature can be verified by everybody.

Algorithm 1.20 Signature verification

INPUT: A message $m$, its signature $(Q, s)$ from Algorithm 1.18, the public parameters $(G,\oplus,P)$ where $|G| = \ell$, and the public key $P_A$.
OUTPUT: Acceptance or rejection of the signature.

1. $R_1 \leftarrow [h(Q)]P_A \oplus [s]Q$
2. $R_2 \leftarrow [h(m)]P$
3. if $R_1 = R_2$ return "acceptance" else return "rejection"

The algorithm is valid as a correct signature gets accepted. Namely,

$R_1 = [h(Q)]P_A \oplus [s]Q = [a_A\, h(Q)]P \oplus [ks]P = [a_A\, h(Q) + h(m) - a_A\, h(Q)]P = [h(m)]P = R_2.$

In Line 1 one can apply simultaneous multiplication techniques (cf. Chapter 9).

Depending on the special properties of the group it might be possible to transmit only some part of $Q$. The standard for digital signatures (DSA) works in a subgroup of the multiplicative group of a finite field. For elliptic curves the standard is called the elliptic curve digital signature algorithm (ECDSA) [ANSIX9.62], an adaptation of Algorithm 1.18. The German standard GECDSA avoids inversions modulo the group order. So far, there is no standard for hyperelliptic curves. A version analogous to the ECDSA can be found in [AVLA 2005].
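Algorithms 1.18 and 1.20, the nonce-leak recovery of Remark 1.19 (i) and the inversion-free variant of Remark 1.19 (ii), as an added Python example (illustration code, not code from the book). It uses a constructed toy group, the subgroup of order $\ell = 1019$ of $\mathbb{F}_{2039}^*$ generated by $P = 4$, and assumes $h$ is SHA-256 reduced modulo $\ell$, applied to the fixed-width encoding of a group element for $h(Q)$. Two things go beyond the page and are labelled as such in the code: the range checks on $(Q, s)$ in the verifier, and `nonce_from_reuse`, which recovers $k$ from two signatures made with the same nonce. The verification equation for the variant of Remark 1.19 (ii), $[s]P = [h(m)]Q \oplus [h(Q)]P_A$, is derived here from the variant's definition and is not stated on the page.

```python
import hashlib
import secrets

# Toy public parameters (constructed): G = squares in F_p^*, p = 2039 a safe
# prime, |G| = l = 1019, generator P = 4.  Any p = 2l + 1 prime works unchanged.
p, l, P = 2039, 1019, 4

def scalar_mul(n, Q):
    return pow(Q, n, p)                  # [n]Q

def group_add(Q, R):
    return Q * R % p                     # Q (+) R

def keygen():
    """Algorithm 1.15 with a_A drawn from [1, l-1] by the OS CSPRNG."""
    a = 1 + secrets.randbelow(l - 1)
    return a, scalar_mul(a, P)

def enc(Q):
    """Fixed-width bit-string representation of a group element, so h(Q) is defined."""
    return Q.to_bytes(2, "big")

def h(data):
    """Cryptographic hash reduced into Z/lZ (assumption: the page leaves h abstract)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % l

def sign(aA, m, k=None):
    """Algorithm 1.18.  The nonce k must be fresh and secret; it is a parameter
    here only so that the nonce-leak computations below are reproducible."""
    if k is None:
        k = 1 + secrets.randbelow(l - 1)    # l prime, so gcd(k, l) = 1
    Q = scalar_mul(k, P)
    s = pow(k, -1, l) * (h(m) - aA * h(enc(Q))) % l
    return Q, s

def verify(PA, m, sig):
    """Algorithm 1.20, plus range checks on (Q, s) that the schoolbook version omits
    (an addition of this example: Q must lie in G and s must be reduced mod l)."""
    Q, s = sig
    if not (1 < Q < p and pow(Q, l, p) == 1 and 0 <= s < l):
        return False
    R1 = group_add(scalar_mul(h(enc(Q)), PA), scalar_mul(s, Q))
    R2 = scalar_mul(h(m), P)
    return R1 == R2

def key_from_leaked_nonce(m, sig, k):
    """Remark 1.19 (i): a_A = h(Q)^{-1} (h(m) - s k) mod l (needs h(Q) != 0 mod l)."""
    Q, s = sig
    return pow(h(enc(Q)), -1, l) * (h(m) - s * k) % l

def nonce_from_reuse(m1, sig1, m2, sig2):
    """Not on the page: if one k signs two messages, Q repeats and subtracting the
    two equations for s gives k = (h(m1) - h(m2)) (s1 - s2)^{-1} mod l, after
    which key_from_leaked_nonce yields a_A."""
    (Q1, s1), (Q2, s2) = sig1, sig2
    if Q1 != Q2:
        raise ValueError("different Q: the nonces differ")
    return (h(m1) - h(m2)) * pow((s1 - s2) % l, -1, l) % l

def sign_no_inverse(aA, m):
    """Remark 1.19 (ii): s = k h(m) + a_A h(Q) mod l, no inversion of k."""
    k = 1 + secrets.randbelow(l - 1)
    Q = scalar_mul(k, P)
    return Q, (k * h(m) + aA * h(enc(Q))) % l

def verify_no_inverse(PA, m, sig):
    """Derived check for the variant: [s]P = [k h(m)]P (+) [a_A h(Q)]P
    = [h(m)]Q (+) [h(Q)]P_A."""
    Q, s = sig
    lhs = scalar_mul(s, P)
    rhs = group_add(scalar_mul(h(m), Q), scalar_mul(h(enc(Q)), PA))
    return lhs == rhs
```

The recovery functions are the reason the nonce deserves the same protection as the private key: one leaked or repeated $k$ hands over $a_A$, and every signature ever made with that key is then forgeable.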

1.6.4 Tripartite key exchange

We now give an example of how the additional structure of a DL system with bilinear structure can be used in protocols. We come back to this study in Chapter 24, where we apply special bilinear maps for elliptic and hyperelliptic curves. Here, we show how three persons can agree on a joint secret group element using two DL systems, $(G,\oplus)$ and $(H,\otimes)$, and $e$, a bilinear map from $G \times G$ into $H$, needing only one round [JOU 2000]. Note that there are other protocols based on the usual DH protocol to solve this for arbitrarily many group members, but in two rounds [BUDE 1995, BUDE 1997], and clearly the protocol as such is a schoolbook version that can easily be attacked by a man-in-the-middle attack.


The following algorithm shows the computations done by personA.

Algorithm 1.21 Three party key exchange

INPUT: The public parameters $(G,\oplus,H,\otimes,P,e)$ with the bilinear map $e$.
OUTPUT: The joint key $K \in H$.

1. $a_A \in_R \mathbb{N}$
2. $P_A \leftarrow [a_A]P$
3. send $P_A$ to $B$, $C$
4. receive $P_B$, $P_C$ from $B$, $C$
5. $K \leftarrow [a_A]\, e(P_B, P_C)$
6. return $K$

Applying this algorithm, $A$, $B$, and $C$ obtain the same element of $H$, as

$[a_A]\, e(P_B, P_C) = [a_A a_B a_C]\, e(P, P) = [a_B]\, e(P_A, P_C) = [a_C]\, e(P_A, P_B).$

Obviously, this protocol can be extended to more parties by the same methods as the DH protocol.
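A constructed toy instance of Definition 1.14, used to run the DDHP decision of Section 1.6.1 (consequence (i) of the definition) and Algorithm 1.21, as an added Python example (illustration code, not one of the book's pairings). The assumptions: $G = G' = (\mathbb{Z}/\ell\mathbb{Z}, +)$ with $P = 1$, so $[n]P = n \bmod \ell$; $H$ is the subgroup of order $\ell = 1019$ of $\mathbb{F}_{2039}^*$ generated by $h = 4$; and $e(X, Y) = h^{XY}$, which is bilinear and nondegenerate. The caveat is that the DLP in this $G$ is trivial ($\log_P X = X$), so the instance demonstrates only the algebra of the bilinear structure and the one-round message flow, not a secure system; Chapter 24 constructs such maps on curves in which the DLP in $G$ is hard.

```python
import secrets

# Constructed toy instance of Definition 1.14: G = G' = (Z/lZ, +) with P = 1,
# H = <h> of order l inside F_q^* with l | q - 1.  The DLP in this G is trivial;
# only the bilinear algebra and the protocol flow are being modelled.
l = 1019
q = 2039         # safe prime, q - 1 = 2 l
h = 4            # 4 = 2^2 is a square != 1 in F_q^*, hence of order l
P = 1            # generator of G

def g_mul(n, X):
    """[n]X in G."""
    return n * X % l

def h_mul(n, Y):
    """[n]Y in H (written multiplicatively)."""
    return pow(Y, n, q)

def e(X, Y):
    """The bilinear map e: G x G' -> H."""
    return pow(h, X * Y % l, q)

def check_bilinear_structure(trials=100):
    """Spot-check bilinearity and nondegeneracy (Definition 1.14) on random inputs."""
    for _ in range(trials):
        n1, n2 = secrets.randbelow(l), secrets.randbelow(l)
        P1, P2, X = [1 + secrets.randbelow(l - 1) for _ in range(3)]
        if e(g_mul(n1, P1), g_mul(n2, P2)) != h_mul(n1 * n2, e(P1, P2)):
            return False                       # e([n1]P1, [n2]P2) = [n1 n2] e(P1, P2)
        if (e(P1, X) == e(P2, X)) != (P1 == P2):
            return False                       # e(P1, X) = e(P2, X) iff P1 = P2
    return True

def ddh_decide(PA, PB, PC):
    """Decide the DDHP (Section 1.6.1): [c]P = [ab]P iff e([a]P, [b]P) = e(P, [c]P).
    With (P1, P2, P3) = (PA, PB, PC) this is consequence (i) of Definition 1.14."""
    return e(PA, PB) == e(P, PC)

def tripartite_keys(aA, aB, aC):
    """Algorithm 1.21 from each party's point of view; returns (K_A, K_B, K_C).
    Every party broadcasts its P_X once (the single round), then computes locally."""
    PA, PB, PC = g_mul(aA, P), g_mul(aB, P), g_mul(aC, P)
    KA = h_mul(aA, e(PB, PC))
    KB = h_mul(aB, e(PA, PC))
    KC = h_mul(aC, e(PA, PB))
    return KA, KB, KC

def fresh_secret():
    return 1 + secrets.randbelow(l - 1)
```

As in Section 1.6.1, an attacker who can substitute the broadcast values $P_A$, $P_B$, $P_C$ runs three separate exchanges with the three parties; the one-round structure does nothing to authenticate the elements.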