Math 480: Open Source Mathematical Software

2016-05-27

William Stein

**Lectures 27: Number Theoretic Public key crypto (part 3/3) **

Notes:

• 1: Today is the last day of this class.

• Your peer grading and final assignment are due at 6pm tonight.

• We will tell you what we think your grade should be and why soon, and you can double check that this agrees with what you think (or not respond).

• 2: 20 min -- Elliptic curve Diffie-Hellman, which is perhaps the best possible system for agreeing on a shared secret.

• 3: Finish homework, etc.

Elliptic Curve Diffie-Hellman

Neal Koblitz, a UW professor, co-introduced something called elliptic curve cryptography, which is possibly the best possible way to do public-key cryptography. (It's used heavily in bitcoin and web browsers!)

Recall, DH in the group $H=(\ZZ/p\ZZ)^*$, where $p$ is a prime number.

• 1: Chose element $g \in H$.

• 2: A and B generate random $a$ and $b$, and send each other $g^a$ and $g^b$.

• 3: The shared secret is $g^{ab}$.

DH in any multiplicative group $H$.

• 1: Chose element $g \in H$.

• 2: A and B generate random $a$ and $b$, and send each other $g^a$ and $g^b$.

• 3: The shared secret is $g^{ab}$.

DH in an additive group $E$.

• 1: Chose element $P \in E$.

• 2: A and B generate random $a$ and $b$, and send each other $aP = P + \cdots + P$ ($a$ times), and $bP$.

• 3: The shared secret is $abP$.

A bad example of an additive group: $E=\ZZ/p\ZZ$.

But easy to crack, since given $aP$ and $P$, can instantly compute $a$!

A much better additive abelian group -- the set of points over $\ZZ/p\ZZ$ on an elliptic curve. E.g., $$E = \{(x,y) : y^2 \equiv x^3 - 3x + b \pmod{p} \} \cup \{\infty\},$$ where $p=6277101735386680763835789423207666416083908700390324961279$ and $b=2455155546008943817740293915197451784769108058161191238065$. (This is NIST curve Curve P-192.)

That $E$ can be given the structure of (interesting) additive abelian group is fairly deep, and I won't explain it to you.

That the cardinality $\#E$ can be computed so quickly is AMAZING and deep, and critical to elliptic curve crypto being practical. I won't explain this either. The algorithm was discovered by the guy (Rene Schoof) in the middle in the picture on the right.