Cryptography Reference
In-Depth Information
3. Computes H 2 ( C, k 2 ). If it does not equal t , Bob stops and rejects the
ciphertext. Otherwise, he continues.
4. Computes m = D k 1 ( C ), where D k 1 is the decryption function for E k 1 .
An important feature is the authentication procedure in step (3) of the de-
cryption. In many cryptosystems, an attacker can choose various ciphertexts
and force Bob to decrypt them. These decryptions are used to attack the sys-
tem. In the present system, the attacker can generate ciphertexts by choosing
C and k 2 andthenletting t = H 2 ( C, k 2 ). But the attacker does not know Z ,
so he cannot use the same value k 2 that Bob obtains from H 1 ( R, Z ). There-
fore, it is very unlikely that t = H 2 ( C, k 2 ) will equal t = H 2 ( C, k 2 ). With
very high probability, Bob simply rejects the ciphertext and does not return
a decryption.
In our description of the procedure, we used hash functions for the au-
thentication. There are other message authentication methods that could be
used.
An advantage of ECIES over the Massey-Omura and ElGamal public key
methods is that the message is not represented as a point on the curve. More-
over, since a keyed symmetric method is used to send the message, we do not
need to do a new elliptic curve calculation for each block of the message.
6.8 A Public Key Scheme Based on Factoring
Most cryptosystems using elliptic curves are based on the discrete log prob-
lem, in contrast to the situation for classical systems, which are sometimes
based on discrete logs and sometimes based on the di culty of factorization.
The most famous public key cryptosystem is called RSA (for Rivest-Shamir-
Adleman) and proceeds as follows. Alice wants to send a message to Bob. Bob
secretly chooses two large primes p, q and multiplies them to obtain n = pq .
Bob also chooses integers e and d with ed ≡ 1(mod( p− 1)( q − 1)). He makes
n and e public and keeps d secret. Alice's message is a number m (mod n ).
She computes c ≡ m e (mod n ) and sends c to Bob. Bob computes m ≡ c d
(mod n ) to obtain the message. If Eve can find p and q , then she can solve
ed
1)) to obtain d . It can be shown (by methods similar
to those used in the elliptic curve scheme below; see [121]) that if Eve can
find the decryption exponent d , then she probably can factor n . Therefore,
the di culty of factoring n is the key to the security of the RSA system.
A natural question is whether there is an elliptic curve analogue of RSA. In
the following, we present one such system, due to Koyama-Maurer-Okamoto-
Vanstone. It does not seem to be used much in practice.
Alice want to send a message to Bob. They do the following.
1(mod( p
1)( q
Search WWH ::




Custom Search