Cryptography Reference
In-Depth Information
Any such pair of points can be combined to obtain a point mod
n
.There
is a technicality with points at infinity, which is discussed in Section 2.11.
3. Using (6.1), we see that the order of
E
(
Z
n
)is#
E
(
F
p
)
·
#
E
(
F
q
). By
Proposition 4.33,
E
is supersingular mod
p
and mod
q
, so we find (by
Corollary 4.32) that
#
E
(
F
p
)=
p
+1 and #
E
(
F
q
)=
q
+1
.
Therefore, (
p
+1)
M
=
(mod
q
). This
means that the decryption works: Write
de
=1+
k
(
p
+1) for some
integer
k
.Then
∞
(mod
p
)and(
q
+1)
M
=
∞
dC
=
deM
=(1+
k
(
p
+1))
M
=
M
+
k
(
p
+1)
M
=
M
+
∞
=
M
(mod
p
)
,
and similarly mod
q
. Therefore,
dC
=
M
.
4. A key point of the procedure is that the group order is independent
of
b
. If Bob chooses a random elliptic curve
y
2
=
x
3
+
Ax
+
B
over
Z
n
, then he has to compute the group order, perhaps by computing it
mod
p
and mod
q
. This is infeasible if
p
and
q
are chosen large enough
to make factoring
n
infeasible. Also, if Bob fixes the elliptic curve,
Alice will have diculty finding points
M
on the curve. If she does
the procedure of first choosing the
x
-coordinate as the message, then
solving
y
2
≡ m
3
+
Am
+
B
(mod
n
)for
y
, she is faced with the problem
of computing square roots mod
n
. This is computationally equivalent to
factoring
n
(see [121]). If Bob fixes only
A
(the formulas for the group
operations depend only on
A
) and allows Alice to choose
B
so that her
point lies on the curve, then his choice of
e, d
requires that the group
order be independent of
B
. This is the situation in the above procedure.
If Eve factors
n
as
pq
, then she knows (
p
+1)(
q
+ 1), so she can find
d
with
ed ≡
1(mod(
p
+1)(
q
+ 1)). Therefore, she can decrypt Alice's message.
Suppose that Eve does not yet know the factorization of
n
, but she finds
out the decryption exponent
d
. We claim that she can, with high probability,
factor
n
. She does the following:
1=2
k
v
with
v
odd and with
k
1. Writes
ed
−
≥
1(
k
=0since
p
+1 divides
ed
−
1).
2. Picks a random pair of integers
R
=(
r
1
,r
2
)mod
n
,lets
b
=
r
2
− r
1
,
and regards
R
as a point on the elliptic curve
E
given by
y
2
=
x
3
+
b
.
3. Computes
R
0
=
vR
.If
R
0
=
∞
mod
n
, start over with a new
R
.If
R
0
is
∞
mod exactly one of
p, q
, then Eve has factored
n
(see below).
4. For
i
=0
,
1
,
2
,...,k
, computes
R
i
+1
=2
R
i
.
Search WWH ::
Custom Search