
AN EXPLORATION OF MATHEMATICAL

APPLICATIONS IN CRYPTOGRAPHY

THESIS

Presented in Partial Fulfillment of the Requirements for the Degree Masters of

Mathematical Sciences in the Graduate School of the Ohio State University

By

Amy Kosek, B.S. in Mathematics

Graduate Program in Mathematical Sciences

The Ohio State University

2015

Thesis Committee:

James Cogdell, Advisor

Rodica Costin

© Copyright by

Amy Kosek

2015
ABSTRACT

Modern cryptography relies heavily on concepts from mathematics. In this thesis we will be discussing several cryptographic ciphers and discovering the mathematical applications which can be found by exploring them. This paper is intended to be accessible to undergraduate or graduate students as a supplement to a course in number theory or modern algebra. The structure of the paper also lends itself to be accessible to a person interested in learning about mathematics in cryptography on their own, since we will always give a review of the background material which will be needed before delving into the cryptographic ciphers.

ACKNOWLEDGMENTS

My sincerest thanks to Jim Cogdell for working with me as my advisor for this thesis project. His encouragement and guidance during the last year has meant so much to me, and I am exceedingly grateful for it. Working with him has been a pleasure and an honor. Also, thank you to Rodica Costin for being a member of my thesis committee and my academic advisor. I so appreciate all of the advice and support she has given me during my time at OSU. Lastly, I would like to thank my wonderful husband, Pete Kosek. He has loved and supported me through every part of this process, and I wouldn’t be where I am today without him.

VITA

2013 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . B.S. in Mathematics, The College at Brockport, SUNY

2013-Present . . . . . . . . . . . . . . . . . . . . . . . . . . Graduate Teaching Associate, The Ohio State University

PUBLICATIONS

Benjamin D. Sokolowsky, Amy G. VanHooft, Rachel M. Volkert, and Clifford A. Reiter. An Infinite Family of Perfect Parallelepipeds. Mathematics of Computation, 83(289):2441-2454, 2014.

FIELDS OF STUDY

Major Field: Mathematical Sciences

Specialization: Mathematics for Educators

TABLE OF CONTENTS

Abstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ii

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iii

Vita . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iv

CHAPTER PAGE

1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Public-Key vs. Private-Key Ciphers . . . . . . . . . . . . . . . . . 2

2 Number Theory and the RSA Cipher . . . . . . . . . . . . . . . . . . . 5

2.1 Elementary Number Theory . . . . . . . . . . . . . . . . . . . . . 5


2.2 The RSA Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3 Cryptographic Systems Based on the Discrete Logarithm Problem . . . 20

3.1 The Discrete Logarithm Problem . . . . . . . . . . . . . . . . . . . 20


3.2 Diffie-Hellman Key Exchange . . . . . . . . . . . . . . . . . . . . . 25
3.3 ElGamal Cipher . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

4 Elliptic Curve Cryptography . . . . . . . . . . . . . . . . . . . . . . . . 34

4.1 Elliptic Curves . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34


4.2 Diffie-Hellman Key Exchange for Elliptic Curves . . . . . . . . . . 41
4.3 ElGamal Cipher for Elliptic Curves . . . . . . . . . . . . . . . . . 43
4.4 The Elliptic Curve Digital Signature Algorithm . . . . . . . . . . . 45

Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

CHAPTER 1

INTRODUCTION

1.1 Motivation

In cryptography people design systems which can be used for protecting data. A cryptographic cipher can be used to encrypt information so that it cannot be read except by the person who can decrypt it. It is as if you put the message which you want safe into a box with a lock on it; that way only someone with the key to the lock can read the message. Information security is an extremely important and relevant problem in the world, particularly in this day and age in which so much of our communication occurs over the internet. Think about the last time you paid for something online with your credit card. Did you trust that your card information was safe and that it couldn’t be stolen by someone intercepting it? It most likely was safe, and that was most likely thanks to cryptography!

Modern cryptography relies heavily on concepts from number theory. We are going to learn several different cryptographic ciphers and focus on what types of mathematical concepts we can find by exploring them. Chapters 2 and 3 should be very accessible to anyone who is familiar with elementary number theory or group theory. In each of those chapters, we will do a brief refresher of the main mathematical concepts which we will use before we jump into learning the cryptographic ciphers. Chapter 4 will look into the study of elliptic curves and their applications to cryptography. In that chapter we will give an introduction to elliptic curves before studying the way they can be used in cryptographic ciphers. So you do not need to have any prior exposure to elliptic curves to be able to study that section. It may be helpful, however, to have some familiarity with finite fields in order to easily understand the theory of elliptic curves which we will discuss.

1.2 Public-Key vs. Private-Key Ciphers

The main purpose of both public-key and private-key cryptographic ciphers is to be able to send important or sensitive messages and information from party to party in such a way that it cannot be intercepted or tampered with. Some examples could be communicating military plans or banks sending information about money transfers. Public-key and private-key ciphers provide two techniques for this. In each of these types of ciphers we will discuss encryption keys and decryption keys. The encryption key is what will be used to encode the message from “plaintext” into “ciphertext”, whereas the decryption key is what will be used to decode the ciphertext back into the plaintext message [1].

In a private-key cipher (also known as a symmetric cipher) knowledge of the encryption key is equivalent to knowledge of the decryption key. A simple example of this is Caesar’s Cipher, which is a very simple shift cipher. To do this you take each letter in your message and replace it with a different letter which is a fixed number of places further in the alphabet. For example you could replace A with E, B with F, C with G, etc. To decrypt the message you simply reverse shift the letters the same fixed amount you used in the encryption. So anyone who knows how the message was encrypted could decrypt it. Currently used symmetric ciphers are far more complicated and provide far more security than Caesar’s Cipher. The main idea to grasp at this point, however, is that in a private-key cipher both the encryption key and decryption key must be kept secret from those who are not a part of the communications at hand in order to ensure the cipher’s security. Because of this, encryption/decryption keys must be generated for pairs of people each time they wish to communicate. One thing to note is that because the encryption key and decryption key for a symmetric cipher are essentially equivalent we will sometimes only refer to the cipher having a single key.

In contrast, public-key ciphers (also known as asymmetric ciphers) are developed in such a way that knowledge of the encryption key gives no information as to what the decryption key is (at least not in any reasonable amount of computing time). A way in which public-key ciphers are developed is by making use of a mathematical problem which is “easy” in one direction, but “difficult” in the other direction. For example, the RSA Cipher which we will discuss in the next chapter uses the notion that multiplying two large primes together, each on the order of 10^{80} or larger, is relatively easy in a computational sense, versus trying to factor a large number, say on the order of 10^{160} or larger, into its prime factors, which is seemingly impossible to do in any realistic amount of time. This may not make perfect sense now, but as we move on to the sections describing the various public-key ciphers we will explain how it works in greater detail.

The benefit of a public-key cipher is that one person, say Bob, could use it to set up an encryption key which he then makes public while keeping his decryption key private to himself. Now several parties could look up Bob’s encryption key and send him a message which only he will be able to decrypt. This reduces the number of keys needed to be generated and remembered tremendously.

A disadvantage of public-key ciphers is that they are much more computationally costly than symmetric ciphers. A common method which is used in cryptography is to use a public-key cipher in order to encrypt and send a shared private key which can then be used for communication using a faster running symmetric cipher. This shared private key will be used for a single session of communication and then discarded after that session is finished.

CHAPTER 2

NUMBER THEORY AND THE RSA CIPHER

2.1 Elementary Number Theory

In this section we will be outlining several topics from number theory which we will need in order to explore the mathematics behind the cryptographic cipher known as the RSA Cipher. The RSA Cipher is a wonderful example of a real world application of the theoretical topics learned in elementary number theory. As you read through this section you will find that we have omitted much of the material surrounding the definitions and theorems given, and instead trimmed it down into just the basics which we will need to recall when we learn the RSA cipher. If you need a more in depth explanation of any of these topics there are several wonderful resources such as [3] and [7] referenced at the conclusion of this paper.

Definition 2.1.1. Suppose we have two integers a and b with a ≠ 0. If an integer c exists so that we can write b = ac then we say that a divides b, or that a is a divisor of b. Often we will use the notation a | b which is read as “a divides b.”

Lemma 2.1.1. Suppose we have two integers a and b with a common divisor d ≠ 0. That is, d | a and d | b. Then we will have d | (ra + sb) for any integers r and s.

Proof. Because d is a divisor of both a and b we can write a = dj and b = dk for some integers j and k. Then ra + sb = r(dj) + s(dk) = d(rj + sk). Since (rj + sk) is an integer it follows that d | (ra + sb).

Proposition 2.1.1. Given two non-negative integers a and b, with a ≠ 0, there exists a pair of unique integers q and r with 0 ≤ r < a such that b = aq + r. We call q the quotient and r the remainder when b is divided by a.

Finding such a quotient and remainder is what we do when performing long division. After doing long division it is common to represent the ratio of b divided by a as
$$\frac{b}{a} = q + \frac{r}{a},$$
but we can see that this statement is equivalent to the statement b = aq + r given in the proposition above.

Definition 2.1.2. The greatest common divisor of two non-zero integers a and b is the largest integer c such that c divides both a and b. This is denoted by gcd(a, b) = c or sometimes by (a, b) = c; however, we will use the former notation in this text. If the greatest common divisor of a and b is 1 then we say that a and b are relatively prime.

There is a very useful procedure for computing the greatest common divisor of two positive integers. It is known as the Euclidean algorithm. Let us suppose we have two positive integers a and b, with a ≤ b, and let d = gcd(a, b). By Proposition 2.1.1, we can write b = aq_1 + r_1 with 0 ≤ r_1 < a. Then because d | a and d | b it follows that d | r_1, since we can write r_1 = b − aq_1. So d is a common divisor of a and r_1. Continuing the process, next we write a = r_1 q_2 + r_2. Now, because d | a and d | r_1 we have d | r_2, because we can write r_2 = a − r_1 q_2. So similarly, we can conclude that d is also a common divisor of r_1 and r_2. Iterating this process we continue until we obtain an r_{k+1} = 0. Then we have that d = r_k. We can see that the process will terminate because the remainders are getting smaller with each iteration, but remain non-negative by definition, so eventually we must reach a remainder of zero. It should be clear that r_k is a common divisor of a and b, but we will omit the proof that r_k is actually the greatest common divisor. Let us do a few examples to better understand this algorithm.

Example: Find gcd(522, 213). First divide 522 by 213.

522 = 213(2) + 96

Next, divide 213 by the remainder 96 and continue this process.

213 = 96(2) + 21

96 = 21(4) + 12

21 = 12(1) + 9

12 = 9(1) + 3

9 = 3(3) + 0.

So gcd(522, 213) = 3.

Example: Find gcd(1549, 726). Using the Euclidean Algorithm we find,

1549 = 726(2) + 97

726 = 97(7) + 47

97 = 47(2) + 3

47 = 3(15) + 2

3 = 2(1) + 1.

The next remainder we obtain will be zero, so gcd(1549, 726) = 1.

Definition 2.1.3. We say that a number p is prime if it is an integer greater than 1 whose only positive divisors are 1 and itself. An integer greater than 1 which is not prime is said to be composite.

Theorem 2.1.1. (The Fundamental Theorem of Arithmetic) Given an integer greater than 1 we can write that integer as a unique product of primes (up to reordering of the factors).

Examples: 10 = 2 · 5, since 2 and 5 are prime. 7800 = 2^3 · 3 · 5^2 · 13 because 2, 3, 5, and 13 are prime. 23 = 23 since 23 is a prime number.

Definition 2.1.4. For a positive integer m, which we will call our modulus, we say that two integers a and b are congruent modulo m if m | (a − b), or equivalently if a and b have the same remainder when divided by m. Symbolically this is written as a ≡ b (mod m), which is read as “a is congruent to b mod m.”

Examples: 23 is congruent to 3 modulo 10 since 10 | (23 − 3) = 20. Also we have 59 ≡ −6 (mod 13) because 13 | (59 − (−6)) = 65. We find, though, that 7 ≢ 3 (mod 5) since 5 ∤ (7 − 3) = 4.

Definition 2.1.5. Given an integer a and a positive integer n satisfying gcd(a, n) = 1, we define the multiplicative inverse of a modulo n to be an integer d such that ad ≡ 1 (mod n). This d is sometimes represented symbolically by d = a^{−1}.

The Euclidean Algorithm which we described earlier can provide a convenient way of finding multiplicative inverses modulo n. The way we can do this is by first using the algorithm to show that gcd(a, n) = 1. We then work backwards through the equations that were found in order to represent 1 = ad + nc for some integers d and c. We then will have that the multiplicative inverse of a modulo n is d. This is because if we consider the equation 1 = ad + nc modulo n then we see:

1 ≡ ad + nc ≡ ad + 0 ≡ ad (mod n).

Let us do a few examples to see how this works.

Example: Find the multiplicative inverse of 9 modulo 32. First let us perform the Euclidean Algorithm to show that gcd(32, 9) = 1; this is seen in the left hand column below. At each step we will also solve for the remainder in the equation, which can be seen in the right hand column below. These remainder equations are then labeled in a reverse ordering for later reference.

32 = 9(3) + 5 → 5 = 32 − 9(3) (iii)
9 = 5(1) + 4 → 4 = 9 − 5(1) (ii)
5 = 4(1) + 1 → 1 = 5 − 4(1) (i)

Now we work backwards through these equations. First we use the last equation (i) which states 1 = [5 − 4(1)]. Next we use the second to last equation (ii) to substitute 4 = [9 − 5(1)] into our previous expression. We then distribute and group our terms to obtain an expression of 1 = 9j + 5k for some integers j and k. Lastly we will replace 5 = [32 − 9(3)] (iii) and again group our terms to obtain the desired equation in terms of 32 and 9.

1 = [5 − 4(1)] (i)
= 5 − [9 − 5(1)] (ii)
= 5 − 9 + 5 distribute
= 9(−1) + 5(2) group terms
= 9(−1) + 2[32 − 9(3)] (iii)
= 9(−1) + 32(2) + 9(−6) distribute
= 32(2) + 9(−7) group terms

Thus we see that 9^{−1} ≡ −7 ≡ 25 (mod 32). We can confirm this by checking that 9(−7) ≡ −63 ≡ 1 (mod 32).

Example: Find the multiplicative inverse of 726 modulo 1549. Recall earlier we used the Euclidean Algorithm to find that gcd(1549, 726) = 1 by finding:

1549 = 726(2) + 97 → 97 = 1549 − 726(2) (v)
726 = 97(7) + 47 → 47 = 726 − 97(7) (iv)
97 = 47(2) + 3 → 3 = 97 − 47(2) (iii)
47 = 3(15) + 2 → 2 = 47 − 3(15) (ii)
3 = 2(1) + 1 → 1 = 3 − 2(1) (i)

Working backwards through these equations we obtain:

1 = [3 − 2] (i)
= 3 − [47 − 3(15)] (ii)
= −47 + 3(16)
= −47 + 16[97 − 47(2)] (iii)
= 97(16) − 47(33)
= 97(16) − 33[726 − 97(7)] (iv)
= −726(33) + 97(247)
= −726(33) + 247[1549 − 726(2)] (v)
= 726(−527) + 1549(247).

Thus 726^{−1} ≡ −527 ≡ 1022 (mod 1549).
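
The two inverse computations above can be mechanized. The following is an added example, not part of the thesis: it records the division steps of the Euclidean Algorithm exactly as they are written out by hand, then runs the extended form, which carries the back-substitution coefficients forward at each step so that gcd(a, b) = ax + by comes out directly, and reads the multiplicative inverse off that equation.

```python
from typing import List, Tuple


def euclid_steps(b: int, a: int) -> List[Tuple[int, int, int, int]]:
    """Record each division b = a*q + r of the Euclidean Algorithm.

    Returns (dividend, divisor, quotient, remainder) rows in the order they
    would be written by hand, ending with the row whose remainder is 0.
    """
    steps = []
    while a != 0:
        q, r = divmod(b, a)
        steps.append((b, a, q, r))
        b, a = a, r
    return steps


def gcd(a: int, b: int) -> int:
    """gcd via the Euclidean Algorithm: the last non-zero remainder."""
    a, b = abs(a), abs(b)
    while b:
        a, b = b, a % b
    return a


def extended_gcd(a: int, b: int) -> Tuple[int, int, int]:
    """Return (g, x, y) with g = gcd(a, b) and a*x + b*y = g.

    Rather than substituting backwards afterwards, every remainder r is kept
    together with coefficients (s, t) such that r = a*s + b*t; both are
    updated with the same quotient that produced the next remainder.
    """
    old_r, r = a, b
    old_s, s = 1, 0
    old_t, t = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
        old_t, t = t, old_t - q * t
    return old_r, old_s, old_t


def mod_inverse(a: int, n: int) -> int:
    """Least positive residue d with a*d ≡ 1 (mod n); requires gcd(a, n) = 1."""
    g, x, _ = extended_gcd(a, n)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {n}: gcd is {g}")
    return x % n  # x may be negative (e.g. -7 for 9 mod 32); reduce into (0, n)


if __name__ == "__main__":
    for b, a, q, r in euclid_steps(522, 213):
        print(f"{b} = {a}({q}) + {r}")
    print("gcd(522, 213) =", gcd(522, 213))
    g, x, y = extended_gcd(32, 9)
    print(f"32({x}) + 9({y}) = {g}")
    print("9^-1 mod 32 =", mod_inverse(9, 32))
    print("726^-1 mod 1549 =", mod_inverse(726, 1549))
```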

Definition 2.1.6. The Euler φ-function, φ(n), is defined to be the number of positive integers less than or equal to n which are relatively prime to n.

Examples: Consider n = 10. We see that the only positive integers k ≤ 10 such that gcd(k, 10) = 1 are k = 1, 3, 7, 9. Thus we have φ(10) = 4.

Consider n = 7. Then all positive integers strictly less than 7 are relatively prime to 7, since 7 is a prime number. So φ(7) = 7 − 1 = 6.

Another example is φ(1) = 1 because the only positive integer k ≤ 1 is k = 1 and gcd(1, 1) = 1.

Proposition 2.1.2. φ(n) is a multiplicative function. This means that if gcd(a, b) = 1 then φ(ab) = φ(a)φ(b).

We can find a formula for computing φ(n), given the prime factorization of n. We do this by first considering cases where n is a prime power.

Consider n = p for any prime p. Then we see that all positive integers k < p satisfy gcd(k, p) = 1. There are p − 1 such k, thus φ(p) = p − 1.

Consider n = p^j where p is any prime and j is any positive integer. The only integers which will have a common (non-trivial) factor with p^j are multiples of p. The multiples of p less than or equal to p^j are: p, 2p, 3p, ..., (p^{j−1})p = p^j. So we see that there are p^{j−1} such multiples. We can then conclude that the number of positive integers less than or equal to p^j which are relatively prime to p^j will be
$$\varphi(p^j) = p^j - p^{j-1} = p^j\left(1 - \frac{1}{p}\right).$$

We can now conclude the following proposition:

Proposition 2.1.3. For a positive integer n where n = p_1^{a_1} p_2^{a_2} ··· p_k^{a_k} we have
$$\varphi(n) = n \prod_{i=1}^{k}\left(1 - \frac{1}{p_i}\right).$$

Proof. Since φ(n) is multiplicative we have
$$\begin{aligned}
\varphi(n) &= \varphi(p_1^{a_1})\,\varphi(p_2^{a_2})\cdots\varphi(p_k^{a_k}) \\
&= p_1^{a_1}\left(1-\frac{1}{p_1}\right) p_2^{a_2}\left(1-\frac{1}{p_2}\right)\cdots p_k^{a_k}\left(1-\frac{1}{p_k}\right) \\
&= p_1^{a_1}p_2^{a_2}\cdots p_k^{a_k}\left(1-\frac{1}{p_1}\right)\left(1-\frac{1}{p_2}\right)\cdots\left(1-\frac{1}{p_k}\right) \\
&= n\left(1-\frac{1}{p_1}\right)\left(1-\frac{1}{p_2}\right)\cdots\left(1-\frac{1}{p_k}\right) \\
&= n\prod_{i=1}^{k}\left(1-\frac{1}{p_i}\right).
\end{aligned}$$

An alternative way of representing this product is to write
$$\varphi(n) = n\prod_{p \mid n}\left(1 - \frac{1}{p}\right),$$
where it is understood that this will mean to index the product over all prime divisors of n.

Theorem 2.1.2. (Euler’s theorem) For two positive integers n and m which are relatively prime we have that

m^{φ(n)} ≡ 1 (mod n)

where φ(n) is the Euler φ-function.

Examples: Let n = 10. We saw earlier that φ(10) = 4. Consider m = 3. We have that gcd(3, 10) = 1 and we can confirm that 3^4 ≡ 81 ≡ 1 (mod 10).

Let n = 7 and m = 2. Then φ(7) = 7 − 1 = 6, and we have gcd(2, 7) = 1. We can confirm that 2^6 ≡ (2^3)^2 ≡ (8)^2 ≡ (1)^2 ≡ 1 (mod 7).

It is interesting to point out that Euler’s Theorem is a generalization of Fermat’s Little Theorem, which states that for any prime p and integer a we have a^p ≡ a (mod p). Restricting a to be not divisible by p then makes Fermat’s Little Theorem equivalent to a^{p−1} ≡ 1 (mod p), which is the same as Euler’s Theorem in the case that n is a prime p. Also, for those readers familiar with groups, we can see that Euler’s theorem is a specific case of the fact that in a finite group, the order of an element of that group divides the order of the group.
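
As an added example (not from the thesis), the following computes φ(n) two ways, by the product formula of Proposition 2.1.3 over a trial-division factorization and by direct counting from Definition 2.1.6, and then checks Euler’s Theorem on the examples above. It also shows that the hypothesis gcd(m, n) = 1 cannot be dropped.

```python
from math import gcd
from typing import Dict


def prime_factorization(n: int) -> Dict[int, int]:
    """Trial division: {prime: exponent}, e.g. 7800 -> {2: 3, 3: 1, 5: 2, 13: 1}."""
    if n < 1:
        raise ValueError("n must be a positive integer")
    factors: Dict[int, int] = {}
    p = 2
    while p * p <= n:
        while n % p == 0:
            factors[p] = factors.get(p, 0) + 1
            n //= p
        p += 1
    if n > 1:  # whatever remains has no divisor <= its square root, so it is prime
        factors[n] = factors.get(n, 0) + 1
    return factors


def phi_by_formula(n: int) -> int:
    """Euler phi via Proposition 2.1.3: phi(n) = n * prod (1 - 1/p) over primes p | n.

    Each factor is applied as n // p * (p - 1); p divides the running value,
    so every intermediate result stays an exact integer.
    """
    result = n
    for p in prime_factorization(n):
        result = result // p * (p - 1)
    return result


def phi_by_counting(n: int) -> int:
    """Euler phi straight from Definition 2.1.6: count 1 <= k <= n with gcd(k, n) = 1."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)


def euler_theorem_holds(m: int, n: int) -> bool:
    """Test m^phi(n) ≡ 1 (mod n); Theorem 2.1.2 guarantees it when gcd(m, n) = 1.

    Without that hypothesis the congruence generally fails, for example
    5^phi(10) = 5^4 = 625 ≡ 5 (mod 10).
    """
    return pow(m, phi_by_formula(n), n) == 1


if __name__ == "__main__":
    for n in (1, 7, 10, 7800, 3149):
        assert phi_by_formula(n) == phi_by_counting(n)
        print(f"phi({n}) = {phi_by_formula(n)}  factors: {prime_factorization(n)}")
    print("3^phi(10) ≡ 1 (mod 10):", euler_theorem_holds(3, 10))
    print("2^phi(7)  ≡ 1 (mod 7): ", euler_theorem_holds(2, 7))
    print("5^phi(10) ≡ 1 (mod 10):", euler_theorem_holds(5, 10))
```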

2.2 The RSA Cipher

One of the most well known and widely used public-key cipher systems is the RSA Cipher [1, 8]. It is named for its authors Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the system in 1977. Clifford Cocks, a cryptographer working for the British government, independently discovered an equivalent encryption cipher to RSA in 1973, but his work was not declassified until 1997, so Rivest, Shamir and Adleman are commonly credited with the discovery of the cipher [8]. The security of this system is based upon the difficulty of factoring large numbers into their prime factorizations. This cipher is a wonderful example of an application of elementary number theory topics to the realm of cryptography. The cipher utilizes topics such as congruences, modular exponentiation, modular multiplicative inverses, the Euler φ-function, and Euler’s Theorem. We will first explain how the cipher works and work through an example of its implementation. We then will delve into some of the mathematics behind how it works.

The RSA Cipher: Bob wishes to establish a public encryption key so that people may send him encrypted messages which only he can decrypt. To do so, first Bob will choose two secret large prime numbers, p and q. Bob then forms his modulus n by computing n = pq. Next, Bob will choose an integer e such that gcd(e, (p − 1)(q − 1)) = 1. This e will serve as his encryption key. Bob then computes his decryption key d such that de ≡ 1 (mod (p − 1)(q − 1)). That is, d is the multiplicative inverse of e modulo (p − 1)(q − 1). Bob then makes n and e public, keeping p, q, and d secret.

If Alice wants to send a secret message to Bob, she will first convert her plaintext message into an integer m. (Note that if m ≥ n then Alice should break up m into several blocks which are each smaller than n and send the blocks individually. For now we will assume m < n.) Alice then encrypts her plaintext message m into her ciphertext c by computing

c ≡ m^e (mod n)

and choosing the value for c such that 0 < c < n. Alice will send the ciphertext c to Bob.

In order to read Alice’s message, Bob will then decrypt her ciphertext c by computing

m ≡ c^d (mod n)

and choosing the value m which satisfies 0 < m < n.

We will do an example now to see how this cipher will work before we continue on to explore the mathematics behind why it works.

Example: For this example we will use small numbers in order to simplify the work. In practice, however, numbers such as the choice of n will need to be on the order of 10^{160}. For a few of the computations we will still likely need the use of a computer.

Bob chooses his prime numbers p = 47 and q = 67 and then computes n = pq = 3149. Next he needs to choose an encryption key e so that gcd(e, (p − 1)(q − 1)) = 1. We see that since p = 47 and q = 67 then (p − 1)(q − 1) = 3036. Bob chooses e = 5. We can use the Euclidean Algorithm to verify that gcd(5, 3036) = 1. We write:

3036 = (607)5 + 1
5 = (5)1 + 0.

So indeed we have gcd(5, 3036) = 1. Now Bob must compute his decryption exponent d as the multiplicative inverse of e modulo (p − 1)(q − 1). That is, we need:

d ≡ 5^{−1} (mod 3036).

Working backwards through the Euclidean Algorithm we see that

3036 + (−607)5 = 1.

Considering this modulo 3036 we see

0 + (−607)5 ≡ 1 (mod 3036)
(2429)5 ≡ 1 (mod 3036).

Thus we have that d = 2429. Bob now has his secret primes p and q, his modulus n, his encryption key e and his decryption key d. Bob keeps p, q, and d secret, and he makes n and e public so that Alice can send him an encrypted message.

Suppose Alice wants to send the plaintext message “HI” to Bob. One way Alice could convert her message into an integer m is to use a basic mapping of A → 01, B → 02, etc. So “HI” becomes m = 0809 = 809, which is strictly less than n = 3149. Then Alice takes Bob’s encryption key and computes

c ≡ m^e (mod n)

obtaining

c ≡ 809^5 ≡ 2522 (mod 3149).

An efficient technique for computing powers modulo n is successive squaring. To do this we rewrite the exponent as a sum of powers of 2. So for the above example we would write 5 = 4 + 1 = 2^2 + 2^0. Then we would compute

809^5 ≡ 809^{4+1} ≡ (809^2)^2 (809)^1 ≡ (654481)^2 (809) (mod 3149).

To simplify the process we continually reduce modulo 3149 as we compute multiplications. We see that 654481 ≡ 2638 (mod 3149). So by reducing, next we will obtain:

(654481)^2 (809) ≡ (2638)^2 (809) ≡ (6959044)(809) ≡ (2903)(809) ≡ 2348527 ≡ 2522 (mod 3149).

So Alice has computed that c ≡ 2522 (mod 3149) and since 0 < 2522 < 3149 she will choose c = 2522. Alice then sends her ciphertext c to Bob.

Bob can now decrypt Alice’s message as

m ≡ c^d (mod n)
m ≡ 2522^{2429} ≡ 809 (mod 3149).

He notes that 0 < 809 < 3149, so Bob knows that Alice’s message m must be m = 809. So we see Bob was able to recover and read Alice’s message “HI”.

This example allows us to see that the RSA cipher works. That is, Alice was able to encrypt her message, send it to Bob, and Bob was then able to properly decrypt it and read her message. What is not as easy to see is why the cipher works. To see this we will use several of the number theory topics we have discussed so far.

Let us look at several of the elements of the RSA cipher and figure out why we chose things to have the described qualities.

Why do we choose e such that gcd(e, (p − 1)(q − 1)) = 1? Looking ahead in the cipher algorithm we see that the decryption key d is chosen so that d ≡ e^{−1} (mod (p − 1)(q − 1)). Thus e must have a multiplicative inverse modulo (p − 1)(q − 1), and recall that this inverse exists if and only if gcd(e, (p − 1)(q − 1)) = 1. Thus we need this property for e in order to have a decryption key d exist.


Why is it now then that we choose d so that de ≡ 1 (mod (p − 1)(q − 1))? What is special about (p − 1)(q − 1) when n = pq? Recall Euler’s φ-function. We have that
$$\varphi(n) = n\prod_{p \mid n}\left(1 - \frac{1}{p}\right),$$
where p runs over the primes dividing n. Thus for our choice of n = pq where p and q are primes we see
$$\varphi(n) = \varphi(pq) = pq\left(1 - \frac{1}{p}\right)\left(1 - \frac{1}{q}\right) = (p-1)(q-1).$$

Then since de ≡ 1 (mod φ(n)) we are able to write de = 1 + kφ(n) for some integer k. Euler’s Theorem then tells us that for two positive integers, a and n, if gcd(a, n) = 1 then we have a^{φ(n)} ≡ 1 (mod n).

Now consider the following:
$$c^d \equiv (m^e)^d \equiv m^{de} \equiv m^{1 + k\varphi(n)} \equiv m^1 \cdot \left(m^{\varphi(n)}\right)^k \equiv m \cdot 1^k \equiv m \pmod{n}.$$

So indeed, because of the construction of e, d, and c we have proved mathematically that Bob is able to successfully recover the secret message m.

You may have noticed that Euler’s Theorem has a condition that gcd(a, n) = 1. But in the RSA cipher we never state that we need m relatively prime to n. In fact, because of the construction of the RSA algorithm we do not need the condition gcd(m, n) = 1. The cipher will still work even if they are not relatively prime. A curious reader could prove this by following the outline given in Chapter 6, Exercise 19 of [8].

Intuitively we can also discover, however, that the probability of having an m such that gcd(m, n) ≠ 1 is extremely small for our choice of n = pq where p and q are very large primes. That is because to have gcd(m, n) ≠ 1 we must have that m is a positive multiple of p or of q. Suppose that we would like to find a random integer k in the range 0 < k ≤ n = pq. The probability that k will be divisible by p or q will be
$$\frac{q}{pq} + \frac{p}{pq} - \frac{1}{pq} = \frac{1}{p} + \frac{1}{q} - \frac{1}{pq}.$$
That is because the positive multiples of p which are less than or equal to n are p, 2p, 3p, . . . , qp = n. So there are q such possibilities. Similarly the positive multiples of q which are less than or equal to n are q, 2q, 3q, . . . , pq = n. So there are p such possibilities. We then get the final result by adding up these two probabilities and subtracting off the overlap (that k = pq = qp = n). So if p and q are large numbers then the probability of m and n not being relatively prime is extremely small.

The security of the RSA cipher is based on the difficulty of factoring large integers into their prime factorization. The decryption key d is easily computed when φ(n) is known; however, φ(n) is not easily known without having the prime factorization n = pq, which is difficult to deduce from knowing only n.

To give a bit of intuition behind this, consider that a common way of looking for prime factors of a number n is to divide n by all of the prime numbers less than or equal to √n and see if they divide n. In mathematics there is a prime-counting function π(x) which gives the number of primes less than or equal to x. The Prime Number Theorem tells us that
$$\frac{x}{\ln x}$$
is a good approximation for π(x) as x → ∞. So for a large value of n, we will have that π(√n) is a very large number. That would lead to many divisibility checks needing to be made, which would be an extremely time consuming computational process. This example is certainly not the best way of attempting to factor n, but it gives some intuition as to why it is hard to factor n. Even the best known algorithms for attempting to factor n are very “bad” in that they take an infeasible amount of time to run if n is very large [1, 8].

Something important to notice about the RSA algorithm is how c and m are chosen after the modular computation has been completed. In order to determine them we calculate that c ≡ m^e (mod n) and m ≡ c^d (mod n). When we compute a (mod n) what we are really finding are equivalence classes of numbers which all have the same remainder when divided by n. This is called the residue class of a modulo n and can be denoted ⟦a⟧_n. So for example we see that r ≡ 2 (mod 5) is really describing the set of numbers {..., −8, −3, 2, 7, 12, ...} = ⟦2⟧_5. In the RSA algorithm, however, what we really want are particular numbers c and m. This is why we choose c and m so that they lie in the interval (0, n). In doing so we guarantee the uniqueness of c and m for the use of the cipher. Such a c and m are called the least positive residue of m^e (mod n) and c^d (mod n) respectively. That is to say, for example, c is the smallest positive integer in ⟦m^e⟧_n. (Note that based on our original creation of m we will not have c or m equal to 0 in the RSA cipher. In general settings, however, a residue can be 0 and so the least non-negative residue is used.)

When implementing this in computer code we would often use b = a % n rather than using b ≡ a (mod n) and specifying which value of b to choose. The expression a % n returns the least non-negative residue of a (mod n), which is precisely the desired result. (Languages differ on negative a: Python’s % always returns a value in [0, n), whereas C’s % can return a negative remainder, which must then be brought into range by adding n.)
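
The worked example of this section, as an added example in code rather than the thesis’s own: successive squaring implemented as a bit-by-bit scan of the exponent with a reduction after every multiplication, key generation from Bob’s primes p = 47, q = 67 and e = 5, the A → 01 encoding of “HI”, and the round trip m = 809 → c = 2522 → m. The modular inverse is obtained with Python’s built-in pow(e, -1, φ) (Python 3.8 or newer), which performs the same Euclidean computation worked by hand above. The last line demonstrates the claim that decryption still succeeds when gcd(m, n) ≠ 1.

```python
from math import gcd
from typing import Tuple


def mod_pow(base: int, exponent: int, n: int) -> int:
    """Successive squaring: base^exponent mod n, reducing after every product.

    The exponent is consumed one binary digit at a time (5 = 2^2 + 2^0), which
    is the 'rewrite the exponent as a sum of powers of 2' step of the text;
    intermediate values never exceed n^2, however large the exponent is.
    """
    if n < 1:
        raise ValueError("modulus must be positive")
    result = 1 % n
    base %= n
    while exponent > 0:
        if exponent & 1:             # this power of two occurs in the exponent
            result = (result * base) % n
        base = (base * base) % n     # 809 -> 809^2 -> 809^4 -> ... (mod n)
        exponent >>= 1
    return result


def rsa_keygen(p: int, q: int, e: int) -> Tuple[Tuple[int, int], int]:
    """Return ((n, e), d) from Bob's secret primes and his chosen exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)          # phi(pq) for distinct primes p and q
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to (p - 1)(q - 1)")
    d = pow(e, -1, phi)              # least positive residue of e^-1 mod phi
    return (n, e), d


def encode_text(text: str) -> int:
    """A -> 01, B -> 02, ..., Z -> 26, concatenated: 'HI' -> 0809 -> 809."""
    if not text.isalpha() or not text.isupper():
        raise ValueError("plaintext must consist of uppercase letters A-Z")
    return int("".join(f"{ord(ch) - 64:02d}" for ch in text))


def decode_text(m: int) -> str:
    """Inverse of encode_text; restores the leading zero that int() dropped."""
    digits = str(m)
    if len(digits) % 2:
        digits = "0" + digits
    return "".join(chr(int(digits[i:i + 2]) + 64) for i in range(0, len(digits), 2))


def encrypt(public_key: Tuple[int, int], m: int) -> int:
    """c = least positive residue of m^e mod n; requires a block with 0 < m < n."""
    n, e = public_key
    if not 0 < m < n:
        raise ValueError("message block must lie strictly between 0 and n")
    return mod_pow(m, e, n)


def decrypt(public_key: Tuple[int, int], d: int, c: int) -> int:
    """m = least positive residue of c^d mod n."""
    n, _ = public_key
    return mod_pow(c, d, n)


if __name__ == "__main__":
    public, d = rsa_keygen(47, 67, 5)          # ((3149, 5), 2429)
    m = encode_text("HI")                      # 809
    c = encrypt(public, m)                     # 2522
    print(f"public key {public}, d = {d}, m = {m}, c = {c}")
    print("recovered:", decode_text(decrypt(public, d, c)))
    # gcd(94, 3149) = 47, yet the round trip still returns 94:
    print("m = 94 ->", decrypt(public, d, encrypt(public, 94)))
```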

CHAPTER 3

CRYPTOGRAPHIC SYSTEMS BASED ON THE

DISCRETE LOGARITHM PROBLEM

3.1 The Discrete Logarithm Problem

There is a famous problem in mathematics known as the Discrete Logarithm Problem (DLP) which has been widely used in the world of cryptography. The DLP has the potential of being a very difficult problem to solve, and so cryptographers have created ciphers in which cracking the system would require solving the DLP. We will explain this in greater detail once we define the Discrete Log Problem, but before we do so, we will explain several preliminary concepts. For more in depth explanations of any of these topics, readers can reference [3] or [7].

Definition 3.1.1. The multiplicative group of units modulo n, represented by the notation (Z/nZ)^×, is the set of integers k with 1 ≤ k < n such that gcd(k, n) = 1, combined with the operation of multiplication modulo n.

Definition 3.1.2. Given a positive integer n and an integer a satisfying gcd(a, n) = 1 we define the multiplicative order of a modulo n to be the smallest positive integer k such that a^k ≡ 1 (mod n). We will denote this by ord_n(a) = k.

Example: Consider n = 9 and find the order of a = 4 modulo 9.

4^1 ≡ 4 ≢ 1 (mod 9),
4^2 ≡ 16 ≡ 7 ≢ 1 (mod 9),
4^3 ≡ (4^2)(4) ≡ 7 · 4 ≡ 28 ≡ 1 (mod 9).

So ord_9(4) = 3 since 3 is the smallest positive integer k satisfying 4^k ≡ 1 (mod 9).

We saw in Section 2.1 (Theorem 2.1.2) that for any a satisfying gcd(a, n) = 1 we had a^φ(n) ≡ 1 (mod n). Thus we can conclude that we must have ord_n(a) ≤ φ(n). A much stronger conclusion can be shown, which states that ord_n(a) must divide φ(n). For those familiar with group theory, this is a specific instance of the order of an element dividing the order of the group (Lagrange's theorem), since the order of the group (Z/nZ)^× is φ(n). Knowing this fact can make the process of finding the order of an element much easier. Rather than checking all possible exponents from 1 up to φ(n), we only need to check those exponents which are divisors of φ(n). For the above example, φ(9) = 6, whose divisors are 1, 2, 3 and 6, so we could have determined in advance that ord_9(4) was one of these four values and only checked them: 4^1 ≢ 1 and 4^2 ≢ 1 rule out 1 and 2, and 4^3 ≡ 1 settles the matter without ever computing 4^4 or 4^5.

Definition 3.1.3. Given a positive integer n we call an integer g a primitive root modulo n if every integer a which is relatively prime to n can be expressed as g^k ≡ a (mod n) for some positive integer k.

This is the same as saying that g satisfies ord_n(g) = φ(n). Thinking of this in terms of group theory, this would mean that the group (Z/nZ)^× is cyclic and that g is a generator for that group.

It is important to note that in general primitive roots will not exist for all arbitrary

n. The following theorem states for which moduli n a primitive root will exist.

Theorem 3.1.1. Given a positive integer n, a primitive root modulo n exists if and only if n is of one of the following forms:

• n = p^k for an odd prime p and an integer k ≥ 1
• n = 2p^k for an odd prime p and an integer k ≥ 1
• n = 2 or n = 4

It is sometimes also noted that n = 1 has a primitive root trivially. The main point which we will take away from this theorem, for use in the cryptographic ciphers we will discuss, is that every modulus which is an odd prime will have a primitive root.

Examples: Consider n = 10. We see that 10 = 2 · 5, and since 5 is an odd prime it follows that there is a primitive root modulo 10. We will show that g = 3 is a primitive root modulo 10. The integers less than or equal to 10 which are relatively prime to 10 are 1, 3, 7, and 9. We see:

3^1 ≡ 3 (mod 10),
3^2 ≡ 9 (mod 10),
3^3 ≡ 27 ≡ 7 (mod 10),
3^4 ≡ 81 ≡ 1 (mod 10).

So we can see that g = 3 generates all of the integers relatively prime to 10. We also see that ord_10(3) = 4 = φ(10).

Consider n = 7. Since 7 is prime, a primitive root exists. We will show that g = 5 is a primitive root modulo 7. All positive integers strictly less than 7 are relatively prime to 7, and so for each such integer j there should be an exponent k such that 5^k ≡ j (mod 7). Consider:

5^1 ≡ 5 (mod 7),
5^2 ≡ 25 ≡ 4 (mod 7),
5^3 ≡ (5^2)(5) ≡ (4)(5) ≡ 20 ≡ 6 (mod 7),
5^4 ≡ (5^3)(5) ≡ (6)(5) ≡ 30 ≡ 2 (mod 7),
5^5 ≡ (5^4)(5) ≡ (2)(5) ≡ 10 ≡ 3 (mod 7),
5^6 ≡ (5^5)(5) ≡ (3)(5) ≡ 15 ≡ 1 (mod 7).

So indeed 5 is a primitive root modulo 7 and ord_7(5) = 6 = φ(7).

When working with a modulus n which we know has a primitive root, we can find a more efficient way to check whether g is a primitive root modulo n. Recall from above that ord_n(a) must divide φ(n) (and in particular is at most φ(n)), and that g is a primitive root modulo n exactly when ord_n(g) = φ(n). Thus we can check that g is a primitive root modulo n by checking that no proper divisor k of φ(n) satisfies g^k ≡ 1 (mod n): then no proper divisor of φ(n) is the order of g modulo n, so we must have ord_n(g) = φ(n) and g is a primitive root modulo n. Another important note is that if ord_n(g) = k then g^{ck} ≡ (g^k)^c ≡ 1^c ≡ 1 (mod n) for any positive integer c; equivalently, g^j ≡ 1 (mod n) exactly when k divides j. Thus we can use the following process to check whether g is a primitive root modulo n, when given the prime factorization of φ(n).

Check if g is a primitive root modulo n: Given φ(n) = p_1^{a_1} p_2^{a_2} ⋯ p_k^{a_k}, for each i = 1, 2, …, k compute g^{φ(n)/p_i} (mod n). If g^{φ(n)/p_i} ≢ 1 (mod n) for all i = 1, 2, …, k then g is a primitive root modulo n; otherwise g is not a primitive root modulo n.

This check works much faster than testing every proper divisor of φ(n) to see whether it is ord_n(g), since only k modular exponentiations are needed. It is correct because any proper divisor of φ(n) = p_1^{a_1} ⋯ p_k^{a_k} divides φ(n)/p_i for some i = 1, 2, …, k. Thus if ord_n(g) were a proper divisor of φ(n), it would divide φ(n)/p_i for some i, and so we would have g^{φ(n)/p_i} ≡ 1 (mod n) for that value of i.

Example: Check that g = 11 is a primitive root modulo p = 71 given that φ(p) = 70 = 2 · 5 · 7. Check the following:

11^{70/2} = 11^35 ≡ 70 ≢ 1 (mod 71),
11^{70/5} = 11^14 ≡ 54 ≢ 1 (mod 71),
11^{70/7} = 11^10 ≡ 32 ≢ 1 (mod 71).

So none of the proper divisors of φ(71) = 70 is the order of 11 modulo 71, so it must be that ord_71(11) = 70 = φ(71). Thus g = 11 is a primitive root modulo p = 71.
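As an added example (this code is not part of the thesis), here are the order computation and the primitive-root test of this section in Python. `prime_factors` is plain trial division, adequate only for the toy moduli used in these examples; the optional `phi_factors` argument exists because, as the text goes on to explain, in practice the factorization of φ(n) has to be known already rather than computed.

```python
from math import gcd


def prime_factors(n):
    """Distinct prime factors of n by trial division.

    Fine for the small moduli in these examples; factoring a
    cryptographic-size phi(n) this way is exactly the hard problem
    the text warns about.
    """
    factors = []
    d = 2
    while d * d <= n:
        if n % d == 0:
            factors.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        factors.append(n)
    return factors


def euler_phi(n):
    """phi(n) = n * prod(1 - 1/p) over the primes p dividing n."""
    result = n
    for p in prime_factors(n):
        result = result // p * (p - 1)
    return result


def multiplicative_order(a, n):
    """ord_n(a): the smallest k >= 1 with a^k = 1 (mod n).

    Because ord_n(a) divides phi(n), only the divisors of phi(n) are
    tried, in increasing order, so the first hit is the order.
    """
    if gcd(a, n) != 1:
        raise ValueError("ord_n(a) is only defined when gcd(a, n) = 1")
    phi = euler_phi(n)
    for k in range(1, phi + 1):
        if phi % k == 0 and pow(a, k, n) == 1:
            return k
    raise AssertionError("unreachable: a^phi(n) = 1 by Euler's theorem")


def is_primitive_root(g, n, phi_factors=None):
    """The test of Section 3.1: g is a primitive root modulo n iff
    g^(phi(n)/q) != 1 (mod n) for every prime q dividing phi(n).

    phi_factors lets the caller pass the known prime factors of phi(n),
    as one would for a prime p built with p - 1 of known factorization.
    """
    if gcd(g, n) != 1:
        return False
    phi = euler_phi(n)
    if phi_factors is None:
        phi_factors = prime_factors(phi)
    return all(pow(g, phi // q, n) != 1 for q in phi_factors)


def primitive_root_witnesses(g, n):
    """The residues g^(phi(n)/q) mod n that the test inspects, keyed by q."""
    phi = euler_phi(n)
    return {q: pow(g, phi // q, n) for q in prime_factors(phi)}


if __name__ == "__main__":
    print("ord_9(4) =", multiplicative_order(4, 9))                  # 3
    print("11 primitive root mod 71?", is_primitive_root(11, 71))    # True
    print(primitive_root_witnesses(11, 71))                          # {2: 70, 5: 54, 7: 32}
```

`multiplicative_order` still loops over every k up to φ(n) and merely skips non-divisors; generating the divisors from the factorization would be faster, but the loop keeps the correspondence with the text's argument visible.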

An interesting point to make here is that trying to find the prime factorization

of φ(n) is a “hard” problem. In fact, if n is not a prime, even finding φ(n) can be

hard because we would need to know the prime factorization of n. We can recall that

the security of the RSA cipher discussed in Section 2.2 was based on the fact that

factoring large numbers was hard. So unless we know φ(n) and its factorization, this

method is not very practical. We will discuss this issue and how it could be handled

in the next section after we discuss the ElGamal Cipher.

Now that we have discussed these preliminary topics, let us discuss the Discrete

Logarithm Problem.

Discrete Logarithm Problem (DLP): Given a positive integer modulus n and two positive integers s and t with t ≡ s^m (mod n), both reduced modulo n, find m. We call the smallest positive integer m such that t ≡ s^m (mod n) the discrete logarithm base s of t modulo n.

Example: Find the discrete logarithm base 5 of 2 modulo 7. That is, we want to find the smallest positive integer m so that 5^m ≡ 2 (mod 7). With a small amount of trial and error (or from the table of powers of 5 modulo 7 above) we find that 5^4 ≡ 2 (mod 7), so m = 4.
When working in the real numbers, computing logarithms is a very well understood problem. We can use series to compute real-valued logarithms to any desired accuracy, and so for a computer this is considered an "easy" problem. When working in the finite group (Z/pZ)^× for an odd prime p, the Discrete Log Problem (DLP) can be a very difficult problem to solve. In particular, if we choose s = g where g is a primitive root modulo p, then solving the DLP is believed to be extremely difficult, especially as p becomes very large. The intuition behind why this problem is hard is the following. Since g is a primitive root modulo p, by definition every integer a which is relatively prime to p can be expressed as g^k ≡ a (mod p) for exactly one exponent k ∈ [1, φ(p)], where φ(p) = p − 1, and all of the integers 1, …, p − 1 are relatively prime to p. Thus k ↦ g^k (mod p) is a bijection from [1, p − 1] onto [1, p − 1] with no apparent structure, so for a random exponent k ∈ [1, p − 1], g^k is equally likely to be any a ∈ [1, p − 1]. As p becomes very large, the probability of guessing the correct exponent k for which g^k ≡ t (mod p), for a given integer t, is 1/(p − 1), which is extremely small.

To date there are no known "fast" (polynomial-time) algorithms which solve this DLP [1, 8]. The best generic algorithms, such as baby-step giant-step, need on the order of √p operations, and the index-calculus methods specific to (Z/pZ)^× are subexponential but still infeasible once p has several hundred decimal digits, which is why implementations use primes of that size.

Because of this difficulty, cryptographers have developed ciphers which are based

upon the DLP. That is, they have developed systems in which, in order to crack

the system, one would need to be able to solve the DLP. In the next two sections

we will discuss two different cryptographic ciphers which implement the Discrete Log

Problem, and we will explain the mathematical applications that we can find in them.

3.2 Diffie-Hellman Key Exchange

We can recall from Section 1.2 the difference between public-key ciphers and private-

key ciphers. One benefit of private-key ciphers is that they are often much faster computationally than public-key ciphers are. For this reason they are still widely used for communication. A very real issue can arise, however, when trying to use a private-key cipher.

Suppose Bob and Alice want to communicate privately using a symmetric cipher.

To do this they both need to know a shared key which will allow them to encrypt

and decrypt the information that they send to one another. But, they currently do

not have any secure way of communicating (it is possible they have never even met

each other before!), so they cannot just publicly discuss what key to use as it might

be overheard and intercepted by Eve the eavesdropper. They need a way to securely

establish a secret shared key which they can use for their private-key cipher without

Eve (who presumably can read/hear all of their current communication) being able

to find out what the key is.

One way that this problem can be solved is with the Diffie-Hellman Key Exchange. This key exchange was first published by Whitfield Diffie and Martin Hellman in 1976 [1, 8]. The idea is to use public-key techniques, with each party publishing one value and keeping one secret, in order to create a shared key for a private-key cipher. We will explain how this exchange works and then discuss some of the mathematical applications that we can see are used.

Diffie-Hellman Key Exchange: Suppose Bob and Alice wish to establish a

shared secret key for use in a private-key cipher. They can do so using the following

method.

A large prime number p is chosen and a primitive root g modulo p is chosen. Both

numbers p and g can be made public, and so Alice and Bob can share these with each

other through insecure channels.

Once p and g are established, Alice chooses a secret large integer x and Bob chooses a secret large integer y. They can choose these such that 1 ≤ x < p − 1 and 1 ≤ y < p − 1.

Alice computes X ≡ g^x (mod p), choosing the value of X satisfying 0 < X < p, and sends X to Bob. Similarly, Bob computes Y ≡ g^y (mod p), choosing the value of Y satisfying 0 < Y < p, and sends Y to Alice.

Once they have received these messages, each of Alice and Bob can compute a shared private key K. Alice does this by computing K ≡ Y^x (mod p) and Bob does this by computing K ≡ X^y (mod p), and each chooses K such that 0 < K < p. We can see that they have computed the same key K by observing that

Y^x ≡ (g^y)^x ≡ g^{xy} ≡ (g^x)^y ≡ X^y (mod p).

Let us do an example so that we can see how this system works. For our example

we will be using relatively small numbers so that the computations we need to make

do not get out of hand. A true implementation of the Diffie-Hellman Key Exchange

would need to use a very large value of p and would use a computer to carry out all

of the computations.

Example: Bob and Alice agree to use p = 71. They need a primitive root g modulo p = 71. They try g = 11. We have already shown in an example in Section 3.1 that g = 11 is a primitive root modulo p = 71, so we will skip the computation here.

Alice then chooses her secret integer. She picks x = 12, which is in the interval [1, 70). Similarly Bob chooses his secret integer y = 47, which is in [1, 70).

Alice computes

X ≡ g^x ≡ 11^12 ≡ 38 (mod 71).

She chooses X = 38 since 0 < 38 < 71 and sends X = 38 to Bob.

Bob computes

Y ≡ g^y ≡ 11^47 ≡ 33 (m mod 71),

chooses Y = 33 since 0 < 33 < 71, and sends Y = 33 to Alice.

Once Alice receives Bob's message containing Y = 33 she computes

K ≡ Y^x ≡ 33^12 ≡ 15 (mod 71)

and determines K = 15 since 0 < 15 < 71.

Similarly, once Bob receives Alice's X = 38 he computes

K ≡ X^y ≡ 38^47 ≡ 15 (mod 71)

and determines K = 15 since 0 < 15 < 71. Now Bob and Alice have a secret shared key K = 15. (As a check: K ≡ g^{xy} ≡ 11^{12 · 47} ≡ 11^564 ≡ 11^4 (mod 71), since 564 ≡ 4 (mod 70), and 11^4 ≡ 15 (mod 71).) We won't discuss how they can use it specifically, but they now have K as a commonly shared piece of secret information, which they can use as a private key for encryption in a symmetric cipher in order to communicate without Eve being able to decipher what they are saying.
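The exchange above as runnable Python, added here as an example and not taken from the thesis. Both sides are played by one script so that the agreement Y^x ≡ X^y can be checked directly; `secrets` is used for fresh exponents because the security of the exchange depends on x and y being unpredictable. The peer-value range check is an addition a practitioner would want: it is not in the text.

```python
import secrets


def dh_choose_secret(p):
    """A secret exponent drawn uniformly from [1, p-1) with a CSPRNG.

    Exponents only matter modulo p - 1 (see the end of this section), and
    x = 0 would give the public value g^0 = 1, so the range is [1, p-1).
    """
    return 1 + secrets.randbelow(p - 2)


def dh_public_value(p, g, secret):
    """X = g^secret, reduced to its least positive residue modulo p."""
    return pow(g, secret, p)


def dh_shared_key(p, their_public, my_secret):
    """K = (peer's public value)^(my secret) mod p.

    Values outside 1 < value < p are rejected: 0 and 1 would make K
    independent of my secret (K = 0 or 1), which a tampered message
    could exploit, and anything >= p is not a reduced residue at all.
    """
    if not 1 < their_public < p:
        raise ValueError("peer's public value is out of range")
    return pow(their_public, my_secret, p)


def diffie_hellman(p, g, x, y):
    """Run the exchange with Alice's secret x and Bob's secret y.

    Returns (X, Y, K_alice, K_bob). X and Y are what travels over the
    insecure channel (Eve sees p, g, X and Y); each key is computed
    locally, and they agree because Y^x = g^(yx) = g^(xy) = X^y (mod p).
    """
    X = dh_public_value(p, g, x)
    Y = dh_public_value(p, g, y)
    K_alice = dh_shared_key(p, Y, x)
    K_bob = dh_shared_key(p, X, y)
    return X, Y, K_alice, K_bob


if __name__ == "__main__":
    # The worked example: p = 71, g = 11, x = 12, y = 47.
    print(diffie_hellman(71, 11, 12, 47))                                   # (38, 33, 15, 15)
    # Exponents are only meaningful modulo p - 1 = 70, so x = 82 gives the same X.
    print(dh_public_value(71, 11, 82) == dh_public_value(71, 11, 12))      # True
    # A fresh exchange with random secrets still agrees on the key.
    _, _, ka, kb = diffie_hellman(71, 11, dh_choose_secret(71), dh_choose_secret(71))
    print(ka == kb)                                                         # True
```

A real deployment would use a standardized prime of 2048 bits or more and a generator of a large prime-order subgroup; the toy values here are only for tracing the arithmetic by hand.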

Why is the Diffie-Hellman key exchange secure? That is, if Eve is an eavesdropper listening in on Bob and Alice's communications, why is Eve not able to find K for herself? Eve knows p, g, X and Y, since all of these are sent over insecure channels. To compute K she would need g^{xy} (mod p). Eve does not know x or y, however, and the only known way to obtain them is to solve the discrete logarithm problem, for y from Y ≡ g^y (mod p) or for x from X ≡ g^x (mod p). (Strictly speaking, security rests on the assumption that computing g^{xy} from g^x and g^y, the so-called computational Diffie-Hellman problem, is hard; solving the DLP is sufficient for this, and no method that avoids it is known for these groups.) Thus the security of the Diffie-Hellman key exchange is based on the difficulty of computing discrete logarithms in finite groups. In particular the discrete log problem is difficult in the group of units modulo p when p is large and the base of the logarithm, g, is a primitive root modulo p.

Two practical caveats are worth noting. First, the argument above assumes Eve can only read the messages. If she can also modify them, she can replace X and Y with values of her own and establish one key with Alice and another with Bob (a man-in-the-middle), so in practice the exchanged values must be authenticated by some other means. Second, the factorization of p − 1, which Section 3.3 returns to, matters for security: the DLP in (Z/pZ)^× can be reduced to DLPs in the subgroups of prime order q for each prime q dividing p − 1, so p − 1 must have at least one large prime factor.

Let us consider why it is sufficient for Alice and Bob to choose integers x and y which lie in the interval [1, p − 1). In Section 2.1 we looked at the Euler φ-function and Euler's Theorem (Definition 2.1.6 and Theorem 2.1.2). We saw that for a prime p we had φ(p) = p − 1 and that for any integer a relatively prime to a modulus n, a^φ(n) ≡ 1 (mod n). When computing a modular exponentiation, then, it is sufficient to consider the exponent modulo φ(n). This is because for any k ≥ 0 we can write k = qφ(n) + r for integers q and r with 0 ≤ r < φ(n), so that

a^k ≡ a^{qφ(n)+r} ≡ (a^φ(n))^q · a^r ≡ 1^q · a^r ≡ a^r (mod n).

So if, for example, Alice chose x ≥ φ(p) = p − 1, then g^x (mod p) would equal g^{x'} (mod p) for the integer x' in [0, p − 1) with x ≡ x' (mod p − 1); a larger x buys no extra secrecy and only costs computation. Alice further does not want to choose x = 0, since then X ≡ g^0 ≡ 1 (mod p) and Eve would immediately know that the shared key is K ≡ Y^0 ≡ 1; the value x = p − 1 is excluded for the same reason, since g^{p−1} ≡ 1 as well. So she should choose x in [1, p − 1), and Bob should choose y similarly, which also minimizes the time it takes them to compute X and Y.

In this key exchange, Bob and Alice have to compute several modular exponentiations. To do this efficiently they should use a method such as successive squaring. Examples of how this is done can be seen in the example of the RSA Cipher in Section 2.2 and in the example of the ElGamal Cipher in the section below.
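The following added example (not from the thesis) shows what Eve can actually do with the public values of the exchange above when p is as small as 71, and also serves as an implementation of the DLP defined in Section 3.1. She solves the DLP with baby-step giant-step, a generic algorithm that needs only about √(p − 1) multiplications and a table of the same size, then computes K exactly as Alice would. For p = 71 this is instant; the same code is hopeless for a 2048-bit p, and that gap is the whole security argument. `pow(s, -n, p)` for the modular inverse needs Python 3.8 or later.

```python
from math import isqrt


def dlog_brute_force(s, t, p):
    """Smallest m >= 1 with s^m = t (mod p), trying each exponent in turn.

    Time is proportional to ord_p(s), i.e. up to p - 1 multiplications.
    """
    value = 1
    for m in range(1, p):
        value = value * s % p
        if value == t % p:
            return m
    return None


def dlog_bsgs(s, t, p, order=None):
    """Baby-step giant-step (Shanks) for s^m = t (mod p).

    Let n = floor(sqrt(order)) + 1. Baby steps tabulate s^j for 0 <= j < n;
    giant steps multiply t by s^(-n) repeatedly, and a collision
    t * s^(-i*n) = s^j gives m = i*n + j. Each loop runs at most n times,
    so the cost is O(sqrt(order)) time and memory instead of O(order).
    Returns the least non-negative exponent (0 when t = 1). `order`
    defaults to p - 1, the group order for prime p.
    """
    if order is None:
        order = p - 1
    n = isqrt(order) + 1
    baby = {}
    value = 1
    for j in range(n):
        baby.setdefault(value, j)      # keep the smallest j for each residue
        value = value * s % p
    giant_stride = pow(s, -n, p)       # s^(-n) mod p
    gamma = t % p
    for i in range(n):
        if gamma in baby:
            return i * n + baby[gamma]
        gamma = gamma * giant_stride % p
    return None


def eve_recovers_key(p, g, X, Y):
    """Eve's attack on the exchange: recover Alice's x from X = g^x, then
    compute K = Y^x exactly as Alice does. Feasible only while the DLP is."""
    x = dlog_bsgs(g, X, p)
    return x, pow(Y, x, p)


if __name__ == "__main__":
    print(dlog_bsgs(5, 2, 7))               # 4, the example of Section 3.1
    print(eve_recovers_key(71, 11, 38, 33))  # (12, 15): Eve gets the key
```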

3.3 ElGamal Cipher

The ElGamal Cipher is another example of a public-key cipher; it was developed by Taher ElGamal in 1985 [1, 8]. It allows a person, say Bob, to publicly publish an encryption key which another person, such as Alice, can use to encode a secret message to send to Bob, and only he will have the ability to decode the message. The security of ElGamal, like that of Diffie-Hellman, is based on the difficulty of solving the discrete log problem in the multiplicative group (Z/pZ)^×. Let us now look at how the ElGamal Cipher works, after which we will work through an example which will give us some good practice applying the number theory concepts we have learned. Then we will discuss some interesting complications which can arise in the implementation of both the ElGamal Cipher and the Diffie-Hellman Key Exchange.

ElGamal Cipher: Bob wishes to establish a public key so that people may send him encrypted messages which only he can decrypt. To do this, Bob chooses a large prime p and finds a primitive root g modulo p. He then chooses a secret integer d in the interval [1, p − 1). This value d will serve as his decryption key later. Bob then computes x ≡ g^d (mod p), choosing x satisfying 0 < x < p, and publishes (p, g, x) as his public encryption key. (Note that p and g are public; only d is secret.)

Alice wants to send a secret message m to Bob. If m ≥ p then she will break m up into smaller blocks, each of which is less than p, and encrypt them individually. For now we will assume 0 < m < p. First Alice chooses her own secret random integer r in [1, p − 1) and computes k ≡ g^r (mod p), choosing k satisfying 0 < k < p. Next she computes c ≡ x^r m (mod p), choosing c satisfying 0 < c < p. Alice sends the pair (k, c) to Bob. (Note that k is sometimes referred to as a "header" for the message, and it serves as a key for Bob to decrypt Alice's ciphertext c.) The integer r must be chosen fresh for every message: if two messages m_1 and m_2 were encrypted with the same r, the two ciphertexts would share the factor x^r, so c_1 c_2^{-1} ≡ m_1 m_2^{-1} (mod p), and anyone who learned one plaintext could compute the other.

Once Bob receives Alice's pair (k, c) he first computes k^d ≡ (g^r)^d ≡ (g^d)^r ≡ x^r (mod p). Then he finds the multiplicative inverse (x^r)^{-1} of x^r modulo p. Finally, he can decrypt Alice's message by computing the product (x^r)^{-1} · c ≡ m (mod p) and choosing m satisfying 0 < m < p.

This final decryption step works because we see:

(x^r)^{-1} · c ≡ (x^r)^{-1} · (x^r m) ≡ (x^r)^{-1} · x^r · m ≡ 1 · m ≡ m (mod p).

Example: Bob chooses the prime p = 1549 and g = 19 as a primitive root modulo p. Let us check that g = 19 is in fact a primitive root modulo p = 1549 using the method described in Section 3.1. We see φ(1549) = 1548 and have 1548 = 2^2 · 3^2 · 43. Now check:

19^{1548/2} = 19^774 ≡ 1548 ≢ 1 (mod 1549),
19^{1548/3} = 19^516 ≡ 1273 ≢ 1 (mod 1549),
19^{1548/43} = 19^36 ≡ 425 ≢ 1 (mod 1549).

So none of the proper divisors of φ(p) is the order of 19 modulo 1549, so 19 must satisfy ord_1549(19) = 1548 = φ(1549) and be a primitive root. Now Bob chooses a secret integer d in the interval [1, 1548). He chooses d = 23. Next he computes

x ≡ g^d (mod p).

An efficient way to compute a modular exponentiation is by a process known as successive squaring. This process is outlined in the computation below. Notice that at each step we reduce modulo 1549, so that the numbers we work with all stay relatively small. For more description of successive squaring, see the example of the RSA cipher in Section 2.2.

x ≡ 19^23 ≡ 19^{16+4+2+1} ≡ 19^{2^4 + 2^2 + 2 + 1} ≡ (((19^2)^2)^2)^2 · (19^2)^2 · 19^2 · 19
  ≡ (((361)^2)^2)^2 · (361)^2 · (361)(19) ≡ ((205)^2)^2 · (205)(361)(19)
  ≡ (202)^2 (205)(361)(19) ≡ (530)(205)(361)(19)
  ≡ (220)(361)(19) ≡ (421)(19) ≡ 254 (mod 1549).

Since 0 < 254 < 1549 Bob chooses x = 254. Now Bob can publish his public-key

(p, g, x) = (1549, 19, 254).
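Successive squaring as executable code, added here as an example rather than taken from the thesis. `square_and_multiply` is the standard right-to-left binary method that Section 2.2 and this section describe, and `square_and_multiply_trace` records which powers 19^(2^i) (mod 1549) get multiplied together, so its output can be compared line by line with the hand computation of 19^23 above.

```python
def square_and_multiply(base, exponent, modulus):
    """base^exponent mod modulus by successive squaring.

    Scan the bits of the exponent from least significant upward, keeping
    a running power base^(2^i) that is squared each step, and multiply it
    into the result when bit i is set. Every product is reduced modulo
    `modulus` immediately, so intermediate values stay below modulus^2.
    """
    if modulus == 1:
        return 0
    result = 1
    power = base % modulus          # base^(2^i) at step i
    while exponent > 0:
        if exponent & 1:
            result = result * power % modulus
        power = power * power % modulus
        exponent >>= 1
    return result


def square_and_multiply_trace(base, exponent, modulus):
    """Same algorithm, but return the list of (2^i, base^(2^i) mod modulus)
    pairs whose product is the answer, i.e. the factors written out in the
    worked computation. For 19^23 mod 1549 this is
    [(1, 19), (2, 361), (4, 205), (16, 530)], since 23 = 16 + 4 + 2 + 1."""
    steps = []
    power = base % modulus
    i = 0
    while exponent > 0:
        if exponent & 1:
            steps.append((1 << i, power))
        power = power * power % modulus
        exponent >>= 1
        i += 1
    return steps


if __name__ == "__main__":
    print(square_and_multiply_trace(19, 23, 1549))   # [(1, 19), (2, 361), (4, 205), (16, 530)]
    print(square_and_multiply(19, 23, 1549))         # 254
```

Python's built-in `pow(base, exponent, modulus)` does the same thing in C. One caveat for real keys: the `if exponent & 1` branch makes the running time depend on the bits of the secret exponent, which is a timing side channel; cryptographic libraries therefore use constant-time variants (for example a Montgomery ladder) rather than this textbook loop.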

Alice wants to send the secret message "OK" to Bob. First she has to convert her message into an integer. One way she could do this is with a simple substitution A → 01, B → 02, etc. So she uses O → 15, K → 11 and obtains m = 1511, which is less than p = 1549, so she does not need to break up her message. Next she chooses her own secret integer r in the interval [1, 1548). She chooses r = 5. She then computes

k ≡ g^r (mod p),
k ≡ 19^5 ≡ 797 (mod 1549).

Since 0 < 797 < 1549 she chooses k = 797. Next she computes

c ≡ x^r m (mod p),
c ≡ (254)^5 (1511) ≡ (726)(1511) ≡ 294 (mod 1549).

She chooses c = 294 since 0 < 294 < 1549. She then sends her message with its header, (k, c) = (797, 294), to Bob.

Once Bob receives Alice’s encrypted message he first computes k d (mod p) be-

cause k d ≡ (g r )d ≡ (g d )r ≡ xr (mod p).

k d ≡ (797)23 ≡ 726 (mod 1549).

So Bob has found the same xr = 726 that Alice found. Next Bob will find the multi-

plicative inverse of 726 modulo 1549. To do this he can use the Euclidean Algorithm

and then work backwards. This process is described in Section 2.1, following Defini-

tion 2.1.5. The computation for computing the multiplicative inverse of 726 modulo

1549 can be found in the second example after Definition 2.1.5. Using this computa-

tion, Bob concludes that the inverse of xr = 726 modulo p = 1549 is (xr )−1 = 1022.

To finish his decryption he then computes:

(xr )−1 · c ≡ (1022)(294) ≡ 1511 (mod 1549).

He determines Alice’s message was m = 1511 since 0 < 1511 < 1549. So Bob was

indeed able to receive and decrypt Alice’s message of “OK”.
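An added, runnable version of the cipher (example code, not from the thesis). Key generation, encryption and decryption follow the steps above exactly; the inverse is computed with the extended Euclidean algorithm of Section 2.1; and `encode_text`/`decode_text` implement the A → 01, B → 02 substitution used for "OK". `recover_second_message_if_r_reused` is included to show why the random r must be fresh for every message: two ciphertexts made with the same r share the factor x^r, so one known plaintext reveals the other. The helper names are this example's own.

```python
import secrets


def extended_gcd(a, b):
    """Return (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    old_r, r = a, b
    old_u, u = 1, 0
    old_v, v = 0, 1
    while r != 0:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_u, u = u, old_u - q * u
        old_v, v = v, old_v - q * v
    return old_r, old_u, old_v


def mod_inverse(a, p):
    """a^-1 mod p via the extended Euclidean algorithm (Section 2.1)."""
    g, u, _ = extended_gcd(a % p, p)
    if g != 1:
        raise ValueError("no inverse: gcd(a, p) != 1")
    return u % p


def elgamal_keygen(p, g, d=None):
    """Bob's key: public (p, g, x) with x = g^d mod p; d is the secret."""
    if d is None:
        d = 1 + secrets.randbelow(p - 2)       # d in [1, p-1)
    return (p, g, pow(g, d, p)), d


def elgamal_encrypt(public_key, m, r=None):
    """Alice encrypts one block 0 < m < p as (k, c) = (g^r, x^r * m) mod p."""
    p, g, x = public_key
    if not 0 < m < p:
        raise ValueError("message block must satisfy 0 < m < p")
    if r is None:
        r = 1 + secrets.randbelow(p - 2)       # fresh random r for every message
    return pow(g, r, p), pow(x, r, p) * m % p


def elgamal_decrypt(public_key, d, ciphertext):
    """Bob computes k^d = (g^r)^d = x^r, then m = (x^r)^-1 * c mod p."""
    p, _, _ = public_key
    k, c = ciphertext
    x_r = pow(k, d, p)
    return mod_inverse(x_r, p) * c % p


def recover_second_message_if_r_reused(p, c1, m1, c2):
    """If m1 and m2 were encrypted under the same r, then
    c1 * c2^-1 = (x^r m1)(x^r m2)^-1 = m1 * m2^-1 (mod p), so an
    eavesdropper who learns m1 obtains m2 = c2 * m1 * c1^-1 (mod p)."""
    return c2 * m1 % p * mod_inverse(c1, p) % p


def encode_text(text):
    """'OK' -> 1511 using A -> 01, B -> 02, ..., Z -> 26."""
    return int("".join(f"{ord(ch) - ord('A') + 1:02d}" for ch in text.upper()))


def decode_text(n):
    """Inverse of encode_text: 1511 -> 'OK'."""
    digits = str(n)
    if len(digits) % 2:
        digits = "0" + digits
    return "".join(chr(int(digits[i:i + 2]) + ord('A') - 1)
                   for i in range(0, len(digits), 2))


if __name__ == "__main__":
    public, d = elgamal_keygen(1549, 19, d=23)          # (1549, 19, 254)
    ciphertext = elgamal_encrypt(public, encode_text("OK"), r=5)
    print(public, ciphertext)                           # (797, 294)
    print(decode_text(elgamal_decrypt(public, d, ciphertext)))   # OK
```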

When the Diffie-Hellman key exchange and ElGamal cipher are implemented, a problem arises with the way in which we have been verifying primitive roots. To determine whether g is a primitive root modulo p we have been checking g^{(p−1)/q} ≢ 1 (mod p) for all prime divisors q of p − 1 = φ(p). This requires that we know the prime factorization of p − 1. We have purposefully chosen p to be large, which means that p − 1 will be large. This is an issue, because finding the prime factorization of a large number is a difficult problem; in fact, it is the difficulty of this problem that provided the security of the RSA cipher. So we cannot expect to do this type of computation easily or quickly for an arbitrary large prime p.

How then can we determine a pair p and g so that p is prime and g is a primitive root modulo p? One way this can be done [4] is to reverse the order of the steps: first choose a product of primes q_1^{a_1} q_2^{a_2} ⋯ q_k^{a_k}, set p − 1 = q_1^{a_1} q_2^{a_2} ⋯ q_k^{a_k}, and then check whether (p − 1) + 1 = p is a prime number. If p is not prime, the factorization of p − 1 is altered and the new resulting p is checked for primality. Once we find a p which is prime, we have by construction the prime factorization of φ(p) = p − 1, so we can choose a g and check whether it is a primitive root modulo p by the process described in Section 3.1. By suitable choices for p − 1 we can find a prime p in a reasonable amount of time. The choice should not, however, make p − 1 a product of only small primes: the Pohlig-Hellman algorithm reduces the discrete logarithm modulo p to discrete logarithms in subgroups of order q for each prime q dividing p − 1, so if every such q is small the DLP is easy no matter how large p is. A common choice in practice is therefore p = 2q + 1 with q itself a large prime (a so-called safe prime), which gives p − 1 = 2q the simplest possible known factorization together with a large prime factor.

It may also seem surprising that checking whether p is prime is an easier problem than finding a prime factorization. Primes satisfy many special properties, and these properties can be used to create clever algorithms which check for primality (or, more precisely, certify compositeness). For example the Rabin-Miller Strong Pseudoprime Test uses a refinement of Fermat's Little Theorem to test probabilistically whether a number is prime [10]: a composite number passes a single round of the test for at most one quarter of the possible bases, so after a few dozen independent rounds the chance of mistaking a composite for a prime is negligible. This algorithm runs in "polynomial time" (in the number of digits of p), which simply means it is considered to be "fast" in a computational sense. So checking for primality can be done without attempting to factor the number, and it is indeed a much easier problem than prime factorization.
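An added example (not the thesis's code) of the two pieces this passage describes: the Rabin-Miller test, and the construction of a prime p whose p − 1 has a known factorization so that the primitive-root test of Section 3.1 can be run on it. `prime_with_known_factorization` is the procedure from [4] as described above; `safe_prime` is the common special case p = 2q + 1 with q prime, which guarantees the large prime factor of p − 1. The bit sizes in the demo are toy values, and all function names are this example's own.

```python
import secrets


def miller_rabin(n, rounds=40):
    """Rabin-Miller strong pseudoprime test (probabilistic).

    Write n - 1 = 2^s * d with d odd. If n is prime then for every base a
    either a^d = 1 or a^(2^i d) = -1 (mod n) for some 0 <= i < s; this
    sharpens Fermat's little theorem because 1 has only the square roots
    +1 and -1 modulo a prime. A composite n satisfies the condition for at
    most 1/4 of the bases, so `rounds` random bases that all pass bound the
    error probability by 4^-rounds. Primes are never rejected.
    """
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)        # a in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                        # a witnesses compositeness
    return True


def prime_with_known_factorization(factors):
    """Given [(q1, a1), (q2, a2), ...], form p - 1 = prod q_i^a_i and return
    p if it is prime, else None (the caller then alters the factorization
    and tries again, as the text describes)."""
    p = 1
    for q, a in factors:
        p *= q ** a
    p += 1
    return p if miller_rabin(p) else None


def random_prime(bits):
    """A random prime with exactly `bits` bits (top bit set, odd)."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if miller_rabin(candidate):
            return candidate


def safe_prime(bits):
    """A prime p = 2q + 1 with q prime, returned with the factorization of
    p - 1. The large prime factor q is what keeps the DLP mod p hard; if
    all prime factors of p - 1 were small, Pohlig-Hellman would solve it."""
    while True:
        q = random_prime(bits - 1)
        p = 2 * q + 1
        if miller_rabin(p):
            return p, [(2, 1), (q, 1)]


def find_generator(p, factors):
    """Smallest g >= 2 that is a primitive root mod p, by the test of
    Section 3.1 with the known prime factors of p - 1."""
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q, _ in factors):
            return g
    raise ValueError("no primitive root found; is p prime?")


if __name__ == "__main__":
    print(prime_with_known_factorization([(2, 2), (3, 2), (43, 1)]))   # 1549
    p, factors = safe_prime(32)
    print(p, factors, find_generator(p, factors))
```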

CHAPTER 4

ELLIPTIC CURVE CRYPTOGRAPHY

In the previous chapters we have been looking at several cryptographic ciphers which

were based on the multiplicative group (Z/nZ)× , that is, the multiplicative group of

units modulo n. Several cryptographic ciphers, such as Diffie-Hellman and ElGamal,

can be generalized to be used with other groups. A different group which has become

popular for use in cryptography is the additive group defined by the rational points of

an elliptic curve over a finite field. We will explain further what this group is and how

the group addition works in a moment. For now we will note that for the sake of this

paper, we will not be delving into the study of elliptic curves with any real amount

of depth. We will simply be introducing the group which they can generate, and

observing how this new group can be applied to the area of cryptography. The key

thing to remember is that an elliptic curve over a finite field generates an additive,

finite, abelian group in which we can define the discrete logarithm problem. As

additional resources, readers can reference [6] or [9].

4.1 Elliptic Curves

An elliptic curve E is a curve given by an equation of the form

E : y^2 = x^3 + Ax + B

such that the discriminant of the curve is nonzero; that is, we need the curve to be nonsingular. For E as written above this condition is 4A^3 + 27B^2 ≠ 0. (The discriminant of E is usually defined as −16(4A^3 + 27B^2); the constant factor is nonzero away from characteristic 2, so only the quantity 4A^3 + 27B^2 matters here, and we will write ∆ = 4A^3 + 27B^2 for it.)

An elliptic curve is usually considered over a field. This means that for the curve E we have A, B, x and y belonging to some field F, and the discriminant ∆ = 4A^3 + 27B^2 is nonzero as an element of F. This field could be, for example, R, Q, C, or F_q, the finite field with q elements, where q = p^k for some prime p and positive integer k.

We will run into problems with the discriminant of the curve E given above if our field has characteristic 2 or 3. If we are working with such a field then we can use the more general form of a curve given by

E' : y^2 + c_1 xy + c_2 y = x^3 + c_3 x^2 + c_4 x + c_5.

When our field F is not of characteristic 2 or 3, this curve E' can be "normalized" by a change of variables to be written in the form given by E. An elliptic curve in the form of E is often referred to as a curve in Weierstrass normal form. We will continue to use and refer to elliptic curves given by E, in Weierstrass normal form, but be aware that the generalized form E' could be used.

Elliptic curves over finite fields are very useful in applications to cryptography. In general any finite field F_q could be used. For the examples in this paper we will usually choose to work in F_p, where p is an odd prime. This is because the field structure for a general q can be rather difficult to work with, whereas the structure of the field F_p simply requires us to work modulo p, which simplifies our explanations and examples nicely.

Once we have a curve E over a field, we can form an additive group from the set of points on the curve. A point on an elliptic curve over a field is defined to be a point (x, y) which is a solution to the equation given by E (denoted by (x, y) ∈ E) and such that both x and y are elements of the field. There will additionally be a point O, the point "at infinity", which lies on every curve. The derivation of this point O comes from projective geometry, and we will skip it in this paper as it veers too far from our desired discussions. Thus we can define the set of points on the curve E over the field F by

E(F) = {O} ∪ {(x, y) ∈ E | x, y ∈ F}.

Such points are often referred to as the rational points of the curve. We will discuss how a group law is defined for such a set in a moment, but first let us give an example of finding rational points on an elliptic curve over a finite field.


Example: Let us consider the elliptic curve Ẽ : y^2 = x^3 + x + 1 over the finite field F_5. We wish to find all of the rational points of the curve. We know that we will have Ẽ(F_5) = {O} ∪ {(x, y) ∈ Ẽ | x, y ∈ F_5}. So to find all such points (x, y) we can plug each element of F_5 in for x and determine which values yield a square in F_5. Before we do that, let's find what the squares in F_5 are. Recalling that we are working modulo 5, we have:

0^2 = 0, 1^2 = 1, 2^2 = 4, 3^2 = 4, and 4^2 = 1.

So the squares in F_5 are 0, 1, and 4. Now plug x = 0, 1, 2, 3, 4 into the right hand side of Ẽ and see if the result is a square. (Remember, for all of our computations in F_5 we work modulo 5.)

0^3 + 0 + 1 = 1                 (1 = 1^2 or 4^2)
1^3 + 1 + 1 = 3                 not a square
2^3 + 2 + 1 = 3 + 2 + 1 = 1     (1 = 1^2 or 4^2)
3^3 + 3 + 1 = 2 + 3 + 1 = 1     (1 = 1^2 or 4^2)
4^3 + 4 + 1 = 4 + 4 + 1 = 4     (4 = 2^2 or 3^2)

Thus we have Ẽ(F_5) = {O, (0, 1), (0, 4), (2, 1), (2, 4), (3, 1), (3, 4), (4, 2), (4, 3)}.
An additive group operation can be defined on E(F). The addition law is found through a geometric construction involving drawing lines through rational points. For our needs, however, let us just look at a specific case. We give the resulting formulas for E(F_q), where E is the curve y^2 = x^3 + Ax + B and F_q is the finite field with q elements, q = p^k for an odd prime p and positive integer k [5].

Addition Law for E(F_q):

To add two points P_1 = (x_1, y_1) and P_2 = (x_2, y_2) in E(F_q) there are several main cases:

• First case:
  – If P_1 = O then P_1 + P_2 = O + P_2 = P_2. (Similarly if P_2 = O.)

• For the rest of the cases, assume that neither P_1 nor P_2 is equal to O.
  – If P_1 ≠ P_2 and x_1 = x_2 then P_1 + P_2 = O.
  – Also, if P_1 = P_2 and y_1 = y_2 = 0 then P_1 + P_2 = 2P_1 = O.

• For the next two cases we define a λ and a ν which are then used to compute P_1 + P_2.
  – If P_1 ≠ P_2 and x_1 ≠ x_2 then let
    λ = (y_2 − y_1)(x_2 − x_1)^{-1} and ν = (y_1 x_2 − y_2 x_1)(x_2 − x_1)^{-1}.
  – If P_1 = P_2 and y_1 ≠ 0 then let
    λ = (3x_1^2 + A)(2y_1)^{-1} and ν = (−x_1^3 + Ax_1 + 2B)(2y_1)^{-1}.
  – Then, for both of these cases, we have
    P_1 + P_2 = (λ^2 − x_1 − x_2, −λ^3 + λ(x_1 + x_2) − ν).

(In both cases λ is the slope and ν = y_1 − λx_1 the y-intercept of the line through P_1 and P_2, or of the tangent line at P_1 when P_1 = P_2, and the second coordinate of the sum can equally be written as −λx_3 − ν, where x_3 = λ^2 − x_1 − x_2.)
In all of the above calculations it is important to remember that the values we are working with are all to be considered as elements of the finite field F_q. If we have q = p for an odd prime p, then in all of the computations we can continually reduce modulo p, and the value of n^{-1} is the multiplicative inverse of n modulo p.

Another important note to make is that the calculations above are specific to

the curve E : y 2 = x3 + Ax + B. There is a general process through which these

calculations were derived which could be used to calculate an explicit addition rule

for other elliptic curves. We will skip the discussion of this process since we do not

need to know it to understand the cryptographic applications which we are interested

in discussing. An interested reader can learn more about this process from [6].

It can be shown that the set E(F_q) under this addition is a finite abelian group. Its identity element is O, and the additive inverse of the point P = (x, y) is −P = (x, −y), where −y is the additive inverse of y in F_q. For the specific case described above, in which we gave instructions on how to add two points in E(F_q), it is a fairly simple exercise to show these two facts as well as to show that the addition described is commutative. It is not as easy to show that the addition is associative, which is necessary for a group, but with a bit of work and a lot of cases it can be proved that it is.

Let us take a look at an example of how to add points on an elliptic curve over a finite field.

Example: Recall that for the elliptic curve Ẽ : y^2 = x^3 + x + 1 over the finite field F_5 we found Ẽ(F_5) = {O, (0, 1), (0, 4), (2, 1), (2, 4), (3, 1), (3, 4), (4, 2), (4, 3)}. Let's practice adding some of these points using the rules described above. (Remember that because we are working in F_5, our numerical computations are all made modulo 5; in particular 2^{-1} = 3 and 4^{-1} = 4, since 2 · 3 = 6 ≡ 1 and 4 · 4 = 16 ≡ 1.)

• Add O to O: O + O = O.

• Add O to (0, 4): O + (0, 4) = (0, 4).

• Add (3, 1) to (3, 4): The points are not equal, but the x coordinates are, so these points are inverses of one another and we have (3, 1) + (3, 4) = O.

• Add (0, 1) to (2, 4): We have (0, 1) ≠ (2, 4) and 0 ≠ 2, so let
  λ = (4 − 1)(2 − 0)^{-1} = (3)(2)^{-1} = (3)(3) = 9 ≡ 4
  and ν = (1 · 2 − 4 · 0)(2 − 0)^{-1} = (2)(3) = 6 ≡ 1.
  Then (0, 1) + (2, 4) = (4^2 − 0 − 2, −4^3 + 4(0 + 2) − 1) = (14, −57) ≡ (4, 3).

• Add (0, 1) to (4, 2): We have (0, 1) ≠ (4, 2) and 0 ≠ 4, so let
  λ = (2 − 1)(4 − 0)^{-1} = (1)(4)^{-1} = (1)(4) = 4
  and ν = (1 · 4 − 2 · 0)(4 − 0)^{-1} = (4)(4) = 16 ≡ 1.
  Then (0, 1) + (4, 2) = (4^2 − 0 − 4, −4^3 + 4(0 + 4) − 1) = (12, −49) ≡ (2, 1).

• Add (0, 1) to (0, 1): Since the two points are equal and y ≠ 0, let
  λ = (3 · 0^2 + 1)(2 · 1)^{-1} = (1)(3) = 3
  and ν = (−0^3 + 1 · 0 + 2 · 1)(2 · 1)^{-1} = (2)(3) = 6 ≡ 1.
  Then (0, 1) + (0, 1) = 2(0, 1) = (3^2 − 0 − 0, −3^3 + 3(0 + 0) − 1) = (9, −28) ≡ (4, 2).

When considering an elliptic curve over a finite field, we can also define the discrete

logarithm problem for the group E(Fq ).

Elliptic Curve Discrete Logarithm Problem (ECDLP): Given two points

S and T = mS in E(Fq ), find m. We call the smallest positive integer m such that

T = mS in E(Fq ) the discrete logarithm base S of T in E(Fq ).
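An added example implementing the addition law above and the ECDLP in Python (example code, not from the thesis; it assumes p is an odd prime and the curve is in Weierstrass normal form, and needs Python 3.8 or later for `pow(a, -1, p)`). `points` enumerates E(F_p) the way the F_5 example did, `mul` computes mP by repeated doubling (the additive counterpart of successive squaring), and `dlog` solves the ECDLP by exhaustive search, which is only feasible on toy curves like this one. The point at infinity is represented by `None`.

```python
O = None   # the point at infinity, the identity of E(F_p)


class Curve:
    """E: y^2 = x^3 + A x + B over F_p, p an odd prime, 4A^3 + 27B^2 != 0."""

    def __init__(self, A, B, p):
        if p < 3 or p % 2 == 0 or (4 * A ** 3 + 27 * B ** 2) % p == 0:
            raise ValueError("need an odd prime p and a nonsingular curve")
        self.A, self.B, self.p = A % p, B % p, p

    def contains(self, P):
        """True if P is O or an (x, y) in F_p x F_p solving the equation."""
        if P is O:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.A * x + self.B)) % self.p == 0

    def neg(self, P):
        """-P = (x, -y); -O = O."""
        if P is O:
            return O
        x, y = P
        return (x, (-y) % self.p)

    def add(self, P1, P2):
        """The addition law of Section 4.1, case by case."""
        p, A, B = self.p, self.A, self.B
        if P1 is O:
            return P2
        if P2 is O:
            return P1
        x1, y1 = P1
        x2, y2 = P2
        if P1 != P2 and x1 == x2:
            return O                        # vertical chord: P2 = -P1
        if P1 == P2 and y1 == 0:
            return O                        # vertical tangent: 2P1 = O
        if P1 != P2:
            inv = pow((x2 - x1) % p, -1, p)
            lam = (y2 - y1) * inv % p
            nu = (y1 * x2 - y2 * x1) * inv % p
        else:
            inv = pow(2 * y1 % p, -1, p)
            lam = (3 * x1 * x1 + A) * inv % p
            nu = (-x1 ** 3 + A * x1 + 2 * B) * inv % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (-lam ** 3 + lam * (x1 + x2) - nu) % p
        return (x3, y3)

    def mul(self, m, P):
        """mP by double-and-add, the additive form of successive squaring."""
        result, addend = O, P
        while m > 0:
            if m & 1:
                result = self.add(result, addend)
            addend = self.add(addend, addend)
            m >>= 1
        return result

    def points(self):
        """All of E(F_p): for each x, every y in F_p with y^2 = x^3 + Ax + B."""
        roots = {}
        for y in range(self.p):
            roots.setdefault(y * y % self.p, []).append(y)
        pts = [O]
        for x in range(self.p):
            rhs = (x ** 3 + self.A * x + self.B) % self.p
            pts.extend((x, y) for y in roots.get(rhs, []))
        return pts

    def dlog(self, S, T):
        """ECDLP by exhaustive search: the smallest m >= 1 with mS = T, or
        None. Cost grows with the order of S, so this is for toy curves
        only; on a well-chosen curve no feasible method is known."""
        bound = len(self.points())          # ord(S) divides #E(F_p)
        Q = S
        for m in range(1, bound + 1):
            if Q == T:
                return m
            Q = self.add(Q, S)
        return None


if __name__ == "__main__":
    E = Curve(1, 1, 5)                      # the curve of the examples above
    print(E.points())                       # the nine points found by hand
    print(E.add((0, 1), (2, 4)), E.mul(2, (0, 1)))   # (4, 3) (4, 2)
    print(E.dlog((0, 1), (3, 4)))           # 4: (0, 1) generates all nine points
```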


Recall that in (Z/nZ)× , the discrete logarithm was described through exponentia-

tion, whereas now for E(Fq ) it is described through multiplication by an integer. This

is because for (Z/nZ)× the operation being performed is multiplicative, whereas for

E(Fq ) it is additive. For a multiplicative group, repeated operations are expressed via

exponentiation. For example x · x · x = x^3. But for an additive group, repeated operations are expressed through multiplication by an integer. For example x + x + x = 3x.

So the representation of the discrete logarithm is altered slightly in this new context

to account for this difference.

In order to use elliptic curves in cryptography we again make use of the difficulty of the discrete logarithm problem, as was done in Chapter 3. For this to succeed, the implementation must use elliptic curves over finite fields which give a group in which the ECDLP is actually hard. For certain "bad" curves the ECDLP is easy to solve, which would compromise the security of the cipher. An example of this would be a curve for which the group E(F_p) has exactly p elements (a so-called anomalous curve). In this case there is an efficiently computable homomorphism from E(F_p) to the additive group Z/pZ (the integers modulo p under addition), and solving the discrete log problem in Z/pZ is easy: finding m with mS = T there is just the division m ≡ T · S^{-1} (mod p), which we know how to do via multiplicative inverses modulo p [5]. So such a curve would not be a good choice for a cryptographic cipher.

For most elliptic curves, however, the fastest known algorithms for solving the ECDLP are extremely slow, and for large enough values of q in E(F_q) running such algorithms would be infeasible [5]. There has been a lot of study as to which curves are best to use, and these curves are used when the ciphers we will discuss are actually implemented.

A benefit of using elliptic curves in cryptography is that these ciphers can use smaller key sizes and message sizes while still offering the same level of security as ciphers using (Z/pZ)×. This can cause them to run faster and be more efficient.

4.2 Diffie-Hellman Key Exchange for Elliptic Curves

In Section 3.2 we learned about the Diffie-Hellman Key Exchange for the multiplicative group (Z/nZ)×. The same algorithm can be redefined to instead use the additive group E(F_q) [9]. The implementation of these two versions will look very different because working in E(F_q) is very different than working in (Z/nZ)×. However, if we compare the algorithms for the two versions, we will discover that they have the exact same structure. The differences which we can see are only a result of the differences in the way in which repeated operations are expressed and computed in the two different groups.

Diffie-Hellman Key Exchange for Elliptic Curves: Suppose Bob and Alice wish to establish a shared secret key for use in a private-key cipher. They can do so using the following method.

Alice and Bob choose an elliptic curve E over a finite field F_q. Next they choose a rational point on the curve, P, so that P has a large order in the group of rational points, E(F_q). E, F_q and P can be sent through insecure channels.

Once these have been chosen, Alice will choose a secret integer w and compute W = wP as a point in E(F_q), and then send W to Bob. Similarly Bob will choose a secret integer z and then compute Z = zP as a point in E(F_q), sending Z to Alice.

Bob and Alice can then compute their shared key as follows. Alice computes K = wZ and Bob computes K = zW as points in E(F_q). They can then use some agreed upon number derived from this point, such as the value of the x coordinate, as their shared key. They will be sure to obtain the same point K because we have:

wZ = w(zP) = wzP = zwP = z(wP) = zW.

Example: Bob and Alice decide to use the curve Ẽ : y² = x³ + x + 1 over the finite field F_5. They also choose to use the point P = (0, 1). Recall that in our examples in Section 4.1, we found

Ẽ(F_5) = {O, (0, 1), (0, 4), (2, 1), (2, 4), (3, 1), (3, 4), (4, 2), (4, 3)}.

We also found in our previous examples in Section 4.1 that in this group, 2(0, 1) = (4, 2) and that 3(0, 1) = (0, 1) + (4, 2) = (2, 1). If we continued to compute these additions we would find that the point P = (0, 1) is a generator of the group Ẽ(F_5) because we have:

P = (0, 1)    2P = (4, 2)    3P = (2, 1)
4P = (3, 4)    5P = (3, 1)    6P = (2, 4)
7P = (4, 3)    8P = (0, 4)    9P = O.

So P = (0, 1) has order 9 in the group Ẽ(F_5).

The information Ẽ, F_q and P can be sent back and forth between Alice and Bob using insecure channels. To send this they could just send certain key information in a pattern which would be understood. For example Alice could send Bob the combination (q, A, B, x, y) = (5, 1, 1, 0, 1) and he would then know that they are using F_q = F_5 as their finite field with the curve Ẽ : y² = x³ + Ax + B = x³ + x + 1 and the point P = (x, y) = (0, 1).

Alice now chooses her secret integer w and computes W = wP. She chooses w = 2 and so W = 2P = (4, 2) (we know this based on the table we gave above). She sends this point W = (4, 2) to Bob.

Similarly, Bob chooses his secret integer z and computes Z = zP. Bob chooses z = 6 and computes Z = 6P = (2, 4), sending this point Z to Alice.

When Alice receives Bob’s Z she computes K = wZ = 2(2, 4). Similarly, once Bob received Alice’s W he would compute K = zW = 6(4, 2). They would do this using the addition rules described in Section 4.1. We will skip showing these additions since it would require a fair amount of work, and tell you that K = (2, 1). We can check this because we as readers (who know all of the information, including both Alice’s and Bob’s secret integers) can find that:

• For Alice: K = 2Z = 2(6P) = 12P = 9P + 3P = O + 3P = 3P = (2, 1).

• For Bob: K = 6W = 6(2P) = 12P = (2, 1).

So Alice and Bob now both have a shared point K = (2, 1) from which they can obtain a secret shared key.

4.3 ElGamal Cipher for Elliptic Curves

In Section 3.3 we discussed a public-key encryption system known as the ElGamal Cipher. When originally described, the cipher uses the finite multiplicative group (Z/nZ)×. Similar to the Diffie-Hellman Key Exchange, the ElGamal Cipher can be restated to use the additive group E(F_q) [9]. Let us now look at how the cipher works using elliptic curves.

ElGamal Cipher for Elliptic Curves: Bob wishes to establish a public key so that people may send him encrypted messages which only he can decrypt. To do so, Bob chooses an elliptic curve E over a finite field F_q. Then he chooses a rational point P on E, so that P has a large order in the group of rational points, E(F_q). Next he chooses a secret integer d and computes X = dP as a point in E(F_q). Bob then publishes the information E, F_q, P, and X as his public encryption key.

Alice wants to send Bob a secret message, so she first expresses her message as a point M in the group E(F_q). Then Alice chooses her own secret integer r and computes K = rP as a point in E(F_q). Next she will compute C = rX + M as a point in E(F_q). Alice will then send the information pair, K and C, to Bob.

Once Bob receives this information from Alice, he will first compute dK = d(rP) = drP = rdP = r(dP) = rX. Next he finds (−rX). This is the additive inverse of rX, and by the construction of the group we know that this will be obtained by finding the additive inverse of the y coordinate of the point rX in F_q. Once he has (−rX), Bob then decrypts Alice’s message by computing M = C + (−rX) as a point in E(F_q).

This final decryption works because we have:

C + (−rX) = rX + M + (−rX) = M + rX + (−rX) = M + O = M.

This cipher requires us to express a message as a point on an elliptic curve. It may be confusing as to how this could be accomplished. There are many possible ways that a message could be imbedded as a point in E(F_q). We will give one example of how this can be done for a restricted family of curves [2].

Suppose we have a curve E : y² = x³ + Ax + B over the finite field F_p for a large prime p satisfying p ≡ 3 (mod 4). First represent the plaintext message as an integer m in the range 0 ≤ m < p/1000 − 1. Try appending three digits to the end of the integer m to create a new integer x. We hope to find an x in the range 1000m ≤ x < 1000(m + 1) < p satisfying that x³ + Ax + B is a square in F_p; that is, x will be part of a solution to the equation defining E. If the x we obtain after appending digits to m does not satisfy these conditions, then we try appending three different digits to the end of m to obtain a different x and check the conditions again. We will do this until we obtain an x which works. Once we have such an x, we then can choose P to be a rational point in E(F_p) given by P = (x, y) where y is such that y² = x³ + Ax + B. There may be two choices for y, but it will not matter which you choose. To then reobtain the message m we simply drop the last three digits from the coordinate x. This imbedding is called “probabilistic” because there is an extremely small probability that x³ + Ax + B will be nonsquare for all x in 1000m ≤ x < 1000(m + 1) < p. Thus the imbedding will nearly always work.
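As an added example (not code from the thesis or from [2]), the imbedding just described in Python. The prime p = 1000003 (which satisfies p ≡ 3 (mod 4)), the coefficients A = B = 1 and the message integers are assumptions made here; because p ≡ 3 (mod 4), a square root of a square z in F_p is simply z^((p+1)/4), so no general square-root algorithm is needed.

```python
# Added example, not from the thesis or [2]: Koblitz's probabilistic imbedding
# of an integer message as a point on E: y^2 = x^3 + Ax + B over F_p, p = 3 (mod 4).
p, A, B = 1000003, 1, 1      # assumed parameters; 1000003 is prime and = 3 (mod 4)

def f(x):
    """Right-hand side x^3 + Ax + B reduced modulo p."""
    return (x ** 3 + A * x + B) % p

def embed(m):
    """Return (x, y) on E with 1000*m <= x < 1000*(m + 1) < p, or None.

    Euler's criterion z^((p-1)/2) == 1 decides whether z = f(x) is a square in
    F_p; because p = 3 (mod 4), z^((p+1)/4) is then a square root of z.
    """
    if not 0 <= m < p // 1000 - 1:
        raise ValueError("message integer out of range for this p")
    for suffix in range(1000):           # the 1000 possible three-digit endings
        x = 1000 * m + suffix
        z = f(x)
        if z == 0:
            return (x, 0)                # y = 0 also satisfies y^2 = f(x)
        if pow(z, (p - 1) // 2, p) != 1:
            continue                     # non-square: try the next ending
        y = pow(z, (p + 1) // 4, p)
        return (x, y)                    # the other choice of y would be p - y
    return None                          # all 1000 endings failed (about 2^-1000)

def recover(point):
    """Drop the last three decimal digits of x to get the message back."""
    return point[0] // 1000
```

For m = 42 the search stops at the first x in [42000, 43000) whose x³ + x + 1 is a square modulo p, and recover(embed(42)) returns 42.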

4.4 The Elliptic Curve Digital Signature Algorithm

A signature is a common concept in the world of paper and pens in order to validate a person’s identity and approval of a document. When we shift into the world of sending messages and documents through electronic sources, the simple concept of a person’s signature becomes a very tricky problem.

Suppose Alice is sending Bob a message and she wants to sign it so that Bob knows that it came from her and she approves its contents. How can Alice sign her message, which is no longer a traditional document but has now been converted electronically into some sort of integer? A naive solution would be to make a digital copy of Alice’s signature and send it off to Bob along with her message. This causes an issue, though, because our eavesdropper Eve could get her hands on Alice’s digitized signature and start sending out messages with Alice’s signature, masquerading as Alice. The recipients of these fake messages sent by Eve would have no way of knowing that these documents were not in fact authentic. This could cause a lot of problems for Alice! So Alice needs a way to create a digital signature which is directly tied to her document so that only she can use it. That way, the signature cannot be separated from the document and reused with another message.

One algorithm which can be used to solve this problem is the Digital Signature Algorithm (DSA). The original version of the DSA was formed using multiplicative groups such as (Z/nZ)×, but a new version has recently been created to be used with elliptic curves. This new version is known as the Elliptic Curve Digital Signature Algorithm (ECDSA) [9]. We will now take a look at how this algorithm works.

ECDSA: Alice is sending a message to Bob and she wants to be able to sign her document so that Bob can ensure its authenticity. In order to do this, Alice will choose an elliptic curve E over a finite field F_q. These should satisfy that #E(F_q) = nr, where r is a large prime number and n is a small integer. n should be chosen as a small integer to help keep the algorithm efficient; common choices are n = 1, 2, or 4. Then Alice chooses a point P in E(F_q) which has order r. Next, Alice chooses a secret integer a and she computes Q = aP. She makes public F_q, E, r, P, and Q.

To sign her message m, where m is an integer representation of her actual message, she first chooses a random integer k with 1 ≤ k < r and computes R = kP = (x, y). Once she has this she computes s = k⁻¹(m + ax) (mod r) and chooses s satisfying 0 ≤ s < r, where k⁻¹ is the multiplicative inverse of k modulo r. Her signed document is then the triple (m, R, s).

When Bob receives the document from Alice he can verify her signature by completing the following steps. First he computes u₁ = s⁻¹m (mod r) and chooses u₁ satisfying 0 ≤ u₁ < r. He then computes u₂ = s⁻¹x (mod r) and chooses u₂ satisfying 0 ≤ u₂ < r, where s⁻¹ is the multiplicative inverse of s modulo r. He then computes V = u₁P + u₂Q. He determines that the signature is valid if he finds V = R.

We can find that this verification holds by considering that:

V = u₁P + u₂Q = (s⁻¹m)P + (s⁻¹x)Q = s⁻¹mP + s⁻¹xaP = s⁻¹(m + xa)P
= (k⁻¹(m + xa))⁻¹(m + xa)P = k(m + ax)⁻¹(m + ax)P = kP = R.

The notation above may be slightly confusing. What we find is that since the order of P is r, when we compute nP we can reduce n modulo r and the result will remain the same. This is because if we write n = qr + n′ then we find that

nP = (qr + n′)P = qrP + n′P = q(rP) + n′P = qO + n′P = O + n′P = n′P.

Thus by using multiplicative inverses modulo r we can obtain the desired reductions. So the last few steps of the verification of the DSA work because we have that (m + ax)⁻¹(m + ax) ≡ 1 (mod r), so k(m + ax)⁻¹(m + ax)P = k(1)P = kP = R.
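As an added illustration (not code from the thesis), the group law of Section 4.1 carried out in Python on the curve Ẽ : y² = x³ + x + 1 over F_5, with the same two routines driving the Diffie-Hellman exchange of Section 4.2, the ElGamal cipher of Section 4.3 and the ECDSA signing and verification described above. For ECDSA the subgroup generated by 3P = (2, 1), which has prime order r = 3 (so n = 3 here), is assumed; all secret integers, the message point and the message integer are choices made for this example.

```python
# Added example, not code from the thesis: the group law of Section 4.1 on the
# curve E~: y^2 = x^3 + x + 1 over F_5, reused for Diffie-Hellman, ElGamal and ECDSA.
p, A, B = 5, 1, 1
O = None  # the point at infinity

def add(P1, P2):
    """Chord-and-tangent addition using the lambda/nu formulas of Section 4.1."""
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                  # inverses: same x, opposite y
    if P1 == P2:                                  # tangent case: doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
        nu = (-x1 ** 3 + A * x1 + 2 * B) * pow(2 * y1, -1, p) % p
    else:                                         # chord case: distinct x
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        nu = (y1 * x2 - y2 * x1) * pow(x2 - x1, -1, p) % p
    return ((lam * lam - x1 - x2) % p, (-lam ** 3 + lam * (x1 + x2) - nu) % p)

def neg(P):
    """Additive inverse: negate the y coordinate in F_p."""
    return O if P is O else (P[0], -P[1] % p)

def mul(k, P):
    """k*P by double-and-add, the additive analogue of fast exponentiation."""
    R = O
    while k > 0:
        if k & 1: R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def dh_shared(P, w, z):
    """Alice (secret w) and Bob (secret z) compute wZ and zW; both are wzP."""
    W, Z = mul(w, P), mul(z, P)
    return mul(w, Z), mul(z, W)

def elgamal_encrypt(P, X, M, r):
    """Bob's public key is X = dP; Alice sends (K, C) = (rP, rX + M)."""
    return mul(r, P), add(mul(r, X), M)

def elgamal_decrypt(d, K, C):
    """Bob recovers M = C + (-dK), because dK = d(rP) = rX."""
    return add(C, neg(mul(d, K)))

def ecdsa_sign(P, r, a, m, k):
    """R = kP = (x, y) and s = k^-1 (m + a x) mod r, with r the prime order of P."""
    R = mul(k, P)
    return R, pow(k, -1, r) * (m + a * R[0]) % r

def ecdsa_verify(P, r, Q, m, R, s):
    """Valid iff u1 P + u2 Q == R for u1 = s^-1 m and u2 = s^-1 x (mod r)."""
    u1, u2 = pow(s, -1, r) * m % r, pow(s, -1, r) * R[0] % r
    return add(mul(u1, P), mul(u2, Q)) == R
```

Running mul(k, (0, 1)) for k = 1, …, 9 reproduces the table of Section 4.2, and dh_shared((0, 1), 2, 6) returns the shared point (2, 1) for both parties; changing the message integer after signing makes ecdsa_verify return False.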

The security of the ECDSA is based on the Elliptic Curve Discrete Logarithm Problem. Say evil Eve wants to masquerade as Alice and send a document with Alice’s signature on it. Eve would need to be able to produce a signature triple (m, R, s) which is consistent with Alice’s publicly published information F_q, E, r, P, and Q. Eve will be able to create her own message m and the point R = (x, y) by using Alice’s published point P and choosing her own secret integer k. Eve won’t be able to sign this message validly, however, unless she can create the corresponding s value to her m and R. In order to do this Eve must compute s = k⁻¹(m + ax). But recall that a was Alice’s secret integer. So Eve would need to know a in order to masquerade as Alice. Eve knows P and Q = aP, so in order to find a Eve would need to be able to solve the ECDLP.

It is worth noting that this algorithm is not a way to encrypt Alice’s message. If Alice wishes to keep the contents of the message she is sending a secret, she must first encrypt the message using a cipher such as the ones we have discussed previously. This encryption could result in her message being a very large number, which would make the computations of the ECDSA very complicated and time consuming. As a result a common practice is to sign a hash of the message instead. A hash function is a type of function in computer science which takes inputs of a very large size and outputs a value of a small fixed length. So for example Alice’s message might be billions of bits long, but the hash of her message could be just 160 bits. This will greatly cut down on the computing time of creating and verifying a signature for her message.

If Alice and Bob agreed to do this then they would first need to agree on a hash function to use. Alice would then take her message m and compute its hash value h. When signing her document she would use h in all of the computations instead of m. She then could still send Bob the triple (m, R, s), and when Bob received this he would know to use the agreed upon hash function to find the hash value h of m to use in his verification computations. This way Bob receives Alice’s message and has a way of validating its authenticity.

BIBLIOGRAPHY

[1] Paul Garrett. Making, Breaking Codes: An Introduction to Cryptology. Prentice Hall, Upper Saddle River, New Jersey, 2001.

[2] Neal Koblitz. Elliptic curve cryptosystems. Math. Comp., 48(177):203–209, 1987.

[3] William J. LeVeque. Fundamentals of Number Theory. Dover Publications, Inc., New York, 1977.

[4] Victor Shoup. A Computational Introduction to Number Theory and Algebra. Cambridge University Press, 2008.

[5] Joseph H. Silverman. An Introduction to the Theory of Elliptic Curves, 2006. Slides of a summer school on Computational Number Theory and Applications to Cryptography at University of Wyoming. http://www.math.brown.edu/~jhs/Presentations/WyomingEllipticCurve.pdf.

[6] Joseph H. Silverman and John Tate. Rational Points on Elliptic Curves. Springer-Verlag, New York, 1992.

[7] Harold M. Stark. An Introduction to Number Theory. The MIT Press, Cambridge, Massachusetts, 1970.

[8] Wade Trappe and Lawrence C. Washington. Introduction to Cryptography with Coding Theory. Pearson Prentice Hall, Upper Saddle River, New Jersey 07458, 2006.

[9] Lawrence C. Washington. Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC, Boca Raton, 2003.

[10] Eric W. Weisstein. Rabin-Miller Strong Pseudoprime Test. From MathWorld – A Wolfram Web Resource. http://mathworld.wolfram.com/Rabin-MillerStrongPseudoprimeTest.html.
