Prime Numbers

394 Chapter 8 THE UBIQUITY OF PRIME NUMBERS
(x0,y0) =[u1]P +[u2]Q;
v = x0 mod r;
if(v == R) Bob accepts signature;
else Bob rejects signature;
This algorithm is modeled on an older DSA standard, and amounts to the
natural elliptic-curve variant of DSA. Modern details and issues are discussed
in [Johnson et al. 2001]. The hash value h(M) is, technically speaking,
supposed to be effected via another standard, the SHA-1 hash function [Juriˇsić
and Menezes 1997]. Those authors also discuss the interesting issue of security.
They conclude that a 1024-bit DSA system is about as secure as a 160-bit
ECDSA system. If valid, such an observation shows once again that, on our
current knowledge, the EDL problem is about as hard as a computational
number-theoretical problem can be.
The current record for an EDL computation pertains to the “Certicom
Challenge,” for which an EDL was solved in 2002 by C. Monico et al. for
an elliptic curve over Fp with p being a 109-bit prime. The next challenge
of this type on the list is a 131-bit prime, but under current knowledge of
EDL difficulty, the 131-bit case is perhaps two thousand times harder than
the 109-bit case.
Incidentally, there is a different way to effect a signature scheme with
elliptic curves, which is the El Gamal scheme. We do not write out the
algorithm—it is less standard than the above ECDSA scheme (but no less
interesting))—but the essentials lie in Algorithm 8.1.10. Also, the theoretical
ideas are found in [Koblitz 1987].
We have mentioned, in connection with RSA encryption, the practical
expedient of using the sophisticated methods (RSA, ECC) for a key exchange,
then using the mutually understood key in a rapid block cipher, such as DES,
say. But there is another fascinating way to proceed with a kind of “direct”
ECC scheme, based on the notion of embedding plaintext as points on elliptic
curves. In this fashion, all encryption/decryption proceeds with nothing but
elliptic algebra at all phases.
Theorem 8.1.9 (Plaintext-embedding theorem). For prime p > 3 let E
denote an elliptic curve over Fp, with governing cubic
y 2 = x 3 + ax + b.
Let X be any integer in [0,p− 1]. Then X is either an x-coordinate of some
point on E, or on the twist curve E ′ whose governing cubic is gy 2 = x 3 +ax+b,
for some g with g
p = −1. Furthermore,ifp≡ 3(mod4), and we assign
s = X 3 + aX + b mod p,
Y = s (p+1)/4 mod p,
then (X, Y ) is a point on either E,E ′ , respectively, as
Y 2 ≡ s, −s (mod p),