Elliptic Curve Cryptography
KellyBresnahan
8,612 views
102 slides
Sep 26, 2016
Slide 1 of 102
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
About This Presentation
No description available for this slideshow.
Slide Content
Elliptic Curve Cryptography
Kelly Bresnahan
March 24, 2016
Kelly Bresnahan
March 24, 2016
Table Of Contents
1
Elliptic Curve Cryptography (ECC)
Introduction
Pros and Cons of Elliptic Curves
Denition of an Elliptic Curve
Operations on Elliptic Curves
Hasse's Bound
Representing Plaintext
Elliptic Curve Die-Hellman Key Exchange
ElGamal Digital Signatures using Elliptic Curves
Identity-Base Encryption Using ECC
1
Elliptic Curve Cryptography (ECC)
Introduction
Pros and Cons of Elliptic Curves
Denition of an Elliptic Curve
Operations on Elliptic Curves
Hasse's Bound
Representing Plaintext
Elliptic Curve Die-Hellman Key Exchange
ElGamal Digital Signatures using Elliptic Curves
Identity-Base Encryption Using ECC
Introduction
Miller and Koblitz (independently) introduced elliptic
curves into cryptography in the mid-1980s
Elliptic Curve Cryptography algorithms entered wide use
between 2004 and 2005
Based on thediscrete logarithm problem, i.e.
determining an integer 1kp1 such that
g
k
=b(modp)
Miller and Koblitz (independently) introduced elliptic
curves into cryptography in the mid-1980s
Elliptic Curve Cryptography algorithms entered wide use
between 2004 and 2005
Based on thediscrete logarithm problem, i.e.
determining an integer 1kp1 such that
g
k
=b(modp)
Why use ECC?
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Why use ECC?
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Why use ECC?
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Why use ECC?
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Why use ECC?
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Why use ECC?
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Why use ECC?
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Why use ECC?
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system
160-256 bit vs 1024-3072 bit Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key
The energy needed to break an RSA key is much smaller
than an ECC key
Cons Security is achieved only if cryptographically strong elliptic
curves are used
Denition of Elliptic Curves
Denition:Anelliptic curveis the graph of the equation
E:y
2
=x
3
+ax
2
+bx+c
wherea,b, andcare elements from the base eldKof
characteristic not equal to 2.
Note:We'll also include the point (1;1), denoted1
Denition:Anelliptic curveis the graph of the equation
E:y
2
=x
3
+ax
2
+bx+c
wherea,b, andcare elements from the base eldKof
characteristic not equal to 2.
Note:We'll also include the point (1;1), denoted1
Examples of Elliptic Curves overR
Figure: y
2
=x
3
+xFigure: y
2
=x
3
+ 73
Figure: y
2
=x
3
+xFigure: y
2
=x
3
+ 73
Operations on Elliptic Curves
Point Addition
Point Addition
Operations on Elliptic Curves (cont)
Point Doubling
Point Doubling
Operations on Elliptic Curves (cont)
How do we add a pointPwith1?
How do we add a pointPwith1?
Operations on Elliptic Curves (cont)
How do we add a pointPwith1?
How do we add a pointPwith1?
Operations on Elliptic Curves (cont)
Therefore, the points onEform an abelian group under
addition where
1
1is the additive identity
2
The inverse of the pointP= (x;y) isP= (x;y)
3
PQ=P+ (Q)
Therefore, the points onEform an abelian group under
addition where
1
1is the additive identity
2
The inverse of the pointP= (x;y) isP= (x;y)
3
PQ=P+ (Q)
Elliptic Curve inR
Same Curve (modp)
Adding Points on E
SupposeEis dened asy
2
x
3
+ 4x+ 4 (mod 5).
LetP1= (1;2) andP2= (4;3). Then
(1;2) + (4;3) = (4;2)
SupposeEis dened asy
2
x
3
+ 4x+ 4 (mod 5).
LetP1= (1;2) andP2= (4;3). Then
(1;2) + (4;3) = (4;2)
Doubling Points on P
SupposeEis dened asy
2
x
3
+ 2x+ 2 (mod 17).
LetP= (5;1). Then
2P= (6;3)
SupposeEis dened asy
2
x
3
+ 2x+ 2 (mod 17).
LetP= (5;1). Then
2P= (6;3)
Addition Law
IfEis given byE:y
2
=x
3
+bx+c(modp) we dene
(x3;y3) = (x1;y1) + (x2;y2)
as
x3=s
2
x1x2(modp) and
y3=s(x1x3)y1(modp)
where
s=
8
>
<
>
:
y2y1
x2x1
(modp);ifP6=Q
3x1+b
2y1
(modp);ifP=Q
IfEis given byE:y
2
=x
3
+bx+c(modp) we dene
(x3;y3) = (x1;y1) + (x2;y2)
as
x3=s
2
x1x2(modp) and
y3=s(x1x3)y1(modp)
where
s=
8
>
<
>
:
y2y1
x2x1
(modp);ifP6=Q
3x1+b
2y1
(modp);ifP=Q
Cardinality
Question:What is the order of the group (E;+) (modp), i.e.
how many point are onE?
Hasse's Bound:Given an elliptic curveEmodulop, the
number of points onE, denoted #E, is bounded by
p+ 12
p
p#Ep+ 1 + 2
p
p
Question:What is the order of the group (E;+) (modp), i.e.
how many point are onE?
Hasse's Bound:Given an elliptic curveEmodulop, the
number of points onE, denoted #E, is bounded by
p+ 12
p
p#Ep+ 1 + 2
p
p
Cardinality
Question:What is the order of the group (E;+) (modp), i.e.
how many point are onE?
Hasse's Bound:Given an elliptic curveEmodulop, the
number of points onE, denoted #E, is bounded by
p+ 12
p
p#Ep+ 1 + 2
p
p
Question:What is the order of the group (E;+) (modp), i.e.
how many point are onE?
Hasse's Bound:Given an elliptic curveEmodulop, the
number of points onE, denoted #E, is bounded by
p+ 12
p
p#Ep+ 1 + 2
p
p
Elliptic Curves (modp)
The Discrete Logarithm Problem for Elliptic Curves:
Given an elliptic curveEand two pointsAandBonE, the
discrete log problem for elliptic curves is nding an integer
1d#Esuch that
P+P+ +P
| {z }
d times
=dP=T
In cryptosystemsdis the private key andTis the public key
The Discrete Logarithm Problem for Elliptic Curves:
Given an elliptic curveEand two pointsAandBonE, the
discrete log problem for elliptic curves is nding an integer
1d#Esuch that
P+P+ +P
| {z }
d times
=dP=T
In cryptosystemsdis the private key andTis the public key
Elliptic Curves (modp)
The Discrete Logarithm Problem for Elliptic Curves:
Given an elliptic curveEand two pointsAandBonE, the
discrete log problem for elliptic curves is nding an integer
1d#Esuch that
P+P+ +P
| {z }
d times
=dP=T
In cryptosystemsdis the private key andTis the public key
The Discrete Logarithm Problem for Elliptic Curves:
Given an elliptic curveEand two pointsAandBonE, the
discrete log problem for elliptic curves is nding an integer
1d#Esuch that
P+P+ +P
| {z }
d times
=dP=T
In cryptosystemsdis the private key andTis the public key
Representing Plaintext
We need a method for encoding a message as point on an
elliptic curve.
The Bad News:Currently there is no known polynomial time,
deterministic algorithm for writing points on an arbitrary
elliptic curve.
The Good News:There are fast probabilistic methods for
nding pointsWith appropriately chosen parameters, the probability of
failure can be made arbitrarily small.
We need a method for encoding a message as point on an
elliptic curve.
The Bad News:Currently there is no known polynomial time,
deterministic algorithm for writing points on an arbitrary
elliptic curve.
The Good News:There are fast probabilistic methods for
nding pointsWith appropriately chosen parameters, the probability of
failure can be made arbitrarily small.
Representing Plaintext
We need a method for encoding a message as point on an
elliptic curve.
The Bad News:Currently there is no known polynomial time,
deterministic algorithm for writing points on an arbitrary
elliptic curve.
The Good News:There are fast probabilistic methods for
nding pointsWith appropriately chosen parameters, the probability of
failure can be made arbitrarily small.
We need a method for encoding a message as point on an
elliptic curve.
The Bad News:Currently there is no known polynomial time,
deterministic algorithm for writing points on an arbitrary
elliptic curve.
The Good News:There are fast probabilistic methods for
nding pointsWith appropriately chosen parameters, the probability of
failure can be made arbitrarily small.
Representing Plaintext
We need a method for encoding a message as point on an
elliptic curve.
The Bad News:Currently there is no known polynomial time,
deterministic algorithm for writing points on an arbitrary
elliptic curve.
The Good News:There are fast probabilistic methods for
nding pointsWith appropriately chosen parameters, the probability of
failure can be made arbitrarily small.
We need a method for encoding a message as point on an
elliptic curve.
The Bad News:Currently there is no known polynomial time,
deterministic algorithm for writing points on an arbitrary
elliptic curve.
The Good News:There are fast probabilistic methods for
nding pointsWith appropriately chosen parameters, the probability of
failure can be made arbitrarily small.
Representing Plaintext
We need a method for encoding a message as point on an
elliptic curve.
The Bad News:Currently there is no known polynomial time,
deterministic algorithm for writing points on an arbitrary
elliptic curve.
The Good News:There are fast probabilistic methods for
nding pointsWith appropriately chosen parameters, the probability of
failure can be made arbitrarily small.
We need a method for encoding a message as point on an
elliptic curve.
The Bad News:Currently there is no known polynomial time,
deterministic algorithm for writing points on an arbitrary
elliptic curve.
The Good News:There are fast probabilistic methods for
nding pointsWith appropriately chosen parameters, the probability of
failure can be made arbitrarily small.
Representing Plaintext
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
Idea:Embedmas thex-coordinate of a point onE
The Bad News:There is only a 50% chance that
m
3
+bm+cis a square modulop
Question:How can we guarantee a higher success rate?Answer:We'll adjoin a few bits at the end ofmand adjust
them until we get a numberxsuch thatx
3
+bx+cis a square
(modp)
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
Idea:Embedmas thex-coordinate of a point onE
The Bad News:There is only a 50% chance that
m
3
+bm+cis a square modulop
Question:How can we guarantee a higher success rate?Answer:We'll adjoin a few bits at the end ofmand adjust
them until we get a numberxsuch thatx
3
+bx+cis a square
(modp)
Representing Plaintext
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
Idea:Embedmas thex-coordinate of a point onE
The Bad News:There is only a 50% chance that
m
3
+bm+cis a square modulop
Question:How can we guarantee a higher success rate?Answer:We'll adjoin a few bits at the end ofmand adjust
them until we get a numberxsuch thatx
3
+bx+cis a square
(modp)
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
Idea:Embedmas thex-coordinate of a point onE
The Bad News:There is only a 50% chance that
m
3
+bm+cis a square modulop
Question:How can we guarantee a higher success rate?Answer:We'll adjoin a few bits at the end ofmand adjust
them until we get a numberxsuch thatx
3
+bx+cis a square
(modp)
Representing Plaintext
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
Idea:Embedmas thex-coordinate of a point onE
The Bad News:There is only a 50% chance that
m
3
+bm+cis a square modulop
Question:How can we guarantee a higher success rate?Answer:We'll adjoin a few bits at the end ofmand adjust
them until we get a numberxsuch thatx
3
+bx+cis a square
(modp)
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
Idea:Embedmas thex-coordinate of a point onE
The Bad News:There is only a 50% chance that
m
3
+bm+cis a square modulop
Question:How can we guarantee a higher success rate?Answer:We'll adjoin a few bits at the end ofmand adjust
them until we get a numberxsuch thatx
3
+bx+cis a square
(modp)
Representing Plaintext
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
Idea:Embedmas thex-coordinate of a point onE
The Bad News:There is only a 50% chance that
m
3
+bm+cis a square modulop
Question:How can we guarantee a higher success rate?Answer:We'll adjoin a few bits at the end ofmand adjust
them until we get a numberxsuch thatx
3
+bx+cis a square
(modp)
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
Idea:Embedmas thex-coordinate of a point onE
The Bad News:There is only a 50% chance that
m
3
+bm+cis a square modulop
Question:How can we guarantee a higher success rate?Answer:We'll adjoin a few bits at the end ofmand adjust
them until we get a numberxsuch thatx
3
+bx+cis a square
(modp)
Representing Plaintext
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
Idea:Embedmas thex-coordinate of a point onE
The Bad News:There is only a 50% chance that
m
3
+bm+cis a square modulop
Question:How can we guarantee a higher success rate?Answer:We'll adjoin a few bits at the end ofmand adjust
them until we get a numberxsuch thatx
3
+bx+cis a square
(modp)
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
Idea:Embedmas thex-coordinate of a point onE
The Bad News:There is only a 50% chance that
m
3
+bm+cis a square modulop
Question:How can we guarantee a higher success rate?Answer:We'll adjoin a few bits at the end ofmand adjust
them until we get a numberxsuch thatx
3
+bx+cis a square
(modp)
Koblitz's Method
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
Koblitz's Method
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
Koblitz's Method
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
Koblitz's Method
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
Koblitz's Method
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
Koblitz's Method
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
Koblitz's Method
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
LetE:y
2
x
3
+bx+c(modp) be the elliptic curve and let
mbe the message represented as a number.
LetK2Zbe large enough such that a failure rate of
1=2
K
is acceptable
Assume that (m+ 1)K<pand letx=mK+j Forj= 0;1;2; : : : ;K1,- x
3
+bx+cand try to calculate the square root
(modp)
-x
3
+bx+cis a square, then we sendmtoPm= (x;y),
otherwise incrementjby 1
- j=K, then we have failed to map a message
to a point onE
Decoding
Note:Becausex
3
+bx+cis a square approximately half of
the time and we tryx=mK+jat mostKtimes, we have
about 1=2
K
chance of failure.
To recover the original message fromPm= (x;y), we calculate
m=
j
x
K
k
Second Note:Decoding requires that (m+ 1)K<p
Note:Becausex
3
+bx+cis a square approximately half of
the time and we tryx=mK+jat mostKtimes, we have
about 1=2
K
chance of failure.
To recover the original message fromPm= (x;y), we calculate
m=
j
x
K
k
Second Note:Decoding requires that (m+ 1)K<p
Decoding
Note:Becausex
3
+bx+cis a square approximately half of
the time and we tryx=mK+jat mostKtimes, we have
about 1=2
K
chance of failure.
To recover the original message fromPm= (x;y), we calculate
m=
j
x
K
k
Second Note:Decoding requires that (m+ 1)K<p
Note:Becausex
3
+bx+cis a square approximately half of
the time and we tryx=mK+jat mostKtimes, we have
about 1=2
K
chance of failure.
To recover the original message fromPm= (x;y), we calculate
m=
j
x
K
k
Second Note:Decoding requires that (m+ 1)K<p
Elliptic Curve Die-Hellman Key Exchange
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
Elliptic Curve Die-Hellman Key Exchange
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
Elliptic Curve Die-Hellman Key Exchange
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
Elliptic Curve Die-Hellman Key Exchange
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
Elliptic Curve Die-Hellman Key Exchange
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
Elliptic Curve Die-Hellman Key Exchange
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
Elliptic Curve Die-Hellman Key Exchange
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
Elliptic Curve Die-Hellman Key Exchange
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
(ECDH)
Suppose that Alice and Bob want to exchange a key
1
They agree on a primep, the elliptic curve
E:y
2
x
3
+ax+b(modp), and a base pointPonE.
2
Alice randomly chooses an integerkaand Bob randomly
chooses an integerkb, which they keep secret
3
Alice publishes the pointA=kaPand sends it to Bob
4
Bob publishes the pointB=kbPand sends it to Alice
5
Alice takes Bob's pointBand computeska(B)
6
Similarly, Bob computeskb(A)
7
Because the group (E;+) is abelian,
ka(B) =ka(kbP) =kb(kaP) =kb(A);
so Alice and Bob have the same key
ElGamal Elliptic Curve Digital Signature Algorithm
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
ElGamal Elliptic Curve Digital Signature Algorithm
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
ElGamal Elliptic Curve Digital Signature Algorithm
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
ElGamal Elliptic Curve Digital Signature Algorithm
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
ElGamal Elliptic Curve Digital Signature Algorithm
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
ElGamal Elliptic Curve Digital Signature Algorithm
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
(ECDSA)
Suppose that Alice wants to sign a message,m, for Bob to
verify.
To set up the system, we
1
Fix an Elliptic CurveE(modp) wherepis large prime
2
Fix a base pointAonE
3
Assume that the message represented as a numberm
satises
0m#E
4
Alice chooses a private integeraand computesB=aA
Now (p;E;#E;A;B) are made public whileais private.
El Gamal ECDSA: Signing a Message
Now Alice wants to sign the message, so she
1
chooses a random 1k#Ewith gcd(k;#E) = 1,
2
computeskAR= (x;y),
3
computessk
1
(max) mod #E,
4
sends the signed message (m;R;s) to Bob for verication,
Now Alice wants to sign the message, so she
1
chooses a random 1k#Ewith gcd(k;#E) = 1,
2
computeskAR= (x;y),
3
computessk
1
(max) mod #E,
4
sends the signed message (m;R;s) to Bob for verication,
El Gamal ECDSA: Signing a Message
Now Alice wants to sign the message, so she
1
chooses a random 1k#Ewith gcd(k;#E) = 1,
2
computeskAR= (x;y),
3
computessk
1
(max) mod #E,
4
sends the signed message (m;R;s) to Bob for verication,
Now Alice wants to sign the message, so she
1
chooses a random 1k#Ewith gcd(k;#E) = 1,
2
computeskAR= (x;y),
3
computessk
1
(max) mod #E,
4
sends the signed message (m;R;s) to Bob for verication,
El Gamal ECDSA: Signing a Message
Now Alice wants to sign the message, so she
1
chooses a random 1k#Ewith gcd(k;#E) = 1,
2
computeskAR= (x;y),
3
computessk
1
(max) mod #E,
4
sends the signed message (m;R;s) to Bob for verication,
Now Alice wants to sign the message, so she
1
chooses a random 1k#Ewith gcd(k;#E) = 1,
2
computeskAR= (x;y),
3
computessk
1
(max) mod #E,
4
sends the signed message (m;R;s) to Bob for verication,
El Gamal ECDSA: Signing a Message
Now Alice wants to sign the message, so she
1
chooses a random 1k#Ewith gcd(k;#E) = 1,
2
computeskAR= (x;y),
3
computessk
1
(max) mod #E,
4
sends the signed message (m;R;s) to Bob for verication,
Now Alice wants to sign the message, so she
1
chooses a random 1k#Ewith gcd(k;#E) = 1,
2
computeskAR= (x;y),
3
computessk
1
(max) mod #E,
4
sends the signed message (m;R;s) to Bob for verication,
El Gamal ECDSA: Signing a Message
Now Alice wants to sign the message, so she
1
chooses a random 1k#Ewith gcd(k;#E) = 1,
2
computeskAR= (x;y),
3
computessk
1
(max) mod #E,
4
sends the signed message (m;R;s) to Bob for verication,
Now Alice wants to sign the message, so she
1
chooses a random 1k#Ewith gcd(k;#E) = 1,
2
computeskAR= (x;y),
3
computessk
1
(max) mod #E,
4
sends the signed message (m;R;s) to Bob for verication,
El Gamal ECDSA: Verifying a Message
To verify Alice's message, Bob
1
downloads Alice's public info and (p;E;#E;A;B),
2
computesv1xB+sRandv2mA
The signature is valid only ifv1=v2
To verify Alice's message, Bob
1
downloads Alice's public info and (p;E;#E;A;B),
2
computesv1xB+sRandv2mA
The signature is valid only ifv1=v2
El Gamal ECDSA: Verifying a Message
To verify Alice's message, Bob
1
downloads Alice's public info and (p;E;#E;A;B),
2
computesv1xB+sRandv2mA
The signature is valid only ifv1=v2
To verify Alice's message, Bob
1
downloads Alice's public info and (p;E;#E;A;B),
2
computesv1xB+sRandv2mA
The signature is valid only ifv1=v2
El Gamal ECDSA: Verifying a Message
To verify Alice's message, Bob
1
downloads Alice's public info and (p;E;#E;A;B),
2
computesv1xB+sRandv2mA
The signature is valid only ifv1=v2
To verify Alice's message, Bob
1
downloads Alice's public info and (p;E;#E;A;B),
2
computesv1xB+sRandv2mA
The signature is valid only ifv1=v2
Why does this work?
We know that
v1=xB+sR=xaA+ (k
1
(max))(kA)=xaA+ (max)A=mAv2
We know that
v1=xB+sR=xaA+ (k
1
(max))(kA)=xaA+ (max)A=mAv2
Why does this work?
We know that
v1=xB+sR=xaA+ (k
1
(max))(kA)=xaA+ (max)A=mAv2
We know that
v1=xB+sR=xaA+ (k
1
(max))(kA)=xaA+ (max)A=mAv2
Why does this work?
We know that
v1=xB+sR=xaA+ (k
1
(max))(kA)=xaA+ (max)A=mAv2
We know that
v1=xB+sR=xaA+ (k
1
(max))(kA)=xaA+ (max)A=mAv2
Why does this work?
We know that
v1=xB+sR=xaA+ (k
1
(max))(kA)=xaA+ (max)A=mAv2
We know that
v1=xB+sR=xaA+ (k
1
(max))(kA)=xaA+ (max)A=mAv2
Why does this work?
We know that
v1=xB+sR=xaA+ (k
1
(max))(kA)=xaA+ (max)A=mAv2
We know that
v1=xB+sR=xaA+ (k
1
(max))(kA)=xaA+ (max)A=mAv2
Identity-Based Encryption
In most public key systems, when Alice wants to send a
message to Bob, she looks up his public key in a directory and
then encrypts her message. However, how does she know that
the information has not been modied by Eve and the public
key listed for Bob is Eve's key?!
Wouldn't it be nice to have a system where Bob's public
identication information (like his email address) serves as the
public key?
In most public key systems, when Alice wants to send a
message to Bob, she looks up his public key in a directory and
then encrypts her message. However, how does she know that
the information has not been modied by Eve and the public
key listed for Bob is Eve's key?!
Wouldn't it be nice to have a system where Bob's public
identication information (like his email address) serves as the
public key?
Identity-Based Encryption
In most public key systems, when Alice wants to send a
message to Bob, she looks up his public key in a directory and
then encrypts her message. However, how does she know that
the information has not been modied by Eve and the public
key listed for Bob is Eve's key?!
Wouldn't it be nice to have a system where Bob's public
identication information (like his email address) serves as the
public key?
In most public key systems, when Alice wants to send a
message to Bob, she looks up his public key in a directory and
then encrypts her message. However, how does she know that
the information has not been modied by Eve and the public
key listed for Bob is Eve's key?!
Wouldn't it be nice to have a system where Bob's public
identication information (like his email address) serves as the
public key?
Setting up the Cryptosystem
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
Setting up the Cryptosystem
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
Setting up the Cryptosystem
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
Setting up the Cryptosystem
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
Setting up the Cryptosystem
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
Setting up the Cryptosystem
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
First, letpbe a prime of the form 6q1 whereqis also prime.
Then for the elliptic curveE:y
2
=x
3
+ 1 (modp), we know
that
There is a pointP06=1such thatqP0=1.
There is a function ~esuch that
-emaps pairs of points (aP0;bP0) toqth roots of unity
-esatises thebilinearity property
~e(aP0;bP0) = ~e(P0;P0)
ab
for allaandb
- P=kP0andQ=mP0, ~e(P;Q) can be computed
quickly from the coordinatesPandQ
-e(P0;P0)6= 1, so it is a nontrivial root of unity
Setting up the Cryptosystem (cont)
We need two public hash functions:
H1:farb. length binary stringg !kP0
fork2Z
H2:fqth root of unityg ! fbinary strings of lengthng
wherenis the length of the message to be sent
We need two public hash functions:
H1:farb. length binary stringg !kP0
fork2Z
H2:fqth root of unityg ! fbinary strings of lengthng
wherenis the length of the message to be sent
Setting up the Cryptosystem (cont)
We need two public hash functions:
H1:farb. length binary stringg !kP0
fork2Z
H2:fqth root of unityg ! fbinary strings of lengthng
wherenis the length of the message to be sent
We need two public hash functions:
H1:farb. length binary stringg !kP0
fork2Z
H2:fqth root of unityg ! fbinary strings of lengthng
wherenis the length of the message to be sent
Setting up the System
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:
He chooses a secret integers He computesP1=sP0, which is made public For each User, Arthur nds the user'sID(written as a
binary string) and computes
DUser=sH1(ID);
which is a point onE
Arthur sendsDUserto each user, who keeps it secret. He
then discardsDUser
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:
He chooses a secret integers He computesP1=sP0, which is made public For each User, Arthur nds the user'sID(written as a
binary string) and computes
DUser=sH1(ID);
which is a point onE
Arthur sendsDUserto each user, who keeps it secret. He
then discardsDUser
Setting up the System
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:
He chooses a secret integers He computesP1=sP0, which is made public For each User, Arthur nds the user'sID(written as a
binary string) and computes
DUser=sH1(ID);
which is a point onE
Arthur sendsDUserto each user, who keeps it secret. He
then discardsDUser
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:
He chooses a secret integers He computesP1=sP0, which is made public For each User, Arthur nds the user'sID(written as a
binary string) and computes
DUser=sH1(ID);
which is a point onE
Arthur sendsDUserto each user, who keeps it secret. He
then discardsDUser
Setting up the System
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:
He chooses a secret integers He computesP1=sP0, which is made public For each User, Arthur nds the user'sID(written as a
binary string) and computes
DUser=sH1(ID);
which is a point onE
Arthur sendsDUserto each user, who keeps it secret. He
then discardsDUser
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:
He chooses a secret integers He computesP1=sP0, which is made public For each User, Arthur nds the user'sID(written as a
binary string) and computes
DUser=sH1(ID);
which is a point onE
Arthur sendsDUserto each user, who keeps it secret. He
then discardsDUser
Setting up the System
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:
He chooses a secret integers He computesP1=sP0, which is made public For each User, Arthur nds the user'sID(written as a
binary string) and computes
DUser=sH1(ID);
which is a point onE
Arthur sendsDUserto each user, who keeps it secret. He
then discardsDUser
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:
He chooses a secret integers He computesP1=sP0, which is made public For each User, Arthur nds the user'sID(written as a
binary string) and computes
DUser=sH1(ID);
which is a point onE
Arthur sendsDUserto each user, who keeps it secret. He
then discardsDUser
Setting up the System
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:
He chooses a secret integers He computesP1=sP0, which is made public For each User, Arthur nds the user'sID(written as a
binary string) and computes
DUser=sH1(ID);
which is a point onE
Arthur sendsDUserto each user, who keeps it secret. He
then discardsDUser
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:
He chooses a secret integers He computesP1=sP0, which is made public For each User, Arthur nds the user'sID(written as a
binary string) and computes
DUser=sH1(ID);
which is a point onE
Arthur sendsDUserto each user, who keeps it secret. He
then discardsDUser
Sending a Message
Suppose Alice wants to send a messagemto Bob and suppose
thatmis of binary lengthn.
Bob'sIDis [email protected], so Alice does the following:
1
She computesg~e(H1(bob@computer:com);P1), aqth
root of unity
2
She chooses a random integerr6= 0 (modq) and
computes
tmH2(g
r
)
whereis the XOR cipher.
3
She sends Bob the ciphertext
c(rP0;t);
whererP0onEandtis a binary string of lengthn
Suppose Alice wants to send a messagemto Bob and suppose
thatmis of binary lengthn.
Bob'sIDis [email protected], so Alice does the following:
1
She computesg~e(H1(bob@computer:com);P1), aqth
root of unity
2
She chooses a random integerr6= 0 (modq) and
computes
tmH2(g
r
)
whereis the XOR cipher.
3
She sends Bob the ciphertext
c(rP0;t);
whererP0onEandtis a binary string of lengthn
Sending a Message
Suppose Alice wants to send a messagemto Bob and suppose
thatmis of binary lengthn.
Bob'sIDis [email protected], so Alice does the following:
1
She computesg~e(H1(bob@computer:com);P1), aqth
root of unity
2
She chooses a random integerr6= 0 (modq) and
computes
tmH2(g
r
)
whereis the XOR cipher.
3
She sends Bob the ciphertext
c(rP0;t);
whererP0onEandtis a binary string of lengthn
Suppose Alice wants to send a messagemto Bob and suppose
thatmis of binary lengthn.
Bob'sIDis [email protected], so Alice does the following:
1
She computesg~e(H1(bob@computer:com);P1), aqth
root of unity
2
She chooses a random integerr6= 0 (modq) and
computes
tmH2(g
r
)
whereis the XOR cipher.
3
She sends Bob the ciphertext
c(rP0;t);
whererP0onEandtis a binary string of lengthn
Sending a Message
Suppose Alice wants to send a messagemto Bob and suppose
thatmis of binary lengthn.
Bob'sIDis [email protected], so Alice does the following:
1
She computesg~e(H1(bob@computer:com);P1), aqth
root of unity
2
She chooses a random integerr6= 0 (modq) and
computes
tmH2(g
r
)
whereis the XOR cipher.
3
She sends Bob the ciphertext
c(rP0;t);
whererP0onEandtis a binary string of lengthn
Suppose Alice wants to send a messagemto Bob and suppose
thatmis of binary lengthn.
Bob'sIDis [email protected], so Alice does the following:
1
She computesg~e(H1(bob@computer:com);P1), aqth
root of unity
2
She chooses a random integerr6= 0 (modq) and
computes
tmH2(g
r
)
whereis the XOR cipher.
3
She sends Bob the ciphertext
c(rP0;t);
whererP0onEandtis a binary string of lengthn
Sending a Message
Suppose Alice wants to send a messagemto Bob and suppose
thatmis of binary lengthn.
Bob'sIDis [email protected], so Alice does the following:
1
She computesg~e(H1(bob@computer:com);P1), aqth
root of unity
2
She chooses a random integerr6= 0 (modq) and
computes
tmH2(g
r
)
whereis the XOR cipher.
3
She sends Bob the ciphertext
c(rP0;t);
whererP0onEandtis a binary string of lengthn
Suppose Alice wants to send a messagemto Bob and suppose
thatmis of binary lengthn.
Bob'sIDis [email protected], so Alice does the following:
1
She computesg~e(H1(bob@computer:com);P1), aqth
root of unity
2
She chooses a random integerr6= 0 (modq) and
computes
tmH2(g
r
)
whereis the XOR cipher.
3
She sends Bob the ciphertext
c(rP0;t);
whererP0onEandtis a binary string of lengthn
Recovering the Message
Bob receives the pair (U;v) whereUis a point onEandvis a
binary string of lengthn. Then he does the following:
1
He computesh~e(DBob;U), which is aqth root of unity
2
He recovers the message by
m=vH2(h)
Bob receives the pair (U;v) whereUis a point onEandvis a
binary string of lengthn. Then he does the following:
1
He computesh~e(DBob;U), which is aqth root of unity
2
He recovers the message by
m=vH2(h)
Recovering the Message
Bob receives the pair (U;v) whereUis a point onEandvis a
binary string of lengthn. Then he does the following:
1
He computesh~e(DBob;U), which is aqth root of unity
2
He recovers the message by
m=vH2(h)
Bob receives the pair (U;v) whereUis a point onEandvis a
binary string of lengthn. Then he does the following:
1
He computesh~e(DBob;U), which is aqth root of unity
2
He recovers the message by
m=vH2(h)
Recovering the Message
Bob receives the pair (U;v) whereUis a point onEandvis a
binary string of lengthn. Then he does the following:
1
He computesh~e(DBob;U), which is aqth root of unity
2
He recovers the message by
m=vH2(h)
Bob receives the pair (U;v) whereUis a point onEandvis a
binary string of lengthn. Then he does the following:
1
He computesh~e(DBob;U), which is aqth root of unity
2
He recovers the message by
m=vH2(h)
Why does this work?
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
Why does this work?
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
Why does this work?
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
Why does this work?
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
Why does this work?
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
Why does this work?
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
Why does this work?
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
If encryption is performed correction,U=rP0and
v=t=mH2(g).
SinceDBob=sH1(bob@computer:com),
h~e(DBob;rP0) = ~e(sH1(bob@computer:com);rP0)
= ~e(H1(bob@computer:com);P0)
rs
= ~e(H1(bob@computer:com);sP0)
r
= ~e(H1(bob@computer:com);P1)
r
g
r
Therefore,tH2(h) =tH2(g
r
) = (mH2(g
r
))H2(g
r
) =m
Any Questions?
Tags
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 8,612
- Slides 102
- Favorites 11
- Age 3355 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
48 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
47 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
35 views
21
Know for Certain
DaveSinNM
23 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views