\documentclass[12pt]{article}
\include{macros}
\usepackage{graphicx}
\title{Lecture 29: Elliptic Curve Cryptography}
\begin{document}
\maketitle

Today's lecture is about an application of elliptic curves to
cryptography.  

\hd{Disclaimer:} I do not endorse breaking laws, and give the examples
below as a pedagogical tool in the hope of making the mathematics in
our course more fun and relevant to everyday life.  I don't think I
have violated the Digital Millenium Copyright Act, because I have
given very few details about Microsoft's actual protocols, and I've
given absolutely no source code.

\section{Microsoft Digital Rights Management}
Today I will describe one way to use elliptic curves in cryptography.
Our central example will involve 
version 2 of the Microsoft Digital Rights Management (MS-DRM) system,
as applied to {\tt .wma} audio files.  
\begin{center}
\includegraphics[width=1in]{wma.eps}
\end{center}
I learned about this protocol from 
a paper by ``Beale Screamer''.

\subsection{Microsoft's Favorite Elliptic Curve}
\noindent{}The elliptic curve used in MS-DRM is an elliptic curve over the finite
field $k=\Z/p\Z$, where
$$
  p=785963102379428822376694789446897396207498568951.
$$
As Beale Screamer remarks, this modulus has high nerd appeal because in
hexadecimal it is 
\begin{center}
89ABCDEF012345672718281831415926141424F7,
\end{center}
 which
includes counting in hexadecimal, and digits of~$e$, 
$\pi$, and $\sqrt{2}$.
The Microsoft elliptic curve~$E$ is
\begin{align*}
y^2 = x^3 &+ 317689081251325503476317476413827693272746955927x \\
             &\qquad +79052896607878758718120572025718535432100651934.
\end{align*}
We have
$$\# E(k) = 785963102379428822376693024881714957612686157429,$$
and the group $E(k)$ is cyclic with generator 
\begin{align*}
B &= (771507216262649826170648268565579889907769254176, \\
&\qquad 390157510246556628525279459266514995562533196655).
\end{align*}
\subsection{Nikita and Michael}
\vspace{-4ex}Our heros Nikita and Michael love to share digital music
\includegraphics[width=1in]{notes.eps} 
when they aren't out thwarting terrorists.
When Nikita installed Microsoft's 
content rights management software on
her compute, it sneakily generated a private key
$$
n = 670805031139910513517527207693060456300217054473,
$$
which it very stealthily hid in bits and pieces of files (e.g., {\tt
blackbox.dll}, {\tt v2ks.bla}, and {\tt IndivBox.key}).  In order for
Nikita to play Juno Reactor's latest hit {\tt juno.wma}, her web
browser contacts a Microsoft rights management partner.  After Nikita
gives Microsoft her credit card number, she is allowed to download a
license to play {\tt juno.wma}.  Microsoft created the license using
the ElGamal public-key cryptosystem (see below) in the group $E(k)$.
Nikita's license file can now be used to unlock {\tt juno.wma}, but
{\em only} on Nikita's computer.  When she shares both {\tt juno.wma}
and the license file with Michael, he is very annoyed because he can't
play {\tt juno.wma}. This is because Michael's computer doesn't know
Nikita's computer's private key (that integer~$n$ above), 
so Michael's computer can't decrypt the license file.
\begin{center}
\includegraphics[width=1.5in]{juno.eps}\\
{\tt juno.wma}
\end{center}


\section{The Elliptic Curve Discrete Logarithm Problem}
\begin{definition}
If $E$ is an elliptic curve over $\Z/p\Z$ and~$B$ is a point on~$E$,
then the {\em discrete log problem} on~$E$ to the base~$B$ is the
following problem: given a point $P\in E$, find an integer~$n$
such that $nB = P$, if such an integer exists.
\end{definition}

For example, let $E$ be the elliptic curve given by $y^2 = x^3 + x+1$
over the field $\Z/7\Z$.  We have
$$
  E(\Z/7\Z) = \{\O, (2, 2), (0,1), (0,6), (2,5) \}.
$$
If $B=(2,2)$ and $P=(0,6)$, then $3B=P$, so $n=3$
is a solution to the discrete logarithm problem.

To the best of my knowledge, the discrete logarithm problem on~$E$
is {\em really hard} unless $\#E(\Z/p\Z)$ is ``smooth'', i.e., a
product of small primes, or $E$ is ``supersingular'' in the sense
that $p\mid \#E(\Z/p\Z)$.  
The Microsoft curve has neither of these deficiencies, and I 
expect that the discrete logarithm on that curve is quite difficult.
This is not the weekness that ``Beale Screamer'' exploits in
breaking MS-DRM.

\section{ElGamal}
How can we set up a public-key cryptosystem using an elliptic curve?
The only public-key crytosystem that we've studied so far is the RSA
cryptosystem; unfortunately, there is no analogue of RSA for elliptic
curves!  (Informal Exercise: Think about what goes wrong.)

MS-DRM uses the El Gamal system.  Here's how it works. 
Start with a fixed, publicly known prime~$p$, an elliptic
curve~$E$ over $\Z/p\Z$, and a point $B\in E(\Z/p\Z)$.
Michael and Nikita choose random integers~$m$ and~$n$, which
are kept secret, and compute and publish $mB$ and $nB$.

In order to send a message $P$ to Michael, Nikita
computes a random integer~$r$ and sends the pair of
points $(rB, P+r(mB))$.  To read the message, 
Michael multiplies $rB$ by his secret key~$m$
to get $m(rB) = r(mB)$, and subtracts this from
the second point to get 
  $$P = P+r(mB)-r(mB).$$

As far as I can tell, breaking this cryptosystem requires solving the
discrete logarithm problem, so it's very difficult.

The following example is based on an example taken from Beale
Screamer's paper.
\begin{example}
Nikita's license files contains the pair of points
$(rB,P+r(nB))$, where
{\tiny$$
  rB = (179671003218315746385026655733086044982194424660,
697834385359686368249301282675141830935176314718)
$$}
and
{\tiny$$
 P+r(nB) = (137851038548264467372645158093004000343639118915,
110848589228676224057229230223580815024224875699).
$$}
Nikita's computer sneakily loads the secret key
$$
n = 670805031139910513517527207693060456300217054473
$$ into memory
and computes
{\tiny$$n(rB) = r(nB) = 
  (328901393518732637577115650601768681044040715701,
  586947838087815993601350565488788846203887988162).
$$}
It then subtracts this from $P+r(nB)$ to get
$$
  P = (14489646124220757767, \,669337780373284096274895136618194604469696830074).
$$
That~$x$ coordinate, $14489646124220757767$, is the top secret magic ``content
key'' that unlocks {\tt juno.wma}.
\end{example}

If Nikita knew the private key~$n$ that her computer generated, she
could compute~$P$ herself and unlock {\tt juno.wma} and share her
music with Michael, just like she used to share her favorite CDs with
Michael.  Beale Screamer found a weakness in Microsoft's system that
let him find~$n$:
\begin{quote}
``These secret keys are stored in linked lists ... interspersed with the
code in the library.  The idea is that they can be read by that
library, used internally by that library, and never communicated
outside the library.  Since the {\tt IndivBox.key} file is shuffled in
a random way for each client, these keys would be extremely difficult
to extract from the file itself. Fortunately, we don't have to: these
keys are part of the object state that is maintained by this library,
and since the offset within this object of these secret keys is known,
we can let the library itself extract the secret keys!  The code for
this simply loads up the `black box' library, has it initialize an
instance of the object, and then reads the keys right out of that
object.  This is clearly a weakness in the code which can be corrected
by the DRM software fairly easily, but for now it is the basis of our
exploit.''
\end{quote}

As you can see, Microsoft has undertaken a difficult and interesting
problem.  {\em How can Microsoft  store data on Nikita's
computer in such a way that Nikita can not access it, but Nikita's
computer can?}

\section{Why Use Elliptic Curves?}
There are several advantages to using elliptic curves instead
of $\Z/p\Z$ for cryptography, though the people at RSA Corporation
might disagree.  Elliptic curve cryptosystems with smaller key sizes
appear to be just as secure as ``classical'' $\Z/p\Z$ cryptosystems
with much larger key sizes, so elliptic curve cryptosystems can
be more efficient.  Another advantage, which I won't explain
at all, is that elliptic curve cryptosystems appear to be vastly
more secure over
``large finite fields of characteristic~$2$'' than RSA, which is
is very important in practical applications.  Also,
elliptic curves are simply way cooler than $\Z/p\Z$, so
they (used to) attract venture capitalists.

Some mobile phones also use elliptic curve cryptography.  Do you have an
elliptic curve in your pocket right now?

\end{document}

/* Base conversion */

function ToDeci(s)
   c := ["0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f"];
   ans := 0;
   b := 1;
   for i in [1..#s] do
      ans := ans + b*(Index(c,s[#s-i+1])-1);
      b := b*16;
   end for;  
   return ans;
end function;


p := 785963102379428822376694789446897396207498568951
k := GF(p);
E := EllipticCurve([317689081251325503476317476413827693272746955927,  79052896607878758718120572025718535432100651934]);
B  := E![k|771507216262649826170648268565579889907769254176, 390157510246556628525279459266514995562533196655];
rB := E![k|179671003218315746385026655733086044982194424660,697834385359686368249301282675141830935176314718];
PrnB := E![k|137851038548264467372645158093004000343639118915,110848589228676224057229230223580815024224875699];
n := 670805031139910513517527207693060456300217054473;
PrnB - n*rB;
(14489646124220757767 : 669337780373284096274895136618194604469696830074 : 1)