4.4: Menezes-Vanstone Elliptic Curve Cryptosystem (Interactive Cryptography Script)

4.4 Menezes-Vanstone Elliptic Curve Cryptosystem

A more efficient variation has been found by Menezes and Vanstone. In this variation, the elliptic curve is used for "masking", and plaintexts and ciphertexts are allowed to be arbitrary ordered pairs of (nonzero) elements (i.e., they are not required to be points on E).This yields a message expansion factor of two, the same as in the original ElGamal Cryptosystem.

Let E be an elliptic curve defined over Z_p (p > 3 prime) such that E contains a cyclic subgroup H in which the discrete log problem is intractible. Let P = Z_p^* × Z_p^*, C = E × Z_p^* × Z_p^*, and define K = {(E, alpha, a, beta): beta = aalpha},
where alpha in E. The values alpha and beta are public, and a is secret. For K = (E, alpha, a, beta), for a (secret) random number k in Z_|H|, and for x = (x₁, x₂) in Z_p^* × Z_p^*, define
e_K(x, k) = (y₀, y₁, y₂),
where
y₀ = k alpha,
(c₁, c₂) = k beta,
y₁ = c₁ x₁ (mod p), and
y₂ = c₂ x₂ (mod p).

For a ciphertext y = (y₀, y₁, y₂), define
d_K(y) = (y₁ c₁^-1 (mod p), y₂ c₂^-1 (mod p)),
where
ay₀ = (c₁, c₂).

4.4 Menzes-Vanstone Elliptic Curve Cryptosystem: Sample applet for small numbers

source

5 DES