elliptic curve cryptography
play

Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren - PowerPoint PPT Presentation

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction


  1. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  2. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  3. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Cryptography Cryptography provides the technical means to secure information in electronic form. ◮ Confidentiality : protection of data from unauthorized disclosure. ◮ Data integrity : assurance that data received are exactly as sent by an authorized entity. ◮ Authentication : assurance that the communicating entity is the one that it claims to be. ◮ Non-repudiation : prevents an entity from denying previous commitments or actions. Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  4. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Symmetric Key Cryptography ����������SYMMETRIC�KEY�CRYPTOSYSTEM BOB ALICE PLAINTEXT PLAINTEXT 110100011100 110100011100 = ENCRYPTION�KEY DECRYPTION�KEY CIPHERTEXT ???????????? Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  5. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Public Key Cryptography ������PUBLIC�KEY�CRYPTOSYSTEM BOB ALICE ���PUBLIC�LIST CIPHERTEXT PLAINTEXT ???????????? 110100011100 PUBLIC�KEY OF�BOB PRIVATE KEY�OF�BOB DECRYPTION�KEY ENCRYPTION�KEY CIPHERTEXT PLAINTEXT ???????????? 110100011100 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  6. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Factoring and Discrete Logarithm Problem ◮ Rivest-Shamir-Adleman (1977): RSA based on factoring. ◮ Main idea: easy to find two large primes p and q , but very hard to find p and q from n = p · q . ◮ RSA still most popular public key cryptosystem. ◮ ElGamal (1984): discrete logarithm problem (DLP). ◮ Group G is set with operation · and each element has inverse. ◮ Main idea: very easy to compute h = g x for given x , but very hard to find x given h and g . ◮ Popular choices: finite fields and elliptic curves. Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  7. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Diffie-Hellman Key Agreement Choose a large prime number p and a generator α mod p Alice Bob x A ∈ R [ 1 , p − 1 ] , α x A α x A − − − − − − − − → − x B ∈ R [ 1 , p − 1 ] , α x B ← α x B − − − − − − − − − K BA = ( α x B ) x A K BA = ( α x A ) x B ◮ Note: all calculations mod p ◮ Security based on Diffie-Hellman problem: given α x A and α x B compute α x A x B Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  8. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curves Definition ◮ Elliptic curve E over field K is defined by y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 , a i ∈ K ◮ The set of K -rational points E ( K ) is defined as E ( K ) = { ( x , y ) ∈ K × K | y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 }∪{∞} ◮ ∞ is called point at infinity Theorem There exists an addition law on E and the set E ( K ) is a group Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  9. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curves over R 6 6 4 4 2 2 0 0 −2 −2 −4 −4 −6 −6 −8 −6 −4 −2 0 2 4 6 8 −6 −4 −2 0 2 4 6 8 y 2 = x 3 + 4 x 2 + 4 x + 3 y 2 = x 3 − 7 x + 6 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  10. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Addition Law on Elliptic Curves L R 4 4 Q P P L 2 2 R 0 0 2P −2 −2 L ′ L ′ −4 −4 P ⊕ Q −6 −4 −2 0 2 4 6 −6 −4 −2 0 2 4 6 Adding two points Doubling a point y 2 = x 3 − 7 x + 6 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  11. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Addition Law on Elliptic Curves By definition: three points on a line sum to zero! Let P 1 ⊕ P 2 = P 3 , with P i = ( x i , y i ) ∈ E ◮ If x 1 = x 2 and y 1 + y 2 + a 1 x 2 + a 3 = 0, then P 1 ⊕ P 2 = ∞ , ◮ Else � λ = ( y 2 − y 1 ) / ( x 2 − x 1 ) x 1 � = x 2 ν = ( y 1 x 2 − y 2 x 1 ) / ( x 2 − x 1 ) � λ ( 3 x 2 = 1 + 2 a 2 x 1 + a 4 − a 1 y 1 ) / ( 2 y 1 + a 1 x 1 + a 3 ) x 1 = x 2 ( − x 3 ν = 1 + a 4 x 1 + 2 a 6 − a 3 y 1 ) / ( 2 y 1 + a 1 x 1 + a 3 ) The point P 3 = P 1 ⊕ P 2 is given by λ 2 + a 1 λ − a 2 − x 1 − x 2 x 3 = y 3 = − ( λ + a 1 ) x 3 − ν − a 3 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  12. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Finite Fields ◮ Practical applications need exact arithmetic, so ◮ not R since not exact ◮ not Q since size of numbers involved grows too fast ◮ Consider elliptic curves over finite fields: ◮ F p with p prime: represented by Z mod p ◮ F 2 n with 2 n elements: represented by F 2 [ X ] mod P ( X ) , i.e. binary polynomials modulo an irreducible polynomial P ( X ) Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  13. Cryptography Elliptic Curves EC Cryptographic Primitives u u u 22 Pairings u 21 20 u Elliptic Curves over Finite Fields 19 u 18 u 17 u 16 u u u 15 u 14 u 13 12 11 u 10 u 9 u u u 8 u 7 u 6 u 5 u 4 3 u 2 u u u 1 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 The elliptic curve y 2 = x 3 + x + 3 mod 23 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  14. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Number of Points on Elliptic Curve ◮ Theorem: the cardinality # E ( F q ) satisfies # E ( F q ) = q + 1 − t with | t | ≤ 2 √ q . ◮ For gcd ( q , t ) = 1, all possibilities occur. Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  15. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve DLP ◮ Let G be an abelian group generated by P ∈ G ◮ Let Q = s · P , then the DLP is to compute s given P and Q ◮ Classically: G = F × q ◮ For G = E ( F q ) , the DLP is called ECDLP Note: can translate primitives based on DLP to ECDLP setting Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  16. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Security of ECDLP: General Attacks ◮ Exhaustive search: impossible if group order > 2 80 ◮ Pohlig-Hellman: suppose # E ( F q ) = p s 1 1 · p s 2 2 · · · p s k k , then can reduce ECDLP to subgroups of order p i ⇒ # E ( F q ) should have large prime divisor p ◮ Pollard rho & lambda: random walk, constant space, time complexity is O ( √ p ) Conclusion : ◮ # E ( F q ) > 2 160 and divisible by large prime p ◮ Best general attack is exponential in p ◮ DLP in F q is sub-exponential: L q [ 1 / 3 , b ] with � e ( b + O ( 1 ))( ln N ) a ( ln ln N ) 1 − a � L N [ a , b ] = O Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  17. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Comparison with RSA & DSA: Security 500 ECDSA 450 400 350 Keylength elliptic curve system 300 250 200 150 100 RSA & DSA 50 0 0 1000 2000 3000 4000 5000 6000 7000 8000 9000 10000 Keylength conventional systems RSA and DSA Key lengths in bits for equivalent cryptographic strength Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  18. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Overview ◮ Key Agreement Primitives ◮ ECDH: EC Diffie-Hellman Secret Value Derivation ◮ ECMQV: EC Menezes-Qu-Vanstone Secret Value Derivation ◮ Signature Primitives ◮ ECNR: EC Nyberg-Rueppel Signatures ◮ ECDSA: EC Digital Signature Algorithm ◮ Encryption Primitives ◮ ECIES: EC Integrated Encryption Scheme Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  19. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Pairings ◮ Let G 1 , G 2 , G T be groups of prime order ℓ . A pairing is a non-degenerate bilinear map e : G 1 × G 2 → G T . ◮ Bilinearity: ◮ e ( g 1 + g 2 , h ) = e ( g 1 , h ) e ( g 2 , h ) , ◮ e ( g , h 1 + h 2 ) = e ( g , h 1 ) e ( g , h 2 ) . ◮ Non-degenerate: ◮ for all g � = 1: ∃ x ∈ G 2 such that e ( g , x ) � = 1 ◮ for all h � = 1: ∃ x ∈ G 1 such that e ( x , h ) � = 1 ◮ Examples: ◮ Scalar product on vectorspace over finite fields �· , ·� : F n q × F n q → F q . ◮ Weil- and Tate pairings on elliptic curves and abelian varieties. Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

  20. Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Pairings in cryptography ◮ Exploit bilinearity: original schemes G 1 = G 2 ◮ MOV: DLP reduction from G 1 to G T DLP in G 1 : ( g , xg ) ⇒ DLP in G T : ( e ( g , g ) , e ( g , g ) x ) ◮ Decision DH easy in G 1 DDH : ( g , ag , bg , cg ) test if e ( g , cg ) = e ( ag , bg ) ◮ Identity based crypto, short signatures, . . . Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

Recommend


More recommend