elliptic curve cryptography
play

elliptic curve cryptography Craig Costello Summer School on - PowerPoint PPT Presentation

Apr 29, 2023 β€’882 likes β€’1.38k views

A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 11, 2018 ibenik , Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4:

  1. A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 11, 2018 Ε ibenik , Croatia

  2. Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4: Next-generation ECC

  3. Diffie-Hellman key exchange (circa 1976) π‘Ÿ = 1606938044258990275541962092341162602522202993782792835301301 𝑕 = 123456789 𝑕 𝑏 mod π‘Ÿ = 78467374529422653579754596319852702575499692980085777948593 560048104293218128667441021342483133802626271394299410128798 = 𝑕 𝑐 mod π‘Ÿ 𝑏 = 𝑐 = 685408003627063 362059131912941 761059275919665 987637880257325 781694368639459 269696682836735 527871881531452 524942246807440 𝑕 𝑏𝑐 mod π‘Ÿ = 437452857085801785219961443000845969831329749878767465041215

  4. Index calculus solve 𝑕 𝑦 ≑ β„Ž (mod π‘ž) e.g. 3 𝑦 ≑ 37 (mod 1217) - factor base π‘ž 𝑗 = {2,3,5,7,11,13,17,19} , #π‘ž 𝑗 = 8 - Find 8 values of 𝑙 where 3 𝑙 splits over π‘ž 𝑗 , i.e., 3 𝑙 ≑ Β±βˆπ‘ž 𝑗 mod π‘ž (mod 1216) (mod 1216) (mod 1217) 3 1 ≑ 3 𝑀 2 ≑ 216 1 ≑ 𝑀(3) 3 24 ≑ βˆ’2 2 β‹… 7 β‹… 13 𝑀 3 ≑ 1 24 ≑ 608 + 2 β‹… 𝑀 2 + 𝑀 7 + 𝑀(13) 3 25 ≑ 5 3 𝑀 5 ≑ 819 25 ≑ 3 β‹… 𝑀(5) 3 30 ≑ βˆ’2 β‹… 5 2 𝑀 7 ≑ 113 30 ≑ 608 + 𝑀 2 + 2 β‹… 𝑀(5) 3 34 ≑ βˆ’3 β‹… 7 β‹… 19 𝑀 11 ≑ 1059 34 ≑ 608 + 𝑀 3 + 𝑀 7 + 𝑀(19) 3 54 ≑ βˆ’5 β‹… 11 𝑀 13 ≑ 87 54 ≑ 608 + 𝑀 5 + 𝑀(11) 3 71 ≑ βˆ’17 𝑀 17 ≑ 679 71 ≑ 608 + 𝑀(17) 3 87 ≑ 13 𝑀 19 ≑ 528 87 ≑ 𝑀(13)

  5. Index calculus solve 𝑕 𝑦 ≑ β„Ž (mod π‘ž) e.g. 3 𝑦 ≑ 37 (mod 1217) Now search for π‘˜ such that 𝑕 π‘˜ β‹… β„Ž = 3 π‘˜ β‹… 37 factors over π‘ž 𝑗 𝑀 2 ≑ 216 𝑀 3 ≑ 1 3 16 β‹… 37 ≑ 2 3 β‹… 7 β‹… 11 (mod 1217) 𝑀 5 ≑ 819 𝑀 7 ≑ 113 𝑀 37 ≑ 3 β‹… 𝑀 2 + 𝑀 7 + 𝑀 11 βˆ’ 16 mod 1216 𝑀 11 ≑ 1059 𝑀 13 ≑ 87 ≑ 3 β‹… 216 + 113 + 1059 βˆ’ 1 𝑀 17 ≑ 679 ≑ 588 𝑀 19 ≑ 528 64/9 1/3 +𝑝 1 (ln π‘ž ) 1/3 β‹…(lnln π‘ž ) 2/3 Subexponential complexity 𝑀 π‘ž 1/3, 64/9 1/3 = 𝑓

  6. Diffie-Hellman key exchange (circa 2016) π‘Ÿ = 58096059953699580628595025333045743706869751763628952366614861522872037309971102257373360445331184072513261577549805174439905295945400471216628856721870324010321116397 06440498844049850989051627200244765807041812394729680540024104827976584369381522292361208779044769892743225751738076979568811309579125511333093243519553784816306381580 16186020024749256844815024251530444957718760413642873858099017255157393414625583036640591500086964373205321856683254529110790372283163413859958640669032595972518744716 90595408050123102096390117507487600170953607342349457574162729948560133086169585299583046776370191815940885283450612858638982717634572948835466388795543116154464463301 99254382340016292057090751175533888161918987295591531536698701292267685465517437915790823154844634780260102891718032495396075041899485513811126977307478969074857043710 716150121315922024556759241239013152919710956468406379442914941614357107914462567329693649 𝑕 = 123456789 197496648183227193286262018614250555971909799762533760654008147994875775445667054218578105133138217497206890599554928429450667899476 854668595594034093493637562451078938296960313488696178848142491351687253054602202966247046105770771577248321682117174246128321195678 𝑕 𝑏 537631520278649403464797353691996736993577092687178385602298873558954121056430522899619761453727082217823475746223803790014235051396 (mod q ) 799049446508224661850168149957401474638456716624401906701394472447015052569417746372185093302535739383791980070572381421729029651639 304234361268764971707763484300668923972868709121665568669830978657804740157916611563508569886847487772676671207386096152947607114559 = 706340209059103703018182635521898738094546294558035569752596676346614699327742088471255741184755866117812209895514952436160199336532 6052422101474898256696660124195726100495725510022002932814218768060112310763455404567248761396399633344901857872119208518550803791724 411604662069593306683228525653441872410777999220572079993574397237156368762038378332742471939666544968793817819321495269833613169937 986164811320795616949957400518206385310292475529284550626247132930124027703140131220968771142788394846592816111078275196955258045178 = 705254016469773509936925361994895894163065551105161929613139219782198757542984826465893457768888915561514505048091856159412977576049 𝑕 𝑐 073563225572809880970058396501719665853110101308432647427786565525121328772587167842037624190143909787938665842005691911997396726455 110758448552553744288464337906540312125397571803103278271979007681841394534114315726120595749993896347981789310754194864577435905673 (mod q ) 172970033596584445206671223874399576560291954856168126236657381519414592942037018351232440467191228145585909045861278091800166330876 4073238447199488070126873048860279221761629281961046255219584327714817248626243962413613075956770018017385724999495117779149416882188 𝑏 = 𝑐 = 7147687166405; 9571879053605547396582 655456209464694; 93360682685816031704 692405186145916522354912615715297097 969423104727624468251177438749706128 100679170037904924330116019497881089 879957701\93698826859762790479113062 087696131592831386326210951294944584 308975863428283798589097017957365590 4004974889298038584931918128447572321 672\83571386389571224667609499300898 𝑕 𝑏𝑐 = 023987160439062006177648318875457556 554802446403039544300748002507962036 2337708539125052923646318332191217321 386619315229886063541005322448463915 464134655845254917228378772756695589 89798641210273772558373965\486539312 845219962202945089226966507426526912 330166919524192149323761733598426244691224199958894654036331526394350099088627302979833339501183059198113987880066739 854838650709031919742048649235894391 7802446416400\9025927104004338958261 90352993032676961005\088404319792729 1419862375878988193612187945591802864 419999231378970715307039317876258453876701124543849520979430233302777503265010724513551209279573183234934359636696506 916038927477470940948581926791161465 062679\864839578139273043684955597764 968325769489511028943698821518689496597758218540767517885836464160289471651364552490713961456608536013301649753975875 02863521484987\086232861934222391717 13009721221824915810964579376354556\6 610659655755567474438180357958360226708742348175045563437075840969230826767034061119437657466993989389348289599600338 121545686125300672760188085915004248 554629883777859568089157882151127357 49476686\706784051068715397706852664 4220422646379170599917677567\30420698 950372251336932673571743428823026014699232071116171392219599691096846714133643382745709376112500514300983651201961186 532638332403983747338379697022624261 422392494816906777896174923072071297 613464267685926563624589817259637248558104903657371981684417053993082671827345252841433337325420088380059232089174946 377163163204493828299206039808703403 603455802621072109220\54662739697748 086536664984836041334031650438692639106287627157575758383128971053401037407031731509582807639509448704617983930135028 575100467337085017748387148822224875 553543758990879608882627763290293452 309641791879395483731754620034884930 560094576029847\3913613887675543866 7596589383292751993079161318839043121329118930009948197899907586986108953591420279426874779423560221038468 540399950519191679471224\05558557093 22479265299978059886472414530462194 219350747155777569598163700850920394 52761811989\9746477252908878060493 705281936392411084\43600686183528465 17954195146382922889045577804592943 724969562186437214972625833222544865 73052654\10485180264002079415193983 996160464558\54629937016589470425264 85114342508427311982036827478946058 445624157899586972652935647856967092 7100\304977477069244278989689910572 689604\42796501209877036845001246792 12096357725203480402449913844583448 761563917639959736383038665362727158

  7. Diffie-Hellman key exchange (cont.) β€’ Individual secret keys secure under Discrete Log Problem (DLP): 𝑕, 𝑕 𝑦 ↦ 𝑦 β€’ Shared secret secure under Diffie-Hellman Problem (DHP): 𝑕, 𝑕 𝑏 , 𝑕 𝑐 ↦ 𝑕 𝑏𝑐 β€’ Fundamental operation in DH is group exponentiation: 𝑕, 𝑦 ↦ 𝑕 𝑦 … done via β€œsquare -and- multiply”, e.g., 𝑦 2 = 1,0,1,1,0,0,0,1 … β€’ We are working β€œ mod π‘Ÿ ”, but only with one ope peration tion: multiplication β€’ Main reason for fields being so big: (sub-exponential) index calculus attacks!

  8. DH key exchange (Koblitz-Miller style) If all we need is a group, why not use elliptic curve groups? Rationale: β€œit is extremely unlikely that an index calculus attack on the elliptic curve method will ever be able to work” [Miller, 85]

  9. Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4: Next-generation ECC

  10. Some good references Elliptic Silverman’s talk: β€œAn Introduction to the Theory of Elliptic Curves” curves http://www.math.brown.edu/~jhs/Presentations/WyomingEllipticCurve.pdf Elliptic Sutherland’s MIT course on elliptic curves: curves https://math.mit.edu/classes/18.783/2015/lectures.html ECC Koblitz-Menezes: ECC: the serpentine course of a paradigm shift http://eprint.iacr.org/2008/390.pdf

  11. group (G, + ) can do + βˆ’ ring (R, + , Γ— ) can do + βˆ’ Γ— can do + βˆ’ Γ— Γ· field (F, + , Γ— )

  12. If you’ve never seen an elliptic curve before.... Remember: an elliptic curve is a group defined over a field elliptic curve group ( 𝐹 , βŠ• ) can do βŠ• βŠ– underlying field ( 𝐿 , + , Γ— ) can do + βˆ’ Γ— Γ· operations in underlying field are used and combined to compute the elliptic curve operation βŠ•

Recommend

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views β€’ 17 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views β€’ 29 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views β€’ 76 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views β€’ 5 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views β€’ 18 slides
Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

491 views β€’ 32 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views β€’ 16 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views β€’ 16 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views β€’ 30 slides
A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March 21 st , 2016 1/13 A Brief Introduction to Elliptic Curve Cryptography Elliptic Curve 2/13 A

385 views β€’ 13 slides
Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

456 views β€’ 18 slides
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views β€’ 143 slides
Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S.

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S.

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S. Miller IDA Center for Communications Research Princeton, NJ 08540 USA 24 May, 2007 Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May,

1.08k views β€’ 69 slides
Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview Bitcoin Transactions Elliptic Curve Cryptography Introduction Arithmetics Signature Bitcoin, the protocol A blockchain Each

992 views β€’ 52 slides
Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May 19, 2017 university-logo-isi Rana Barua Introduction to Elliptic Curve Cryptography ElGamal Public Key Cryptosystem, 1984 Key Generation: Choose

417 views β€’ 16 slides
Should Elliptic Curve Cryptography Really be Deprecated? Connor Adsit cda8519@rit.edu May 13,

Should Elliptic Curve Cryptography Really be Deprecated? Connor Adsit cda8519@rit.edu May 13,

Should Elliptic Curve Cryptography Really be Deprecated? Connor Adsit cda8519@rit.edu May 13, 2016 Objectives Suite B Cryptography The controversial NSA statement A brief history of ECC (and the NSAs involvement) Why would

351 views β€’ 17 slides
ECC mod 8^91+5 especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown,

ECC mod 8^91+5 especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown,

ECC mod 8^91+5 especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown, BlackBerry CFRG, Prague, 2017 July 18 2y 2 =x 3 +x/GF(8 91 +5) Simplest secure and fast ECC ? Benefits of Galois field size 8 91 +5 for ECC Feature

285 views β€’ 12 slides
The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point

The AGM- X 0 ( N ) Algorithm Heegner point lifting with application to elliptic curve point counting David R. Kohel School of Mathematics and Statistics University of Sydney I Elliptic Curves in Cryptography An elliptic curve E/ F p r for

415 views β€’ 18 slides
Exploiting dummy codes in Elliptic Curve Cryptography Andy Russon 4 June 2020 2/20 About me

Exploiting dummy codes in Elliptic Curve Cryptography Andy Russon 4 June 2020 2/20 About me

Exploiting dummy codes in Elliptic Curve Cryptography Andy Russon 4 June 2020 2/20 About me PhD thesis on elliptic curves Orange, and Universit de Rennes 1 Risk assessment and audit Interest: challenges (root-me, CryptoHack), korean

1.15k views β€’ 54 slides
SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve

SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve

SafeCurves: Cryptography choosing safe curves for Public-key signatures: elliptic-curve cryptography e.g., RSA, DSA, ECDSA. Daniel J. Bernstein Some uses: signed OS updates, University of Illinois at Chicago & SSL certificates,

1.85k views β€’ 165 slides
Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on

Elliptic Curves over Q Peter Birkner Technische Universiteit Eindhoven DIAMANT Summer School on Elliptic and Hyperelliptic Curve Cryptography 16 September 2008 What is an elliptic curve? (1) An elliptic curve E over a field k in Weierstra

298 views β€’ 25 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views β€’ 188 slides
Elliptic Curve Cryptography in Bitcoin Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of

Elliptic Curve Cryptography in Bitcoin Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of

Elliptic Curve Cryptography in Bitcoin Saravanan Vijayakumaran sarva@ee.iitb.ac.in Department of Electrical Engineering Indian Institute of Technology Bombay August 8, 2019 1 / 31 Group Theory Recap Groups Definition A set G with a binary

447 views β€’ 31 slides
Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime

Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime

Four Q on FPGA: New Hardware Speed Records for Elliptic Curve Cryptography over Large Prime Characteristic Fields K. Jrvinen 1 , A. Miele 2 , R. Azarderakhsh 3 , and P . Longa 4 1 Aalto University 2 Intel Corporation 3 Rochester Institute of

831 views β€’ 81 slides

More recommend