Unformatted text preview: Elliptic Curve Cryptography Cryptography and Network Security
TECH 6350 Session 6 Elliptic Curve
Cryptography
Manuel Mogollon
[email protected] Graduate School of Management
Information Assurance
University of Dallas 0 Elliptic Curve Cryptography Session 6 – Contents
• Elliptic Curve (EC) Concepts
• Finite Fields
• Selecting an Elliptic Curve
• Cryptography Using EC
• Digital Signature Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 1 M. Mogollon – 01/08  1 1 Elliptic Curve Cryptography What is Elliptic Curve Cryptography?
• elliptic curve cryptography / (abbr. ECC) (1) an encryption
system that uses the properties of elliptic curve and
provides the same functionality of other public key
cryptosystems; (2) A public key crypto system that
provides, bitbybit key size, the highest strength of any
cryptosystem known today. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 2 M. Mogollon – 01/08  2 • ECC is an encryption system that uses the properties of elliptic curves to provide the same
functionality of other publickey cryptosystems such as encryption, key agreements, and digital
signatures. Bitbybit key size, elliptic curve cryptosystem provides the greatest security of any
cryptosystem known today.
• Elliptic curve cryptography was independently introduced in 1985 by Victor Miller and Neal
Koblitz and has become an essential publickey system in electronic banking and financial
institutions. 2 Elliptic Curve Cryptography ECC Applications
• ECC with 160bit key size offers the same level of
security as RSA with 1024bit key size. • Smaller key size provides • Which leads to Storage efficiencies Higher speeds Bandwidth savings Lower power consumptions Computational efficiencies Code size reductions • ECC implementation is beneficial in applications where
bandwidth, processing capacity, power availability, or
storage are constrained. • ECC includes key distribution, encryption, and digital
signatures.
Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 3 M. Mogollon – 01/08  3 • ECC with 160bit key size offers the same level of security as RSA with 1024bit key size.
• The efficiency of an algorithm is measured by the scarce resources it consumes.
• ECC implementation is beneficial in applications where bandwidth, processing capacity, power
availability, or storage are constrained.
• ECC’s smaller key size and unmatched level of security ranks it above other public systems such
as RSA and DSS. ECC’s properties make it a good choice for smart card applications.
• ECC offers similar security to established publickey cryptosystems with reduced key sizes and
is especially useful in applications for which memory, bandwidth, or computational power is
limited.
• ECC includes key distribution, encryption, and digital signatures. 3 Elliptic Curve Cryptography ECC Applications
• Applications requiring intensive publickey operations.
Web servers. • Applications with limited power, computational power,
speed transfer, memory storage, or bandwidth.
Wireless communications
PDAs • Applications rigid constrains on processing power,
parameter storage, and code space.
Smart card and tokens. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 4 M. Mogollon – 01/08  4 • There are several standards for elliptic curve cryptography.
• IEEE P1363 – This standard specifies common publickey cryptographic techniques,
including elliptic curve cryptography.
• ANSI X9 – An ANSIaccredited standards committee for the financial services industry has
developed two elliptic curve standards: ANSI X9.62 for digital signatures and ANSI X9.63
for key agreement and key transport.
• IETF – The OAKLEY Key Determination Protocol RFC 2412 includes elliptic curve groups
over the field F2m. RFC 2412 provides group identifier, GRP, only for elliptic curve groups
over F2155, and F2185.
• FIPS 186.2 – The Digital Signature Standard (DSS) 4 Elliptic Curve Cryptography Elliptic Curves
• Examples of plane curves are:
Lines (2x + y = a)
Conic sections (3x2 + 5y2 = a)
Cubic curves (y2 + xy = x3 + ax2 + b), which include elliptic curves. • Elliptic Curve Cryptography uses plane curves, which
are sets of points satisfying the equation F (x, y) = 0. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 5 M. Mogollon – 01/08  5 • An elliptic curve E, is the set of solutions {x; y} of an equation y2 = f (x), where f (x) = x3 + . . . is
a polynomial of degree three. E is defined over the rational numbers q; that is, the coefficients of
f are in q. Elliptic curves are not ellipses.
• Elliptic curve cryptography uses plane curves, which are sets of points satisfying the equation F
(x, y) = 0. Examples of plane curves are lines (2x + y = a), conic sections (3x2 + 5y2 = a), and
cubic curves (y2 + xy = x3 + ax2 + b), which include elliptic curves. 5 Elliptic Curve Cryptography Finite Fields
• Finite fields are fields that are finite.
• A field is a set F in which the usual mathematical operations
(addition, subtraction, multiplication, and division by nonzero
quantities) are possible; these operations follow the usual
commutative, associative, and distributive laws. • Rational numbers (fractions), real numbers, and complex numbers
are elements of infinite fields. • A discrete logarithm (DL) and elliptic curve (EC) cryptography
schemes are always based on computations in a finite field in which
there are only a finite number of quantities. • For cryptography applications, the finite fields that are usually used
are the field of characteristic (congruences). • The finite field used in DL and EC are the field of prime characteristic Fp and the field of characteristic two F2m. The finite
field is also denoted as GF(q). Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 6 M. Mogollon – 01/08  6 • A field is a set F in which the usual mathematical operations (addition, subtraction,
multiplication, and division by nonzero quantities) are possible; these operations follow the usual
commutative, associative, and distributive laws. Rational numbers (fractions), real numbers,
complex numbers, and the integer modulo n are elements of infinite fields. The mathematical
operations in a field are multiplication and addition, meaning that for them, the additive inverse
is subtraction and the multiplicative inverse is division.
• Finite fields are fields that are finite. Fq denotes a field that has a finite number q of elements.
• Discrete Logarithm Cryptography (DLC), which includes Finite Field Cryptography (FFC) and
Elliptic Curve Cryptography (ECC), requires that the public and privatekey pairs be generated
within a finite field. For cryptography applications, the finite fields that are usually used in ECC
and in FFC are the fields of characteristic Fp and the fields of characteristic two F2m. The finite
field is also denoted as GF(q). 6 Elliptic Curve Cryptography Finite Fields
• Characteristic Prime Finite Fields
The finite field Fp is the prime finite field containing p elements. If p is
an odd prime number, then there is a unique field Fp that consists of
the set of integers
{0, 1, 2 ,..., p – 1}. • Characteristic Two Finite Fields
A characteristic two finite field (also known as a binary finite field) is a
finite field whose number of elements is 2m. If m is a positive integer
greater than 1, the binary finite field F2m consists of the 2m possible bit
strings of length m.
For example, F23 = {000, 001, 010, 011, 100, 101, 110, 111} Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 7 M. Mogollon – 01/08  7 • Characteristic Prime Finite Fields
• The finite field Fp is the prime finite field containing p elements. If p is an odd prime number, then there
is a unique field Fp that consists of the set of integers {0, 1, 2, ..., p – 1} with the following arithmetic
operations:
• Addition: If , a , b ∈ F p then a + b ≡ r mod p
• Multiplication: If , a, b ∈ F p then a * b ≡ r mod p
• Inversion: If a is a nonzero element in Fp, the inverse of a modulo p, denoted as a1, is the unique
integer c ∈ F p for which . a * c ≡ 1 mod p
• Characteristic Two Finite Fields
• A characteristic two finite field (also known as a binary finite field) is a finite field whose number of
elements is 2m. If m is a positive integer greater than 1, the binary finite field F2m consists of the 2m
possible bit strings of length m.
• Thus, for example, F23 = {000, 001, 010, 011, 100, 101, 110, 111}. The integer m is the degree of the
field.
• A way to represent the elements of F2 m is by the set of binary polynomials of degree m: {am −1 x m −1 + am − 2 x m − 2 + .......... + a1 x + a0 : ai ∈ {0,1}} • The following operations are defined in the elements of :
F2 m
• Addition: . This is equivalent to bitwise exclusive OR (XOR).
• Multiplication: Multiplication is done using polynomials.
For example, if f(x) = x4 + x + 1, a = x3 + x2 + 1, and b = x3 + 1,
then, r = a * b = (x3 + x2 + 1) * ( x3 + 1 ) = x6 + x5 + x2 + 1 mod (x4 + x +1) = x3 + x2 + x + 1
• Inversion: If a is a nonzero bit stream element in F m , the inverse of a, denoted as a1, is the unique
2
integer c ∈ F m for which a * c ≡ 1 .
2 7 Elliptic Curve Cryptography Group Fields in EC
• There are two essential properties of group fields when
they are used in elliptic curve cryptography:
A group should have a finite number of points. An elliptic curve has
infinite number of points, but an elliptic curve over Fq has a finite
number of elements.
The operation that is used should be easy to compute but very difficult
and time consuming to reverse. • The scalar integer multiplication of an elliptic curve
point, P, which is defined as the repeated addition of the
point with itself, Q = kP, is an operation that is easy to
compute but very difficult and time consuming to
reverse. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 8 M. Mogollon – 01/08  8 8 Elliptic Curve Cryptography Elliptic Curve Equations
• There are several ways of defining equations for elliptic
curves, but the most common are the Weierstrass
equations. • ECC may be implemented over Fq, where q is an odd
prime p, or 2m. • If ECC is implemented over Fp, the following equation is
used: y 2 = x 3 + ax + b • If ECC is implemented over F2m, the following equation is
used: Elliptic Curve y 2 + xy = x 3 + ax 2 + b
EC Arithmetic EC Points EC Public Key EC Cryptography 9 M. Mogollon – 01/08  9 • There are several ways of defining equations for elliptic curves, but the most commonly used are
the Weierstrass equations. The following elliptic curves over the field of rational numbers are
nonsingular cubic curves in Weierstrass form with rational coefficients:
y 2 + xy = x 3 + ax 2 + b and
y 2 = x 3 + ax + b
• In cryptography, the elliptic curves of interest are those defined over finite fields. That is, the
coefficients of the defining equation F (x, y) = 0 are elements of Fq, and the points on the curve
are of the form P = (x, y), where x and y are elements of Fq .
• An elliptic curve E defined over Fq is a set of points P = (xP, yP), where xP and yP are elements of
Fq that satisfy a certain equation, together with the point at infinity denoted by O.
• Elliptic curves are specified by two field elements, a ∈ Fq and, b ∈ Fq called the coefficients of
E.
• The field elements xP and yP are called the xcoordinate of P and the ycoordinate of P,
respectively.
• Fq could be of the form Fp, which is the finite field containing q = p elements, where p is a prime
and m is a positive integer, or F2m which is the finite field containing q = 2m elements. 9 Elliptic Curve Cryptography Elliptic Curve Arithmetic
Point Addition in Fp
• The group law is defined by P + Q – R = 0; therefore, P + Q = R, where the negative
of the point R(x, y) is the point R (x, –y). • Given two points on the curve P and Q, the line through them meets the curve at a
third point R. The reflection of R gives the point R, which is equal to P + Q. • The tangent line through P gives the point – R.
E: y2 = x3  9x + 6 E: y2 = x3  9x + 6 R
P (0.0, 2.45)
Q (3.24, 1.17)
R (4.49, 7.47)
R (4.49, 7.49)
P + Q = R = (4.49, 7.49) P P (0.0, 2.45)
R (3.38, 3.76)
R (3.38, 3.76)
2P = R = (3.38, 3.76)
R
P Q
R R Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 10 M. Mogollon – 01/08  10 10 Elliptic Curve Cryptography Elliptic Curve Arithmetic
• Doubling a Point in Fp
Provided that y P ≠ 0
then,
where P ( x P , yP ) + P ( x P , yP ) = R ( x R , yR )
x R ≡ λ 2 − 2 x P mod p y R ≡ λ ( x P − x R ) − y P mod p
and λ≡ 2 (3 x P + a )
mod p
(2 y P ) λ is the slope of the line through P(xP , yP). Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 11 M. Mogollon – 01/08  11 • The addition of two points is similar to the addition of two points in plane geometry. 11 Elliptic Curve Cryptography Elliptic Curves Arithmetic
• Point Addition in Fp
Similar to the addition of two points in plane geometry. For
then, P ( x P , yP ) + Q ( xQ , yQ ) = R ( x R , yR )
where P ≠ ±Q x R ≡ λ 2 − x P − x Q mod p y R ≡ λ ( x P − x R ) − y P mod p and λ≡ ( yQ − y P )
( xQ − x P ) mod p λ is the slope of the line through P(xP , yP) and Q(xQ , yQ ). Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 12 M. Mogollon – 01/08  12 12 Elliptic Curve Cryptography Elliptic Curve Arithmetic
Point Addition in Fp • Adding P to P. E: y2 = x3  9x + 6 P (1.85, 4.05)
P (1.85, 4.05)
P + (P) = O, the
point at infinity P P Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 13 M. Mogollon – 01/08  13 13 Elliptic Curve Cryptography EC Points Points in the Elliptic Curve
y^2 = x^3 + x + 1 (mod 23)
24
22
20
18
16
14
12
10
8
6
4
2
0
0 2 4 6 8 10 12 14 16 18 20 • The points are symmetric because
in elliptic curves, for every point P,
there must exist another point –P. • The point P(0, 1) generates a
maximal subgroup because it
generates the maximum number of
points, 28 (27 plus the point at
infinity). • The curve order is 28 and is
denoted as #E(Fp).
Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 14 M. Mogollon – 01/08  14 • It is possible to add a point to itself, but there will be a time when adding the point to itself results
in O = kP, the point at infinity. 14 Elliptic Curve Cryptography Point and Curve Order
• For any point in y2 = x3 + x + 1 (mod 23), the value of k such that kP = O
is not always the same. The order of points varies; it can be 28, 14, 7 or
4.
See next slide • The maximum point order is the curve order.
Point Order Point Order Point Order Point Order (0,1) 28 (9,16) 28 (7,11) 14 (13,16) 7 (0,22) 28 (18,3) 28 (7,12) 14 (17,3) 7 (1,7) 28 (18,20) 28 (12,4) 14 (17,20) 7 (1,16) 28 (19,5) 28 (12,19) 14 (11,3) 4 (3,10) 28 (19,18) 28 (5,4) 7 (11,20) 4 (3,13) 28 (6,4) 14 (5,19) 7 (4,0) 1 (infinity) (9,7) 28 (6,19) 14 (13,7) 7 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 15 M. Mogollon – 01/08  15 • The repeated addition of a point to itself, scalar multiplication, generates a new point, Q = kP;
however, there is always a time when adding the point to itself results in O = kP, the point at
infinity. The order of a point P is the smallest positive number k such that kP = O.
• When the point P(0, 1) in E F(23): y2 = x3 + x + 1 is added to itself, the order of the point
P(0,1) is 28, which is the smallest positive number k such that kP = O. The generated points are
27, plus the point at infinity for a total of 28.
• If the order of a point is the maximum, in this case 28, then it is called the curve order and is
denoted as #E(Fq). The order of any point is always a factor of the curve order, #E(Fp ). In this
example, the point orders 14, 7, and 4 are factors of 28.
Hasse’s Theorem, states that the number of points in E(Fq), is in the range p + 1 − 2 p ≤ # E ( Fq ) ≤ p + 1 + 2 p
• According to Koblitz, René Schoof developed an algorithm to calculate the number of points in
E(Fq); this algorithm has been improved by V. Miller, N. Elkies, J. Buchmann, V. Muller, A.
Meneses, L. Charlap, R. Coley and D. Robbins.
• The table above shows the order of a point for each possible starting point in the equation E
F(23): y2 = x3 + x + 1. This is similar to shift registers, not all starting positions will produce a
maximum length.
• In cryptography, when selecting an elliptic curve starting point, you want to select a point that
when add it to itself it will generates the maximum number of points before reaching the point at
infinite. 15 Elliptic Curve Cryptography Point Order Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 16 M. Mogollon – 01/08  16 • In the example above, the point P(7,11) only generates 14 points instead of the maximum 28
points. 16 Elliptic Curve Cryptography Selecting an EC for Cryptography
• There are several procedures to select an elliptic curve for cryptographic purposes.
The following are some of the criteria:
Select a large prime number, p, to be used as the module.
Select the coefficients a and b randomly and define E Fp: y2 = x3 + ax + b.
Calculate the curve order #E(Fq).
Check that #E(Fq) is divisible by a large prime number.
Check that the largest prime divisor of #E(Fq) does not divide qk  1 for k = 1, 2, 3, ……<large
limit>. • Another way to select the elliptic curve is by selecting the curve order first:
Select a large prime number, p, to be used as the module.
Select the curve order, #E(Fp), such that p + 1 − 2 p ≤ # E ( Fq ) ≤ p + 1 + 2 p
Check that #E(Fp) is divisible by a large prime number, r.
Check that r does not divide pv1 for v = 1, 2, 3, ……10.
Use the AtkinMorain algorithm to find parameters a and b in Fp such that the elliptic curve E has an
order of #E(Fp).
Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 17 M. Mogollon – 01/08  17 • When selecting an elliptic curve for cryptography, you have to select first the type of curve.
Either Fp or F2m
• For Fp, use the Weierstrass equation
2
3 y = x + ax + b • For F2m , use the Weierstrass equation y 2 + xy = x 3 + ax 2 + b • Organizations go through the process mentioned above and come out with recommended elliptic
curves suitable for cryptography.
• NIST (Federal Information Processing Standards (FIPS), 2000) recommends a certain set of
elliptic curves for government use. This set of curves can be divided into two classes: curves over
a prime field Fp and curves over a binary field F2m . The curves over Fp are of the form y2 = x3 –
3x + b with b random, while the curves over F2m are either of the form y2 + xy = x3 + x2 + b with
b random or Koblitz curves. A Koblitz curve has the form y2 + xy = x3 + ax2 + 1 with a = 0 or 1. 17 Elliptic Curve Cryptography Selecting a Generator Point
• Select a random point G on
E(Fp) and a large prime
number n that divides #E(Fp). • Check that the nG = O, n being
the point order.
The size of the odd prime
modulus in bits is 15 Curve generated using Cryptomathic on line
generator at
http://www.cryptomathic.com/Default.aspx?ID=
477 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 18 M. Mogollon – 01/08  18 18 Elliptic Curve Cryptography Discrete Logarithmic Problem
• In the multiplicative group Zp* discrete logarithm (DiffieHellman,
ElGamal, DSS), the following is the discrete logarithm problem:
Given elements y and x of the group, and a prime p, find a number k such
that y = xk mod p.
For example, if y = 2, x = 8, and p = 341, then find k such that 2 ≡ 8k mod
341.
In the DiffieHellman discrete logarithm, y is the public key, g is a large
random number, p is the modulo, and k is the private key that the
cryptanalyst is trying to find out. Which one is the correct Private Key?
Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 19 M. Mogollon – 01/08  19 • • • • There are two essential properties of group fields when they are used in elliptic curve
cryptography:
1. A group should have a finite number of points. An elliptic curve has an infinite number of
points, but an elliptic curve over Fq has a finite number of elements.
2. The operation that is used should be easy to compute but very difficult and time consuming
to reverse.
Publickey systems use large finite group properties. For DiffieHellman, ElGamal, DSS, and
RSA, the security depends directly on the relative difficulty of performing two group
operations: discrete logarithms and exponentiation.
In the multiplicative group Zp* discrete logarithm (DiffieHellman, ElGamal, DSS), the
following is the discrete logarithm problem: given elements y and x of the group, and a prime p,
find a number k such that y = xk mod p.
For example, if y = 2, x = 8, and p = 341, then find k such that 2 ≡ 8k mod 341. In the DiffieHellman discrete logarithm, y is the public key, g is a large random number, p is the modulo,
and k is the private key that the cryptanalyst is trying to find out. If the modulo were not
included, it would be easy to solve k by finding logx y, but when the modulo is included, the
logarithm has a different but analogous meaning. This type of logarithm is called discrete to
distinguish it from the classical logarithm. 19 Elliptic Curve Cryptography EC Discrete Logarithmic Problem
• Given an elliptic curve a point P ∈ E ( Fp ) of an order
n, and a point Q ∈ E ( Fp ), determine the integer
k, 0≤ k ≥ n1, such that Q = kP, provided that such
integer k exists.
E ( F p ), • Q is the public key and k is the private key.
• The scalar integer multiplication of an elliptic curve
point, P is defined as the process of adding P to itself k
times. Q = kP is analogous to exponentiation in a
discrete logarithm cryptosystem, i.e., it is an operation
that is easy to compute but very difficult and time
consuming to reverse. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 20 M. Mogollon – 01/08  20 20 Elliptic Curve Cryptography Elliptic Curve PublicKey Cryptography
• The scalar integer multiplication
of an elliptic curve point, P is
defined as the process of adding
P to itself k times. Q = k P. • When the point (0,1) is added to
itself 13 times the result is the
point (9, 16). • Q = k P = 13 * (0,1) = (9,16)
• Select
Q = Public Key = (9,16)
k = Private Key = 13 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 21 M. Mogollon – 01/08  21 • Elliptic Scalar Multiplication
• The elliptic scalar integer multiplication of an elliptic curve point, P, is defined as the process of
adding P to itself k times. This operation is analogous to exponentiation in finite field
cryptography. 21 Elliptic Curve Cryptography Brute Force Attack
• There is not a known algorithm
to attack ECC • Brute force attack
Starting with point (0,1), add (0,1)
to itself until (9,16) is found.
Stop when Q = d P = (9, 16)
The size of the odd prime
modulus in bits is 5. The order of the base point is 28
It would take a system doing a
million addition/sec, 14
microseconds to try 50% of all
possible points. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 22 M. Mogollon – 01/08  22 • NASA’s Advanced Supercomputing (NAS) Division technical report, A Survey of Elliptic Curve
Cryptosystems (Vo, 2003), states that there is no known successful attack of subexponential
time for the ECDLP and lists several of the exhaustive search (brute force) attacks. The most
efficient general algorithms to resolve the ECDLP are Pollardρ and Pollardλ. Pollardρ takes
π n / 2 steps; each step is an elliptic curve addition. According to Certicom SEC1, Pollardλ
takes 2 n steps; according to ANSI X.62, states that Pollard λ takes 3.28 n . Pollardρ has
been improved to require only steps π n / 4 . Both methods can be parallelized so that if r
processors are used, then the expected number of steps is divided by r. In order to avoid an
exhaustive search, n should be greater than 2160.
• For a computer able to do 1 million point additions per second,
Field size
Size of n
Years to
π n/4
(in bits)
(in bits)
Additions
Break
163
160
1.07 * 1024
3.39*1011
191
186
8.77 * 1027
2.78*1015
239
234
1.47 * 1035
4.66*1022
359
354
1.69 * 1053
5.36*1040
64
431
426
1.16 * 10
3.68*1051 22 Elliptic Curve Cryptography Brute Force Attack
• There is not a known algorithm
to attack ECC • Brute force attack
Starting with point P, add P to
itself until Q is found.
Stop when kP = Q
The size of the odd prime
modulus in bits is 161.
Equivalent to RSA 1024 The order of the base point is
1.73*1046
It would take a system doing a
million addition/sec (3.15*1018
additions/year) 1032 years to try
50% of all possible points. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 23 M. Mogollon – 01/08  23 • Figure above shows the parameters of an elliptic curve with a 161bit module generated at
Cryptomathic’s Web site. The order of the curve n is equal to 1.73 * 1046, meaning that the base
point (x, y) can be added to itself: k = 1.73 * 1046 before kP = O. If the Pollardρ algorithm is
used, it is necessary to check = 1.16 * 1023 additions to break the encryption.
For a computer able to do 1 million point additions per second,
Field size
Size of n
π n/4
(in bits)
(in bits)
Additions
163
160
1.07 * 1024
191
186
8.77 * 1027
239
234
1.47 * 1035
359
354
1.69 * 1053
431
426
1.16 * 1064 Years to
Break
3.39*1011
2.78*1015
4.66*1022
5.36*1040
3.68*1051 23 Elliptic Curve Cryptography Breaking the Code
April 27, 2004
Certicom Corp. (TSX: CIC), the authority for strong,
efficient cryptography, today announced that Chris
Monico, an assistant professor at Texas Tech University,
and his team of mathematicians have successfully
solved the Certicom Elliptic Curve Cryptography (ECC)
109bit Challenge. The effort required 2600 computers
and took 17 months. For comparison purposes, the
gross CPU time used would be roughly equivalent to
that of an Athlon XP 3200+ working nonstop for about
1200 years. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 24 M. Mogollon – 01/08  24 • • In 1997, Certicom challenged the crypto community to break
1. Randomly generated curves over F p , where p is prime: ECCp79, ECCp89, ECCp97,
ECCp109, ECCp131, ECCp163, ECCp191, ECCp239, and ECCp359.
2. Randomly generated curves over F2 m , where m is prime: ECC279, ECC289, ECC297,
ECC2109, ECC2131, ECC2163, ECC2191, ECC2238, and ECC2 353.
3. Koblitz curves over F2 m , where m is prime: ECC2K95, ECC2108, ECC2130, ECC2163, ECC2238, and ECC2358.
Certicom announced in 2004 that Chris Monico, an assistant professor at Texas Tech
University, and his team of mathematicians successfully solved Certicom Elliptic Curve
Cryptography (ECC)2 109bit (field characteristic 2) challenge. The effort required 2600
computers and took 17 months. Professor Monico also successfully solve in 2002 Certicom
ECCp109 (prime field) challenge. 24 Elliptic Curve Cryptography Public Key Systems Key Size Comparisons
Blake, Seroussi, and Smart (1999, p9)
compared the two algorithms known to
break ECC and discrete algorithms.
Simplifying the formulas and making several
approximations, they arrived at the following
formula comparing keylength for similar
levels of security: n = β N 1 / 3 (log ( N log 2)) 2 / 3
where β ≈ 4.91. The parameters n and N
are the “key sizes” of ECC and DL
cryptosystems.
Minimum Size of Public keys (Bits) Security
(Bits) Symmetric
Encryption
Algorithm Hash
Algorithm
SHA1 80 SKIPJACK 112 3DES 128 AES128 DiffieHellman and RSA
Modulus Size ECC 1024 2048
SHA256 1024 2048 160
224 3072 3072 256 192 Elliptic Curve AES192 SHA384 7680 7680 384 256 AES256 SHA512 15360 15360 512 EC Arithmetic EC Points EC Public Key EC Cryptography 25 M. Mogollon – 01/08  25 • ECC requires smaller key size in order to offer the same level of security as the RSA.
• For this reason, it is generally accepted that it could be used in smaller devices such as cell
phones and PDAs where processor speed is a premium. 25 Elliptic Curve Cryptography Elliptic Curve
Cryptography Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 26 M. Mogollon – 01/08  26 26 Elliptic Curve Cryptography Domain Parameters
• Parties using elliptic curve cryptography need to share certain
parameter, the “Elliptic Curve Domain Parameters”. • The EC domain parameters may be public; the security of the system
does not rely on these parameters being secret. • The domain consists of six parameters which are calculated differently
for Fp and F2m . It precisely specify an elliptic curve and base point. • The six domain parameters are the following:
T = (q; FR; a, b; G; n; h), in which,
q
Defines the underlying finite field Fq. The field size is defined by the
module, so, q = p or q = 2m ; p>3 should be a prime number.
FR Field representation of the method used for representing field elements in
∈ Fq , either E ( F p ) or E ( F2 m ) .
a, b The coefficients defining the elliptic curve E, elements of Fq.
G A distinguished point, G=(xG ,yG), on an elliptic curve called the base point
or generating point defined by two field elements xG and yG in Fq.
n
The order of the base point G.
h
Called the cofactor, h = #E(Fq)/n, where n is the order of the base point G.
h is normally a small number.
Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 27 M. Mogollon – 01/08  27 • When two parties are going to use elliptic curve cryptography, there are several parameters on
which they should agree, either because they were selected by them or by a third party, such as
NIST (Federal Information Processing Standards (FIPS), 2000) or by Certicom (Standards for
Efficient Cryptography Group (SECG), 2000b). Those parameters are called the Elliptic Curve
Domain Parameters.
• The elliptic curve domain parameters determine the arithmetic operations involved in the publickey cryptographic schemes, Fp and F2m . The domain consists of six parameters which are
calculated differently for Fp and F2m, and which precisely specify an elliptic curve and base
point.
• The domain parameters represent an elliptic curve E and a designated point G on E called the
base point. The base point has order n, a large prime. The number of points on the curve is
#E(Fq) = h . n for some integer h (the cofactor) not divisible by n. For efficiency reasons, it is
desirable to make the cofactor as small as possible. 27 Elliptic Curve Cryptography ECC Cryptography
• Encryption
EC Integrated Encryption Scheme (ECIES)
– Variant of ElGamal publickey encryption
– Proposed by Bellare and Rogaway
– Variant of ElGamal publickey encryption schme
– ANSI X9.63, ISO/IEC 159463, and IEEE P1363a draft
Provably Secure Encryption Curve (PSEC)
– Fujisaki and Okamoto
– Evaluated by NESSIE and CRYPTREC • Key Exchange
StationtoStation Protocol
– Diffie, van Oorschot, and Wiener
– Discrete logarithmbase key agreement
– ANSI X9.63
ECMQV
– Meneses, Qu, and Vanstone
– ANSI X9.63, IEEE 13632000, and ISO/IEC 159463 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 28 M. Mogollon – 01/08  28 28 Elliptic Curve Cryptography ECC Cryptography
• Digital Signature
Elliptic Curve Digital Signature Algorithm (ECDSA)
– Analog to the Digital Signature Algorithm (DSA)
– Secure Hash Algorithm (SHS1)
– ANSI X9.62, FIPS 1862, IEEE13632000 and ISO/IEC 159462
EC Korean Certificatebased Digital Signature Algorithm (ECKCDSA)
– Lim and Lee
– ISO/IEC 159462. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 29 M. Mogollon – 01/08  29 29 Elliptic Curve Cryptography Key Generation
• The public and private keys of an entity A are associated with a particular set of elliptic curve domain parameters (q; FR; a; b; G; n;
h). To generate a key pair, entity Alice does the following:
Selects a random or pseudorandom integer d in the interval [1, n  1].
Computes Q = d * G.
Has Q as public key, PubA, and d as private key, PrivA.
Checks that xG and yG are elements of the elliptic curve equation by
2
3
2
3
calculating yQ ≡ xQ + axQ + b mod p or yQ + xQ yQ = xQ + axQ + b in F2 .
m • Example:
For E(F23): y2 = x3 + x + 1, #E(F23) =28. Then, n=7, since n should be a prime
factor of 28.
The cofactor h is equal to 28 / 7 = 4.
A point with an order of 7 should be selected.
The point G could be (5, 19), one of several points with n = 7. The domain
parameter T = (p; a; b; G; n; h) is T = [23; 1; 1; (5,19); 7, 4 ].
Select d = 4, so Q = 4 (5, 19). (13, 16).
Alice’s public key is PubA = Q = (13, 16) and her private key is PrivA = 4.
Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 30 M. Mogollon – 01/08  30 • Slide 15 shows all the points in the curve y2 = x3 + x + 1 (mod 23) with their point orders. Since
n should be a prime factor of #E(F23), then a point with an order of 7 should be selected. The
cofactor h is equal to 28 / 7 = 4. 30 Elliptic Curve Cryptography ECC ElGamal Encryption
Alice Bob • Let T = (p; a; b; G; n; h) and
Pub A ≡ Priv A ∗ G mod p be T and PubA do not
need to be secret. Alice’s public key. • Bob selects a random number
as his private key and generates
his public key using the same
elliptic curve and G point. • Bob enciphers the message, M, • Alice deciphers the message by
Multiplying her private key PrivA
by (PrivB . G). CM, PubB Subtracting the above result
from M + PrivB . PubA. by doing
CM = [{PrivB* G}, {M + PrivB*PubA }] • Bob sends his PubB and cipher
message to Alice. CM = [{PrivB* G}, {M + PrivB*PubA }]
M = {M + PrivB * PubA } – { PrivA * PrivB * G}
Since PubA = PrivA * G, then,
M = {M + PrivB * (PrivA . G)} – { PrivA * (PrivB * G)} = {M}
Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 31 M. Mogollon – 01/08  31 31 Elliptic Curve Cryptography ECC ElGamal Encryption
Alice
• Let T = [p; a; b; G; n; h)
T = [23; 1; 1; (5,19); 7; 4 ] and
select 6 as the PrivA,
Pub A ≡ 6 ∗ (5, 19) mod 23 Bob
T and PubA do not
need to be secret Multiplying her private key 6 by (17,
20) = (17, 3).
Subtracting the above result from
(1, 0)
M = (1, 0) – (17, 3)
M = (1, 0) + (17, 3) = (8, 20) • The message is the point (8,20).
• Bob enciphers the message by Pub A ≡ (5, 4) mod 23
as the public key. • Alice deciphers the message by • Bob selects 5 as his private key. CM = [{PrivB* G}, {M + PrivB*PubA }]
CM, PubB CM = [{5*(5, 19)}, {(8, 20) + 5* (5, 4)}] • Bob sends his PubB and cipher
message
CM = [(17, 20), (1,0)] to Alice. Note: 6 * (5,19) mod 23 is not (6*5, 6*19) mod 23, but the addition of point
(5,19) six times to itself. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 32 M. Mogollon – 01/08  32 32 Elliptic Curve Cryptography DiffieHellman Key Exchange System
Sender and receiver agree on the
same domain parameters.
T = (p; a; b; G; n; h), does
not need to be secret. Alice T = (p; a; b; G; n; h)
PrivB = Random large
prime integer T = (p; a; b; G; n; h)
PrivA = Random large
prime integer Pub A ≡ Priv A ∗ G mod p Bob PubA PubB PubB ≡ Priv B ∗ G mod p ZZ ≡ Pub A ∗ Priv B ZZ ≡ PubB ∗ Priv A Alice and Bob convert the shared secret value z to an octet string Z
and use Z as the shared secret key for symmetric encryption
algorithms to secure their communications.
Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 33 M. Mogollon – 01/08  33 • In a key agreement scheme, each party combines his own private key with the other party’s
public key to come up with a secret key, which will later be used in a symmetric cryptosystem.
The IEEE P1363 (2007) calls this procedure DL/ECKASDH1, the Discrete Logarithm and
Elliptic Curve Key Agreement Scheme, DiffieHellman, but it is also known as ECDH and
ECDHE (Ephemeral). 33 Elliptic Curve Cryptography DiffieHellman Key Exchange System Bob Alice T = [23; 1; 1; (5,19); 7; 4 ] T = [23; 1; 1; (5,19); 7; 4 ] PubB ≡ 2 ∗ (5, 19 ) mod 23 ≡ (17, 23) mod 23 Pub A ≡ 6 ∗ (5, 19) mod 23 ≡ (5, 4) mod 23 Pub A ≡ Priv A ∗ G mod p PubA PubB PubB ≡ Priv B ∗ G mod p z ≡ PubB ∗ Priv A z ≡ Pub A ∗ Priv B z ≡ (17, 3) ∗ 6 mod 23 ≡ (17, 20) mod 23 z ≡ (5, 4) ∗ 2 mod 23 ≡ (17, 20) mod 23 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 34 M. Mogollon – 01/08  34 34 Elliptic Curve Cryptography ECCDSA Signature Generation
Alice • T = (p; a; b; G; n; h) and
Pub A ≡ Priv A ∗ G mod p Bob
T and PubA do not
need to be secret. is Alice’s public key. • Selects a random integer Verifies Alice’s signature
(r, s) on the message m as
follows: • Computes H(m) and k ∈ [2 , n − 2] c ≡ s −1 mod n • Computes
k * G = ( x1 , y1 ) (r, s) r ≡ x1 mod n • Computes
u1 ≡ H (m ) * c mod n u2 ≡ r * c mod n • Computes
−1 k mod n • Computes • Computes ( x0 , yo ) = u1 * G + u2 * PubA s = k −1 {H ( m ) + Priv A * r} mod n v ≡ x0 mod n • The signature for the
message m is the pair of
integers (r, s).
Elliptic Curve EC Arithmetic • Accepts the signature if v = r.
EC Points EC Public Key EC Cryptography 35 M. Mogollon – 01/08  35 35 Elliptic Curve Cryptography ECCDSA Signature Generation
Alice Bob • Let T = [23; 1; 1; (5,19); 7; 4 ] and
Pub A ≡ 6 ∗ (5, 19) mod 23 ≡ (5, 4) mod 23 • Select k = 3
• Compute ( x1 , y1 ) = k . G = 3 . (5, 19 ) = (13, 7)
r ≡ 13 mod 7 ≡ 6 mod 7 k −1 mod n
mod 7 ≡ − 2 mod 7 ≡ 5 mod 7 • Compute
3 −1 • Compute
s = k −1 {H ( m ) + Priv A . r} mod n
s ≡ 5 (8 + 6 * 6) mod 7 ≡ 220 mod 7 ≡ 3 mod 7 • The signature for the message m
is the pair of integers (r, s), (6, 3). Bob verifies Alice’s signature
(6, 3) on the message m as follows:
• Compute H(m) and c ≡ s −1 mod n
c ≡ 3−1 mod 7 ≡ − 2 mod 7 ≡ 5 mod 7
u1 ≡ H ( m ) * c mod n
• Compute
u2 ≡ r * c mod n
u1 ≡ 8 * 5 mod 7 ≡ 5 mod 7
u2 ≡ 6 * 5 mod 7 ≡ 2 mod 7 • Compute ( x0 , yo ) = u1 * G + u2 * PubA
( x0 , yo ) = 5 * (5, 19) + 2 * (5, 4)
( x0 , yo ) = (17, 20) + (17, 20) = (13, 7) • Compute v ≡ x0 mod n = 13 mod 7 ≡ 6 mod 7 • Accept the signature because
v = 6 mod 7 = r . Elliptic Curve EC Arithmetic In this example, H(m) = 8
EC Points
EC Public Key EC Cryptography 36 M. Mogollon – 01/08  36 36 Elliptic Curve Cryptography Cipher Suite
• There are many algorithms that can be used for encryption, key
exchange, message digest, and authentication; the level of security for
each of these algorithms varies. Establishing a connection between two
entities requires that they tell each other what crypto algorithms they
understand. Normally one of the entities involved in the communication
proposes a list of algorithms, and the other entity selects the algorithms
supported by both. The selected algorithms may not have matching
levels of security, reducing the overall security of the communication. • A cipher suite is a collection of cryptographic algorithms that matches the
level of security of all the algorithms listed in the cipher suite. To enable
secure communications between two entities, they exchange information
about which cipher suites they have in common, and they then use the
cipher suite that offers the highest level of security. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 37 M. Mogollon – 01/08  37 • There are many algorithms that can be used for encryption, key exchange, message digest, and
authentication; the level of security for each of these algorithms varies. Establishing a connection
between two entities requires that they tell each other what crypto algorithms they understand.
Normally one of the entities involved in the communication proposes a list of algorithms, and the
other entity selects the algorithms supported by both. The selected algorithms may not have
matching levels of security, reducing the overall security of the communication.
• A cipher suite is a collection of cryptographic algorithms that matches the level of security of all
the algorithms listed in the cipher suite. To enable secure communications between two entities,
they exchange information about which cipher suites they have in common, and they then use the
cipher suite that offers the highest level of security.
• At the 2005 RSA conference, NSA introduced a common set of elliptic curve cryptographic
algorithms for hashing, digital signatures, and key exchanges with the intention of protecting
both classified and unclassified national security systems and information. NSA’s goal in
introducing Suite B EC Cryptographic Algorithms was to provide a common set of elliptic
curves to developers of commercial products to design products that would be used both in
government and commercially. NSA proposed that Suite B Cryptography include specific
algorithms for Encryption, Key Exchange, Hashing, HMAC, and Galois Counter ModeBased. 37 Elliptic Curve Cryptography To Probe Further
• Hankerson, D., Meneses, A., Vanstone S. (2004). Guide to Elliptic Curve Cryptography. New York:
SpringerVerlag. • Blake, I., Seroussi G., Smart, N. (1999). Elliptic Curves in Cryptography. Cambridge, United Kingdom:
Cambridge University Press. •
• Rosing, M. (1999). Implementing Curve Cryptography. Greenwich, CT: Manning Publications.
Lopez, J., Dahab, R., An overview of Elliptic Curve Cryptography, Institute of computting , State
University of Campinas, sao Paulo Brazil, may 2, 2000. (Retrieved September 26, 2003 from
http://citeseer.nj.nec.com/lop00overview.html) • Brown, M., Cheung, D., Hankerson, D., Lopez, J., Kirkup, M., Menezes, A., PGP in Constrained Wireless
Devices, Proceedings of the 9th USENIX Security Symposium, August 2000. • Certicom Research, Standard for Efficient Cryptograph (SEC 1): Elliptic Curve Cryptograph, September
20, 2000. (Retrieved September 26, 2003 from http://www.secg.org/secg_docs.htm) • Certicom Research, Current PublicKey Crypto Systems, April 1997. (Retrieved on September 20, 2000
from ) • Cryptomathic, Ellipt Curve Online Key Generation at
http://www.cryptomathic.com/labs/ellipticcurvedemo.html#KeyGeneration •
• Certicom Elliptic Curve Tutorial at http://www.certicom.com/index.php?action=ecc,ecc_tutorial
IEEE P1363, Standard Specifications for Public key Cryptography, draft 2000 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 38 M. Mogollon – 01/08  38 38 ...
View
Full Document
 Spring '10
 Mogollon
 Cryptography, Prime number, Publickey cryptography, Elliptic Curve, Elliptic curve cryptography

Click to edit the document details