session_06_elliptic_curve_cryptography_092608

session_06_elliptic_curve_cryptography_092608 - Elliptic...

Info iconThis preview shows page 1. Sign up to view the full content.

View Full Document Right Arrow Icon
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: Elliptic Curve Cryptography Cryptography and Network Security TECH 6350 Session 6 Elliptic Curve Cryptography Manuel Mogollon m_mogollon@verizon.net Graduate School of Management Information Assurance University of Dallas 0 Elliptic Curve Cryptography Session 6 – Contents • Elliptic Curve (EC) Concepts • Finite Fields • Selecting an Elliptic Curve • Cryptography Using EC • Digital Signature Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 1 M. Mogollon – 01/08 - 1 1 Elliptic Curve Cryptography What is Elliptic Curve Cryptography? • elliptic curve cryptography / (abbr. ECC) (1) an encryption system that uses the properties of elliptic curve and provides the same functionality of other public key cryptosystems; (2) A public key crypto system that provides, bit-by-bit key size, the highest strength of any cryptosystem known today. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 2 M. Mogollon – 01/08 - 2 • ECC is an encryption system that uses the properties of elliptic curves to provide the same functionality of other public-key cryptosystems such as encryption, key agreements, and digital signatures. Bit-by-bit key size, elliptic curve crypto-system provides the greatest security of any cryptosystem known today. • Elliptic curve cryptography was independently introduced in 1985 by Victor Miller and Neal Koblitz and has become an essential public-key system in electronic banking and financial institutions. 2 Elliptic Curve Cryptography ECC Applications • ECC with 160-bit key size offers the same level of security as RSA with 1024-bit key size. • Smaller key size provides • Which leads to Storage efficiencies Higher speeds Bandwidth savings Lower power consumptions Computational efficiencies Code size reductions • ECC implementation is beneficial in applications where bandwidth, processing capacity, power availability, or storage are constrained. • ECC includes key distribution, encryption, and digital signatures. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 3 M. Mogollon – 01/08 - 3 • ECC with 160-bit key size offers the same level of security as RSA with 1024-bit key size. • The efficiency of an algorithm is measured by the scarce resources it consumes. • ECC implementation is beneficial in applications where bandwidth, processing capacity, power availability, or storage are constrained. • ECC’s smaller key size and unmatched level of security ranks it above other public systems such as RSA and DSS. ECC’s properties make it a good choice for smart card applications. • ECC offers similar security to established public-key cryptosystems with reduced key sizes and is especially useful in applications for which memory, bandwidth, or computational power is limited. • ECC includes key distribution, encryption, and digital signatures. 3 Elliptic Curve Cryptography ECC Applications • Applications requiring intensive public-key operations. Web servers. • Applications with limited power, computational power, speed transfer, memory storage, or bandwidth. Wireless communications PDAs • Applications rigid constrains on processing power, parameter storage, and code space. Smart card and tokens. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 4 M. Mogollon – 01/08 - 4 • There are several standards for elliptic curve cryptography. • IEEE P1363 – This standard specifies common public-key cryptographic techniques, including elliptic curve cryptography. • ANSI X9 – An ANSI-accredited standards committee for the financial services industry has developed two elliptic curve standards: ANSI X9.62 for digital signatures and ANSI X9.63 for key agreement and key transport. • IETF – The OAKLEY Key Determination Protocol RFC 2412 includes elliptic curve groups over the field F2m. RFC 2412 provides group identifier, GRP, only for elliptic curve groups over F2155, and F2185. • FIPS 186.2 – The Digital Signature Standard (DSS) 4 Elliptic Curve Cryptography Elliptic Curves • Examples of plane curves are: Lines (2x + y = a) Conic sections (3x2 + 5y2 = a) Cubic curves (y2 + xy = x3 + ax2 + b), which include elliptic curves. • Elliptic Curve Cryptography uses plane curves, which are sets of points satisfying the equation F (x, y) = 0. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 5 M. Mogollon – 01/08 - 5 • An elliptic curve E, is the set of solutions {x; y} of an equation y2 = f (x), where f (x) = x3 + . . . is a polynomial of degree three. E is defined over the rational numbers q; that is, the coefficients of f are in q. Elliptic curves are not ellipses. • Elliptic curve cryptography uses plane curves, which are sets of points satisfying the equation F (x, y) = 0. Examples of plane curves are lines (2x + y = a), conic sections (3x2 + 5y2 = a), and cubic curves (y2 + xy = x3 + ax2 + b), which include elliptic curves. 5 Elliptic Curve Cryptography Finite Fields • Finite fields are fields that are finite. • A field is a set F in which the usual mathematical operations (addition, subtraction, multiplication, and division by nonzero quantities) are possible; these operations follow the usual commutative, associative, and distributive laws. • Rational numbers (fractions), real numbers, and complex numbers are elements of infinite fields. • A discrete logarithm (DL) and elliptic curve (EC) cryptography schemes are always based on computations in a finite field in which there are only a finite number of quantities. • For cryptography applications, the finite fields that are usually used are the field of characteristic (congruences). • The finite field used in DL and EC are the field of prime characteristic Fp and the field of characteristic two F2m. The finite field is also denoted as GF(q). Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 6 M. Mogollon – 01/08 - 6 • A field is a set F in which the usual mathematical operations (addition, subtraction, multiplication, and division by nonzero quantities) are possible; these operations follow the usual commutative, associative, and distributive laws. Rational numbers (fractions), real numbers, complex numbers, and the integer modulo n are elements of infinite fields. The mathematical operations in a field are multiplication and addition, meaning that for them, the additive inverse is subtraction and the multiplicative inverse is division. • Finite fields are fields that are finite. Fq denotes a field that has a finite number q of elements. • Discrete Logarithm Cryptography (DLC), which includes Finite Field Cryptography (FFC) and Elliptic Curve Cryptography (ECC), requires that the public- and private-key pairs be generated within a finite field. For cryptography applications, the finite fields that are usually used in ECC and in FFC are the fields of characteristic Fp and the fields of characteristic two F2m. The finite field is also denoted as GF(q). 6 Elliptic Curve Cryptography Finite Fields • Characteristic Prime Finite Fields The finite field Fp is the prime finite field containing p elements. If p is an odd prime number, then there is a unique field Fp that consists of the set of integers {0, 1, 2 ,..., p – 1}. • Characteristic Two Finite Fields A characteristic two finite field (also known as a binary finite field) is a finite field whose number of elements is 2m. If m is a positive integer greater than 1, the binary finite field F2m consists of the 2m possible bit strings of length m. For example, F23 = {000, 001, 010, 011, 100, 101, 110, 111} Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 7 M. Mogollon – 01/08 - 7 • Characteristic Prime Finite Fields • The finite field Fp is the prime finite field containing p elements. If p is an odd prime number, then there is a unique field Fp that consists of the set of integers {0, 1, 2, ..., p – 1} with the following arithmetic operations: • Addition: If , a , b ∈ F p then a + b ≡ r mod p • Multiplication: If , a, b ∈ F p then a * b ≡ r mod p • Inversion: If a is a non-zero element in Fp, the inverse of a modulo p, denoted as a-1, is the unique integer c ∈ F p for which . a * c ≡ 1 mod p • Characteristic Two Finite Fields • A characteristic two finite field (also known as a binary finite field) is a finite field whose number of elements is 2m. If m is a positive integer greater than 1, the binary finite field F2m consists of the 2m possible bit strings of length m. • Thus, for example, F23 = {000, 001, 010, 011, 100, 101, 110, 111}. The integer m is the degree of the field. • A way to represent the elements of F2 m is by the set of binary polynomials of degree m: {am −1 x m −1 + am − 2 x m − 2 + .......... + a1 x + a0 : ai ∈ {0,1}} • The following operations are defined in the elements of : F2 m • Addition: . This is equivalent to bitwise exclusive OR (XOR). • Multiplication: Multiplication is done using polynomials. For example, if f(x) = x4 + x + 1, a = x3 + x2 + 1, and b = x3 + 1, then, r = a * b = (x3 + x2 + 1) * ( x3 + 1 ) = x6 + x5 + x2 + 1 mod (x4 + x +1) = x3 + x2 + x + 1 • Inversion: If a is a non-zero bit stream element in F m , the inverse of a, denoted as a-1, is the unique 2 integer c ∈ F m for which a * c ≡ 1 . 2 7 Elliptic Curve Cryptography Group Fields in EC • There are two essential properties of group fields when they are used in elliptic curve cryptography: A group should have a finite number of points. An elliptic curve has infinite number of points, but an elliptic curve over Fq has a finite number of elements. The operation that is used should be easy to compute but very difficult and time consuming to reverse. • The scalar integer multiplication of an elliptic curve point, P, which is defined as the repeated addition of the point with itself, Q = kP, is an operation that is easy to compute but very difficult and time consuming to reverse. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 8 M. Mogollon – 01/08 - 8 8 Elliptic Curve Cryptography Elliptic Curve Equations • There are several ways of defining equations for elliptic curves, but the most common are the Weierstrass equations. • ECC may be implemented over Fq, where q is an odd prime p, or 2m. • If ECC is implemented over Fp, the following equation is used: y 2 = x 3 + ax + b • If ECC is implemented over F2m, the following equation is used: Elliptic Curve y 2 + xy = x 3 + ax 2 + b EC Arithmetic EC Points EC Public Key EC Cryptography 9 M. Mogollon – 01/08 - 9 • There are several ways of defining equations for elliptic curves, but the most commonly used are the Weierstrass equations. The following elliptic curves over the field of rational numbers are nonsingular cubic curves in Weierstrass form with rational coefficients: y 2 + xy = x 3 + ax 2 + b and y 2 = x 3 + ax + b • In cryptography, the elliptic curves of interest are those defined over finite fields. That is, the coefficients of the defining equation F (x, y) = 0 are elements of Fq, and the points on the curve are of the form P = (x, y), where x and y are elements of Fq . • An elliptic curve E defined over Fq is a set of points P = (xP, yP), where xP and yP are elements of Fq that satisfy a certain equation, together with the point at infinity denoted by O. • Elliptic curves are specified by two field elements, a ∈ Fq and, b ∈ Fq called the coefficients of E. • The field elements xP and yP are called the x-coordinate of P and the y-coordinate of P, respectively. • Fq could be of the form Fp, which is the finite field containing q = p elements, where p is a prime and m is a positive integer, or F2m which is the finite field containing q = 2m elements. 9 Elliptic Curve Cryptography Elliptic Curve Arithmetic Point Addition in Fp • The group law is defined by P + Q – R = 0; therefore, P + Q = R, where the negative of the point R(x, y) is the point R (x, –y). • Given two points on the curve P and Q, the line through them meets the curve at a third point R. The reflection of R gives the point R, which is equal to P + Q. • The tangent line through P gives the point – R. E: y2 = x3 - 9x + 6 E: y2 = x3 - 9x + 6 -R P (0.0, 2.45) Q (-3.24, -1.17) -R (4.49, 7.47) R (4.49, -7.49) P + Q = R = (4.49, -7.49) P P (0.0, 2.45) -R (3.38, -3.76) R (3.38, 3.76) 2P = R = (3.38, 3.76) R P Q -R R Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 10 M. Mogollon – 01/08 - 10 10 Elliptic Curve Cryptography Elliptic Curve Arithmetic • Doubling a Point in Fp Provided that y P ≠ 0 then, where P ( x P , yP ) + P ( x P , yP ) = R ( x R , yR ) x R ≡ λ 2 − 2 x P mod p y R ≡ λ ( x P − x R ) − y P mod p and λ≡ 2 (3 x P + a ) mod p (2 y P ) λ is the slope of the line through P(xP , yP). Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 11 M. Mogollon – 01/08 - 11 • The addition of two points is similar to the addition of two points in plane geometry. 11 Elliptic Curve Cryptography Elliptic Curves Arithmetic • Point Addition in Fp Similar to the addition of two points in plane geometry. For then, P ( x P , yP ) + Q ( xQ , yQ ) = R ( x R , yR ) where P ≠ ±Q x R ≡ λ 2 − x P − x Q mod p y R ≡ λ ( x P − x R ) − y P mod p and λ≡ ( yQ − y P ) ( xQ − x P ) mod p λ is the slope of the line through P(xP , yP) and Q(xQ , yQ ). Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 12 M. Mogollon – 01/08 - 12 12 Elliptic Curve Cryptography Elliptic Curve Arithmetic Point Addition in Fp • Adding P to -P. E: y2 = x3 - 9x + 6 P (-1.85, 4.05) -P (-1.85, -4.05) P + (-P) = O, the point at infinity P -P Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 13 M. Mogollon – 01/08 - 13 13 Elliptic Curve Cryptography EC Points Points in the Elliptic Curve y^2 = x^3 + x + 1 (mod 23) 24 22 20 18 16 14 12 10 8 6 4 2 0 0 2 4 6 8 10 12 14 16 18 20 • The points are symmetric because in elliptic curves, for every point P, there must exist another point –P. • The point P(0, 1) generates a maximal subgroup because it generates the maximum number of points, 28 (27 plus the point at infinity). • The curve order is 28 and is denoted as #E(Fp). Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 14 M. Mogollon – 01/08 - 14 • It is possible to add a point to itself, but there will be a time when adding the point to itself results in O = kP, the point at infinity. 14 Elliptic Curve Cryptography Point and Curve Order • For any point in y2 = x3 + x + 1 (mod 23), the value of k such that kP = O is not always the same. The order of points varies; it can be 28, 14, 7 or 4. See next slide • The maximum point order is the curve order. Point Order Point Order Point Order Point Order (0,1) 28 (9,16) 28 (7,11) 14 (13,16) 7 (0,22) 28 (18,3) 28 (7,12) 14 (17,3) 7 (1,7) 28 (18,20) 28 (12,4) 14 (17,20) 7 (1,16) 28 (19,5) 28 (12,19) 14 (11,3) 4 (3,10) 28 (19,18) 28 (5,4) 7 (11,20) 4 (3,13) 28 (6,4) 14 (5,19) 7 (4,0) 1 (infinity) (9,7) 28 (6,19) 14 (13,7) 7 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 15 M. Mogollon – 01/08 - 15 • The repeated addition of a point to itself, scalar multiplication, generates a new point, Q = kP; however, there is always a time when adding the point to itself results in O = kP, the point at infinity. The order of a point P is the smallest positive number k such that kP = O. • When the point P(0, 1) in E F(23): y2 = x3 + x + 1 is added to itself, the order of the point P(0,1) is 28, which is the smallest positive number k such that kP = O. The generated points are 27, plus the point at infinity for a total of 28. • If the order of a point is the maximum, in this case 28, then it is called the curve order and is denoted as #E(Fq). The order of any point is always a factor of the curve order, #E(Fp ). In this example, the point orders 14, 7, and 4 are factors of 28. Hasse’s Theorem, states that the number of points in E(Fq), is in the range p + 1 − 2 p ≤ # E ( Fq ) ≤ p + 1 + 2 p • According to Koblitz, René Schoof developed an algorithm to calculate the number of points in E(Fq); this algorithm has been improved by V. Miller, N. Elkies, J. Buchmann, V. Muller, A. Meneses, L. Charlap, R. Coley and D. Robbins. • The table above shows the order of a point for each possible starting point in the equation E F(23): y2 = x3 + x + 1. This is similar to shift registers, not all starting positions will produce a maximum length. • In cryptography, when selecting an elliptic curve starting point, you want to select a point that when add it to itself it will generates the maximum number of points before reaching the point at infinite. 15 Elliptic Curve Cryptography Point Order Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 16 M. Mogollon – 01/08 - 16 • In the example above, the point P(7,11) only generates 14 points instead of the maximum 28 points. 16 Elliptic Curve Cryptography Selecting an EC for Cryptography • There are several procedures to select an elliptic curve for cryptographic purposes. The following are some of the criteria: Select a large prime number, p, to be used as the module. Select the coefficients a and b randomly and define E Fp: y2 = x3 + ax + b. Calculate the curve order #E(Fq). Check that #E(Fq) is divisible by a large prime number. Check that the largest prime divisor of #E(Fq) does not divide qk - 1 for k = 1, 2, 3, ……<large limit>. • Another way to select the elliptic curve is by selecting the curve order first: Select a large prime number, p, to be used as the module. Select the curve order, #E(Fp), such that p + 1 − 2 p ≤ # E ( Fq ) ≤ p + 1 + 2 p Check that #E(Fp) is divisible by a large prime number, r. Check that r does not divide pv-1 for v = 1, 2, 3, ……10. Use the Atkin-Morain algorithm to find parameters a and b in Fp such that the elliptic curve E has an order of #E(Fp). Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 17 M. Mogollon – 01/08 - 17 • When selecting an elliptic curve for cryptography, you have to select first the type of curve. Either Fp or F2m • For Fp, use the Weierstrass equation 2 3 y = x + ax + b • For F2m , use the Weierstrass equation y 2 + xy = x 3 + ax 2 + b • Organizations go through the process mentioned above and come out with recommended elliptic curves suitable for cryptography. • NIST (Federal Information Processing Standards (FIPS), 2000) recommends a certain set of elliptic curves for government use. This set of curves can be divided into two classes: curves over a prime field Fp and curves over a binary field F2m . The curves over Fp are of the form y2 = x3 – 3x + b with b random, while the curves over F2m are either of the form y2 + xy = x3 + x2 + b with b random or Koblitz curves. A Koblitz curve has the form y2 + xy = x3 + ax2 + 1 with a = 0 or 1. 17 Elliptic Curve Cryptography Selecting a Generator Point • Select a random point G on E(Fp) and a large prime number n that divides #E(Fp). • Check that the nG = O, n being the point order. The size of the odd prime modulus in bits is 15 Curve generated using Cryptomathic on line generator at http://www.cryptomathic.com/Default.aspx?ID= 477 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 18 M. Mogollon – 01/08 - 18 18 Elliptic Curve Cryptography Discrete Logarithmic Problem • In the multiplicative group Zp* discrete logarithm (Diffie-Hellman, ElGamal, DSS), the following is the discrete logarithm problem: Given elements y and x of the group, and a prime p, find a number k such that y = xk mod p. For example, if y = 2, x = 8, and p = 341, then find k such that 2 ≡ 8k mod 341. In the Diffie-Hellman discrete logarithm, y is the public key, g is a large random number, p is the modulo, and k is the private key that the cryptanalyst is trying to find out. Which one is the correct Private Key? Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 19 M. Mogollon – 01/08 - 19 • • • • There are two essential properties of group fields when they are used in elliptic curve cryptography: 1. A group should have a finite number of points. An elliptic curve has an infinite number of points, but an elliptic curve over Fq has a finite number of elements. 2. The operation that is used should be easy to compute but very difficult and time consuming to reverse. Public-key systems use large finite group properties. For Diffie-Hellman, ElGamal, DSS, and RSA, the security depends directly on the relative difficulty of performing two group operations: discrete logarithms and exponentiation. In the multiplicative group Zp* discrete logarithm (Diffie-Hellman, ElGamal, DSS), the following is the discrete logarithm problem: given elements y and x of the group, and a prime p, find a number k such that y = xk mod p. For example, if y = 2, x = 8, and p = 341, then find k such that 2 ≡ 8k mod 341. In the DiffieHellman discrete logarithm, y is the public key, g is a large random number, p is the modulo, and k is the private key that the cryptanalyst is trying to find out. If the modulo were not included, it would be easy to solve k by finding logx y, but when the modulo is included, the logarithm has a different but analogous meaning. This type of logarithm is called discrete to distinguish it from the classical logarithm. 19 Elliptic Curve Cryptography EC Discrete Logarithmic Problem • Given an elliptic curve a point P ∈ E ( Fp ) of an order n, and a point Q ∈ E ( Fp ), determine the integer k, 0≤ k ≥ n-1, such that Q = kP, provided that such integer k exists. E ( F p ), • Q is the public key and k is the private key. • The scalar integer multiplication of an elliptic curve point, P is defined as the process of adding P to itself k times. Q = kP is analogous to exponentiation in a discrete logarithm cryptosystem, i.e., it is an operation that is easy to compute but very difficult and time consuming to reverse. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 20 M. Mogollon – 01/08 - 20 20 Elliptic Curve Cryptography Elliptic Curve Public-Key Cryptography • The scalar integer multiplication of an elliptic curve point, P is defined as the process of adding P to itself k times. Q = k P. • When the point (0,1) is added to itself 13 times the result is the point (9, 16). • Q = k P = 13 * (0,1) = (9,16) • Select Q = Public Key = (9,16) k = Private Key = 13 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 21 M. Mogollon – 01/08 - 21 • Elliptic Scalar Multiplication • The elliptic scalar integer multiplication of an elliptic curve point, P, is defined as the process of adding P to itself k times. This operation is analogous to exponentiation in finite field cryptography. 21 Elliptic Curve Cryptography Brute Force Attack • There is not a known algorithm to attack ECC • Brute force attack Starting with point (0,1), add (0,1) to itself until (9,16) is found. Stop when Q = d P = (9, 16) The size of the odd prime modulus in bits is 5. The order of the base point is 28 It would take a system doing a million addition/sec, 14 microseconds to try 50% of all possible points. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 22 M. Mogollon – 01/08 - 22 • NASA’s Advanced Supercomputing (NAS) Division technical report, A Survey of Elliptic Curve Cryptosystems (Vo, 2003), states that there is no known successful attack of sub-exponential time for the ECDLP and lists several of the exhaustive search (brute force) attacks. The most efficient general algorithms to resolve the ECDLP are Pollard-ρ and Pollard-λ. Pollard-ρ takes π n / 2 steps; each step is an elliptic curve addition. According to Certicom SEC1, Pollard-λ takes 2 n steps; according to ANSI X.62, states that Pollard- λ takes 3.28 n . Pollard-ρ has been improved to require only steps π n / 4 . Both methods can be parallelized so that if r processors are used, then the expected number of steps is divided by r. In order to avoid an exhaustive search, n should be greater than 2160. • For a computer able to do 1 million point additions per second, Field size Size of n Years to π n/4 (in bits) (in bits) Additions Break 163 160 1.07 * 1024 3.39*1011 191 186 8.77 * 1027 2.78*1015 239 234 1.47 * 1035 4.66*1022 359 354 1.69 * 1053 5.36*1040 64 431 426 1.16 * 10 3.68*1051 22 Elliptic Curve Cryptography Brute Force Attack • There is not a known algorithm to attack ECC • Brute force attack Starting with point P, add P to itself until Q is found. Stop when kP = Q The size of the odd prime modulus in bits is 161. Equivalent to RSA 1024 The order of the base point is 1.73*1046 It would take a system doing a million addition/sec (3.15*1018 additions/year) 1032 years to try 50% of all possible points. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 23 M. Mogollon – 01/08 - 23 • Figure above shows the parameters of an elliptic curve with a 161-bit module generated at Cryptomathic’s Web site. The order of the curve n is equal to 1.73 * 1046, meaning that the base point (x, y) can be added to itself: k = 1.73 * 1046 before kP = O. If the Pollard-ρ algorithm is used, it is necessary to check = 1.16 * 1023 additions to break the encryption. For a computer able to do 1 million point additions per second, Field size Size of n π n/4 (in bits) (in bits) Additions 163 160 1.07 * 1024 191 186 8.77 * 1027 239 234 1.47 * 1035 359 354 1.69 * 1053 431 426 1.16 * 1064 Years to Break 3.39*1011 2.78*1015 4.66*1022 5.36*1040 3.68*1051 23 Elliptic Curve Cryptography Breaking the Code April 27, 2004 Certicom Corp. (TSX: CIC), the authority for strong, efficient cryptography, today announced that Chris Monico, an assistant professor at Texas Tech University, and his team of mathematicians have successfully solved the Certicom Elliptic Curve Cryptography (ECC) 109-bit Challenge. The effort required 2600 computers and took 17 months. For comparison purposes, the gross CPU time used would be roughly equivalent to that of an Athlon XP 3200+ working nonstop for about 1200 years. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 24 M. Mogollon – 01/08 - 24 • • In 1997, Certicom challenged the crypto community to break 1. Randomly generated curves over F p , where p is prime: ECCp-79, ECCp-89, ECCp-97, ECCp-109, ECCp-131, ECCp-163, ECCp-191, ECCp-239, and ECCp-359. 2. Randomly generated curves over F2 m , where m is prime: ECC2-79, ECC2-89, ECC2-97, ECC2-109, ECC2-131, ECC2-163, ECC2-191, ECC2-238, and ECC2- 353. 3. Koblitz curves over F2 m , where m is prime: ECC2K-95, ECC2-108, ECC2-130, ECC2163, ECC2-238, and ECC2-358. Certicom announced in 2004 that Chris Monico, an assistant professor at Texas Tech University, and his team of mathematicians successfully solved Certicom Elliptic Curve Cryptography (ECC)2 109-bit (field characteristic 2) challenge. The effort required 2600 computers and took 17 months. Professor Monico also successfully solve in 2002 Certicom ECCp-109 (prime field) challenge. 24 Elliptic Curve Cryptography Public Key Systems Key Size Comparisons Blake, Seroussi, and Smart (1999, p9) compared the two algorithms known to break ECC and discrete algorithms. Simplifying the formulas and making several approximations, they arrived at the following formula comparing key-length for similar levels of security: n = β N 1 / 3 (log ( N log 2)) 2 / 3 where β ≈ 4.91. The parameters n and N are the “key sizes” of ECC and DL cryptosystems. Minimum Size of Public keys (Bits) Security (Bits) Symmetric Encryption Algorithm Hash Algorithm SHA-1 80 SKIPJACK 112 3DES 128 AES-128 Diffie-Hellman and RSA Modulus Size ECC 1024 2048 SHA-256 1024 2048 160 224 3072 3072 256 192 Elliptic Curve AES-192 SHA-384 7680 7680 384 256 AES-256 SHA-512 15360 15360 512 EC Arithmetic EC Points EC Public Key EC Cryptography 25 M. Mogollon – 01/08 - 25 • ECC requires smaller key size in order to offer the same level of security as the RSA. • For this reason, it is generally accepted that it could be used in smaller devices such as cell phones and PDAs where processor speed is a premium. 25 Elliptic Curve Cryptography Elliptic Curve Cryptography Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 26 M. Mogollon – 01/08 - 26 26 Elliptic Curve Cryptography Domain Parameters • Parties using elliptic curve cryptography need to share certain parameter, the “Elliptic Curve Domain Parameters”. • The EC domain parameters may be public; the security of the system does not rely on these parameters being secret. • The domain consists of six parameters which are calculated differently for Fp and F2m . It precisely specify an elliptic curve and base point. • The six domain parameters are the following: T = (q; FR; a, b; G; n; h), in which, q Defines the underlying finite field Fq. The field size is defined by the module, so, q = p or q = 2m ; p>3 should be a prime number. FR Field representation of the method used for representing field elements in ∈ Fq , either E ( F p ) or E ( F2 m ) . a, b The coefficients defining the elliptic curve E, elements of Fq. G A distinguished point, G=(xG ,yG), on an elliptic curve called the base point or generating point defined by two field elements xG and yG in Fq. n The order of the base point G. h Called the cofactor, h = #E(Fq)/n, where n is the order of the base point G. h is normally a small number. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 27 M. Mogollon – 01/08 - 27 • When two parties are going to use elliptic curve cryptography, there are several parameters on which they should agree, either because they were selected by them or by a third party, such as NIST (Federal Information Processing Standards (FIPS), 2000) or by Certicom (Standards for Efficient Cryptography Group (SECG), 2000b). Those parameters are called the Elliptic Curve Domain Parameters. • The elliptic curve domain parameters determine the arithmetic operations involved in the publickey cryptographic schemes, Fp and F2m . The domain consists of six parameters which are calculated differently for Fp and F2m, and which precisely specify an elliptic curve and base point. • The domain parameters represent an elliptic curve E and a designated point G on E called the base point. The base point has order n, a large prime. The number of points on the curve is #E(Fq) = h . n for some integer h (the cofactor) not divisible by n. For efficiency reasons, it is desirable to make the cofactor as small as possible. 27 Elliptic Curve Cryptography ECC Cryptography • Encryption EC Integrated Encryption Scheme (ECIES) – Variant of ElGamal public-key encryption – Proposed by Bellare and Rogaway – Variant of ElGamal public-key encryption schme – ANSI X9.63, ISO/IEC 15946-3, and IEEE P1363a draft Provably Secure Encryption Curve (PSEC) – Fujisaki and Okamoto – Evaluated by NESSIE and CRYPTREC • Key Exchange Station-to-Station Protocol – Diffie, van Oorschot, and Wiener – Discrete logarithm-base key agreement – ANSI X9.63 ECMQV – Meneses, Qu, and Vanstone – ANSI X9.63, IEEE 1363-2000, and ISO/IEC 15946-3 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 28 M. Mogollon – 01/08 - 28 28 Elliptic Curve Cryptography ECC Cryptography • Digital Signature Elliptic Curve Digital Signature Algorithm (ECDSA) – Analog to the Digital Signature Algorithm (DSA) – Secure Hash Algorithm (SHS-1) – ANSI X9.62, FIPS 186-2, IEEE1363-2000 and ISO/IEC 15946-2 EC Korean Certificate-based Digital Signature Algorithm (EC-KCDSA) – Lim and Lee – ISO/IEC 15946-2. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 29 M. Mogollon – 01/08 - 29 29 Elliptic Curve Cryptography Key Generation • The public and private keys of an entity A are associated with a particular set of elliptic curve domain parameters (q; FR; a; b; G; n; h). To generate a key pair, entity Alice does the following: Selects a random or pseudo-random integer d in the interval [1, n - 1]. Computes Q = d * G. Has Q as public key, PubA, and d as private key, PrivA. Checks that xG and yG are elements of the elliptic curve equation by 2 3 2 3 calculating yQ ≡ xQ + axQ + b mod p or yQ + xQ yQ = xQ + axQ + b in F2 . m • Example: For E(F23): y2 = x3 + x + 1, #E(F23) =28. Then, n=7, since n should be a prime factor of 28. The cofactor h is equal to 28 / 7 = 4. A point with an order of 7 should be selected. The point G could be (5, 19), one of several points with n = 7. The domain parameter T = (p; a; b; G; n; h) is T = [23; 1; 1; (5,19); 7, 4 ]. Select d = 4, so Q = 4 (5, 19). (13, 16). Alice’s public key is PubA = Q = (13, 16) and her private key is PrivA = 4. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 30 M. Mogollon – 01/08 - 30 • Slide 15 shows all the points in the curve y2 = x3 + x + 1 (mod 23) with their point orders. Since n should be a prime factor of #E(F23), then a point with an order of 7 should be selected. The cofactor h is equal to 28 / 7 = 4. 30 Elliptic Curve Cryptography ECC ElGamal Encryption Alice Bob • Let T = (p; a; b; G; n; h) and Pub A ≡ Priv A ∗ G mod p be T and PubA do not need to be secret. Alice’s public key. • Bob selects a random number as his private key and generates his public key using the same elliptic curve and G point. • Bob enciphers the message, M, • Alice deciphers the message by Multiplying her private key PrivA by (PrivB . G). CM, PubB Subtracting the above result from M + PrivB . PubA. by doing CM = [{PrivB* G}, {M + PrivB*PubA }] • Bob sends his PubB and cipher message to Alice. CM = [{PrivB* G}, {M + PrivB*PubA }] M = {M + PrivB * PubA } – { PrivA * PrivB * G} Since PubA = PrivA * G, then, M = {M + PrivB * (PrivA . G)} – { PrivA * (PrivB * G)} = {M} Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 31 M. Mogollon – 01/08 - 31 31 Elliptic Curve Cryptography ECC ElGamal Encryption Alice • Let T = [p; a; b; G; n; h) T = [23; 1; 1; (5,19); 7; 4 ] and select 6 as the PrivA, Pub A ≡ 6 ∗ (5, 19) mod 23 Bob T and PubA do not need to be secret Multiplying her private key 6 by (17, 20) = (17, 3). Subtracting the above result from (1, 0) M = (1, 0) – (17, 3) M = (1, 0) + (17, -3) = (8, 20) • The message is the point (8,20). • Bob enciphers the message by Pub A ≡ (5, 4) mod 23 as the public key. • Alice deciphers the message by • Bob selects 5 as his private key. CM = [{PrivB* G}, {M + PrivB*PubA }] CM, PubB CM = [{5*(5, 19)}, {(8, 20) + 5* (5, 4)}] • Bob sends his PubB and cipher message CM = [(17, 20), (1,0)] to Alice. Note: 6 * (5,19) mod 23 is not (6*5, 6*19) mod 23, but the addition of point (5,19) six times to itself. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 32 M. Mogollon – 01/08 - 32 32 Elliptic Curve Cryptography Diffie-Hellman Key Exchange System Sender and receiver agree on the same domain parameters. T = (p; a; b; G; n; h), does not need to be secret. Alice T = (p; a; b; G; n; h) PrivB = Random large prime integer T = (p; a; b; G; n; h) PrivA = Random large prime integer Pub A ≡ Priv A ∗ G mod p Bob PubA PubB PubB ≡ Priv B ∗ G mod p ZZ ≡ Pub A ∗ Priv B ZZ ≡ PubB ∗ Priv A Alice and Bob convert the shared secret value z to an octet string Z and use Z as the shared secret key for symmetric encryption algorithms to secure their communications. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 33 M. Mogollon – 01/08 - 33 • In a key agreement scheme, each party combines his own private key with the other party’s public key to come up with a secret key, which will later be used in a symmetric cryptosystem. The IEEE P1363 (2007) calls this procedure DL/ECKAS-DH1, the Discrete Logarithm and Elliptic Curve Key Agreement Scheme, Diffie-Hellman, but it is also known as ECDH and ECDHE (Ephemeral). 33 Elliptic Curve Cryptography Diffie-Hellman Key Exchange System Bob Alice T = [23; 1; 1; (5,19); 7; 4 ] T = [23; 1; 1; (5,19); 7; 4 ] PubB ≡ 2 ∗ (5, 19 ) mod 23 ≡ (17, 23) mod 23 Pub A ≡ 6 ∗ (5, 19) mod 23 ≡ (5, 4) mod 23 Pub A ≡ Priv A ∗ G mod p PubA PubB PubB ≡ Priv B ∗ G mod p z ≡ PubB ∗ Priv A z ≡ Pub A ∗ Priv B z ≡ (17, 3) ∗ 6 mod 23 ≡ (17, 20) mod 23 z ≡ (5, 4) ∗ 2 mod 23 ≡ (17, 20) mod 23 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 34 M. Mogollon – 01/08 - 34 34 Elliptic Curve Cryptography ECCDSA Signature Generation Alice • T = (p; a; b; G; n; h) and Pub A ≡ Priv A ∗ G mod p Bob T and PubA do not need to be secret. is Alice’s public key. • Selects a random integer Verifies Alice’s signature (r, s) on the message m as follows: • Computes H(m) and k ∈ [2 , n − 2] c ≡ s −1 mod n • Computes k * G = ( x1 , y1 ) (r, s) r ≡ x1 mod n • Computes u1 ≡ H (m ) * c mod n u2 ≡ r * c mod n • Computes −1 k mod n • Computes • Computes ( x0 , yo ) = u1 * G + u2 * PubA s = k −1 {H ( m ) + Priv A * r} mod n v ≡ x0 mod n • The signature for the message m is the pair of integers (r, s). Elliptic Curve EC Arithmetic • Accepts the signature if v = r. EC Points EC Public Key EC Cryptography 35 M. Mogollon – 01/08 - 35 35 Elliptic Curve Cryptography ECCDSA Signature Generation Alice Bob • Let T = [23; 1; 1; (5,19); 7; 4 ] and Pub A ≡ 6 ∗ (5, 19) mod 23 ≡ (5, 4) mod 23 • Select k = 3 • Compute ( x1 , y1 ) = k . G = 3 . (5, 19 ) = (13, 7) r ≡ 13 mod 7 ≡ 6 mod 7 k −1 mod n mod 7 ≡ − 2 mod 7 ≡ 5 mod 7 • Compute 3 −1 • Compute s = k −1 {H ( m ) + Priv A . r} mod n s ≡ 5 (8 + 6 * 6) mod 7 ≡ 220 mod 7 ≡ 3 mod 7 • The signature for the message m is the pair of integers (r, s), (6, 3). Bob verifies Alice’s signature (6, 3) on the message m as follows: • Compute H(m) and c ≡ s −1 mod n c ≡ 3−1 mod 7 ≡ − 2 mod 7 ≡ 5 mod 7 u1 ≡ H ( m ) * c mod n • Compute u2 ≡ r * c mod n u1 ≡ 8 * 5 mod 7 ≡ 5 mod 7 u2 ≡ 6 * 5 mod 7 ≡ 2 mod 7 • Compute ( x0 , yo ) = u1 * G + u2 * PubA ( x0 , yo ) = 5 * (5, 19) + 2 * (5, 4) ( x0 , yo ) = (17, 20) + (17, 20) = (13, 7) • Compute v ≡ x0 mod n = 13 mod 7 ≡ 6 mod 7 • Accept the signature because v = 6 mod 7 = r . Elliptic Curve EC Arithmetic In this example, H(m) = 8 EC Points EC Public Key EC Cryptography 36 M. Mogollon – 01/08 - 36 36 Elliptic Curve Cryptography Cipher Suite • There are many algorithms that can be used for encryption, key exchange, message digest, and authentication; the level of security for each of these algorithms varies. Establishing a connection between two entities requires that they tell each other what crypto algorithms they understand. Normally one of the entities involved in the communication proposes a list of algorithms, and the other entity selects the algorithms supported by both. The selected algorithms may not have matching levels of security, reducing the overall security of the communication. • A cipher suite is a collection of cryptographic algorithms that matches the level of security of all the algorithms listed in the cipher suite. To enable secure communications between two entities, they exchange information about which cipher suites they have in common, and they then use the cipher suite that offers the highest level of security. Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 37 M. Mogollon – 01/08 - 37 • There are many algorithms that can be used for encryption, key exchange, message digest, and authentication; the level of security for each of these algorithms varies. Establishing a connection between two entities requires that they tell each other what crypto algorithms they understand. Normally one of the entities involved in the communication proposes a list of algorithms, and the other entity selects the algorithms supported by both. The selected algorithms may not have matching levels of security, reducing the overall security of the communication. • A cipher suite is a collection of cryptographic algorithms that matches the level of security of all the algorithms listed in the cipher suite. To enable secure communications between two entities, they exchange information about which cipher suites they have in common, and they then use the cipher suite that offers the highest level of security. • At the 2005 RSA conference, NSA introduced a common set of elliptic curve cryptographic algorithms for hashing, digital signatures, and key exchanges with the intention of protecting both classified and unclassified national security systems and information. NSA’s goal in introducing Suite B EC Cryptographic Algorithms was to provide a common set of elliptic curves to developers of commercial products to design products that would be used both in government and commercially. NSA proposed that Suite B Cryptography include specific algorithms for Encryption, Key Exchange, Hashing, HMAC, and Galois Counter Mode-Based. 37 Elliptic Curve Cryptography To Probe Further • Hankerson, D., Meneses, A., Vanstone S. (2004). Guide to Elliptic Curve Cryptography. New York: Springer-Verlag. • Blake, I., Seroussi G., Smart, N. (1999). Elliptic Curves in Cryptography. Cambridge, United Kingdom: Cambridge University Press. • • Rosing, M. (1999). Implementing Curve Cryptography. Greenwich, CT: Manning Publications. Lopez, J., Dahab, R., An overview of Elliptic Curve Cryptography, Institute of computting , State University of Campinas, sao Paulo Brazil, may 2, 2000. (Retrieved September 26, 2003 from http://citeseer.nj.nec.com/lop00overview.html) • Brown, M., Cheung, D., Hankerson, D., Lopez, J., Kirkup, M., Menezes, A., PGP in Constrained Wireless Devices, Proceedings of the 9th USENIX Security Symposium, August 2000. • Certicom Research, Standard for Efficient Cryptograph (SEC 1): Elliptic Curve Cryptograph, September 20, 2000. (Retrieved September 26, 2003 from http://www.secg.org/secg_docs.htm) • Certicom Research, Current Public-Key Crypto Systems, April 1997. (Retrieved on September 20, 2000 from ) • Cryptomathic, Ellipt Curve Online Key Generation at http://www.cryptomathic.com/labs/ellipticcurvedemo.html#Key-Generation • • Certicom Elliptic Curve Tutorial at http://www.certicom.com/index.php?action=ecc,ecc_tutorial IEEE P1363, Standard Specifications for Public key Cryptography, draft 2000 Elliptic Curve EC Arithmetic EC Points EC Public Key EC Cryptography 38 M. Mogollon – 01/08 - 38 38 ...
View Full Document

Ask a homework question - tutors are online