A gentle introduction to elliptic curve cryptography

Transcription

1 A gentle introduction to elliptic curve cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India

2 Part 1: Diffie-Hellman key exchange Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4: Next-generation ECC

3

4 Diffie-Hellman key exchange (circa 1976) q = g = g a mod q = = g b mod q a = g ab mod q = b =

5 Diffie-Hellman key exchange (circa 2016) q = g a (mod q) = g = a = ; \ \ \ \ \ \ \ \ \ g ab = = g b (mod q) b = ; \ \ \ \ \ \ \ \ \ \

6 Diffie-Hellman key exchange (cont.) Individual secret keys secure under Discrete Log Problem (DLP): g, g x x Shared secret secure under Diffie-Hellman Problem (DHP): g, g a, g b g ab Fundamental operation in DH key exchange is group exponentiation: g, x g x Done via square-and-multiply, e.g., x 2 = 1,0,1,1,0,0,0,1 We are working mod q, but only with one operation: multiplication Actually, fundamental operation in all public-key cryptography (key exchange, signatures, encryption, etc) is group exponentiation Main reason for fields being so big: (sub-exponential) index calculus attacks!

7 DH key exchange (Koblitz-Miller style) If all we need is a group, why not use elliptic curve groups? Rationale: it is extremely unlikely that an index calculus attack on the elliptic curve method will ever be able to work [Miller, 85]

8 Real-world (e.g., Internet/TLS) cryptography in one slide (oversimplified) public-key/asymmetric crypto public-key/asymmetric crypto symmetrically encrypted traffic Client symmetrically encrypted traffic Server Public-key cryptography used to (1) establish a shared secret key (e.g., Diffie-Hellman key exchange) (2) authenticate one another (e.g., digital signatures) Symmetric key cryptography uses shared secret to encrypt/authenticate the subsequent traffic (e.g., block ciphers, AES/DES, stream ciphers, MACs) Hash functions used throughout (e.g., SHA s, Keccak)

9 Real-world (e.g., Internet/TLS) cryptography in one slide (oversimplified) public-key/asymmetric crypto public-key/asymmetric crypto symmetrically encrypted traffic Client symmetrically encrypted traffic Server Public-key cryptography used to (1) establish a shared secret key (e.g., Diffie-Hellman key exchange) ECC (2) authenticate one another (e.g., digital signatures) Symmetric key cryptography uses shared secret to encrypt/authenticate the subsequent traffic (e.g., block ciphers, AES/DES, stream ciphers, MACs) Hash functions used throughout (e.g., SHA s, Keccak)

10 Part 1: Diffie-Hellman key exchange Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4: Next-generation ECC

11 Some good references Elliptic curves Elliptic curves ECC Silverman s talk: An Introduction to the Theory of Elliptic Curves Sutherland s MIT course on elliptic curves: Koblitz-Menezes: ECC: the serpentine course of a paradigm shift

12 group (G,+) can do + ring (R, +, ) can do + field (F, +, ) can do +

13 If you ve never seen an elliptic curve before... Remember: an elliptic curve is a group defined over a field elliptic curve group (E, ) can do underlying field (K, +, ) can do + operations in underlying field are used and combined to compute the elliptic curve operation

14 Boring curves f x, y = 0 or f X, Y, Z = 0 Degree 1 (lines) ax + by = c ab 0 Degree 2 (conic sections) ax 2 + bxy + cy 2 + dx + ey + f = 0 e.g., ellipses, hyperbolas, parabolas abc 0 Genus measures geometric complexity, and both are genus 0 We know how to describe all solutions to these, e.g., over Q Not cryptographically interesting

15 Elliptic curves Degree 3 is where all the fun begins ax 3 + bx 2 y + cxy 2 + dy 3 + ex 2 + fxy + gy 2 + hx + iy + j = 0 E/K: ch K 2,3 y 2 = x 3 + ax + b Elliptic curves genus 1 curves Set of points x, y K K satisfying above equation Geometrically/arithmetically/cryptographically interesting Fermat s last theorem/bsd conjecture/ E specified by K, a, b

16 Elliptic curves, pictorially E/R : y 2 = x 3 + x + 1 E/R : y 2 = x 3 x

17 Elliptic curves are groups So E is a set, but to be a group we need an operation The operation is between points x P, y P x Q, y Q = x R, y R Remember: a group (E, ) defined over a field (K, +, ) K will be fields we re used to, e.g., Q, C, R, F p Remember: the (boring) operations +,,, in K are used to compute the (exotic) operation on E

18 Elliptic curve group law is easy Fun fact: homomorphism between Jacobian of elliptic curve and elliptic curve itself. Upshot: you don t have to know any algebraic geometry (e.g., what a Jacobian is) to understand/do elliptic curve cryptography

19 The elliptic curve group law We need x P, y P x Q, y Q = x R, y R Question: Given two points lying on a cubic curve, how can we use their coordinates to give a third point lying on the curve?

20 The elliptic curve group law We need x P, y P x Q, y Q = x R, y R Question: Given two points lying on a cubic curve, how can we use their coordinates to give a third point lying on the curve? Answer: A line that intersects a cubic twice must intersect it again, so we draw a line through the points x P, y P and x Q, y Q

21 The elliptic curve group law

22 The elliptic curve group law y = λx + ν y 2 = x 3 + ax + b x 3 λx + ν 2 + ax + b = 0 x 3 λ 2 x 2 + a 2λν x + b ν 2 = x x P x x Q (x x R ) x R = λ 2 x 1 x 2 y R = (λx R + ν) λ = y 2 y 1 x 2 x 1 λ = dy dx = 3x2 + a 2y

23 A toy example E/R : y 2 = x 3 2x What about E/Q : y 2 = x 3 2?

24 The (abelian) group axioms Closure: the third point of intersection must be in the field Identity: E a,b K = { x, y y 2 = x 3 + ax + b} { } Inverse: x, y = (x, y) Associative: proof by picture Commutative: line through P and Q same as line through Q and P

25 A toy example, cont. E/F 11 : y 2 = x 3 2x 7,5 8,10 = (10,1)

26 Scalar multiplications via double-and-add P Q How to (naively) compute k, Q k Q? k = k n, k n 1,, k 0 2 for i from n 1 downto 0 do P 2 P DBL if k i = 1 then end if P P Q ADD end for return P (= k Q)

27 Scalar multiplications via double-and-add How to compute k, Q k Q on y 2 = x 3 + ax + b? (x P, y P ) Q for i from n 1 downto 0 do if k i = 1 then end for return k = (k n, k n 1,, k 0 ) λ (3x 2 P + a)/(2y P ) ; ν y P λx P ; x P λ 2 2x P ; y P (λx P + v); λ (y P y Q )/(x P x Q ) ; ν y P λx P ; x P λ 2 x P x Q ; y P (λx P + v) x P, y P = k (x Q, y Q )

28 Projective space Recall we defined the group of K-rational points as E a,b K = { x, y : y 2 = x 3 + ax + b} { } The natural habitat for elliptic curve groups is in P 2 (K), not A 2 K For (easiest) example, rather than x, y A 2, take X: Y: Z P 2 modulo the equivalence X: Y: Z (λ X λy λz) for λ K Replace x with X/Z and y with Y/Z, so E a,b K is the set of solutions X: Y: Z P 2 K to E Y 2 Z = X 3 + axz 2 + bz 3 So the affine points x, y from before become x y 1 (λx λy λ) and the point at infinity is the unique point with Z = 0, i.e., (0 λ 0)

29 Projective space, cont. One practical benefit of working over P 2 is that the explicit formulas for computing become much faster, by avoiding field inversions Thus, the fundamental ECC operation k, P k P becomes much faster x, y = [2](x, y) X Y Z = [2](X Y Z) λ (3x 2 + a)/(2y) ; x λ 2 2x; y (λ(x x) + y); 1S + 2M + 1I X = 2XY( 3X 2 + az 2 2 8Y 2 XZ) Y = 3X 2 + az 2 12Y 2 XZ 3X 2 + az 2 2 8Y 4 Z 2 Z = 8Y 3 Z 3 5M + 6S

30 Projective scalar multiplications How to compute k, Q k Q on y 2 = x 3 + ax + b? k = (k n, k n 1,, k 0 ) (X P : Y P : Z P ) Q for i from n 1 downto 0 do X P : Y P : Z P [2] X P : Y P : Z P 5M + 6S if k i = 1 then end for X P : Y P : Z P X P : Y P : Z P (X Q : Y Q : Z Q ) 9M + 2S return x P, y P (X P /Z P,Y P /Z P ) 1I + 2M

31 Part 1: Diffie-Hellman key exchange Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4: Next-generation ECC

32 Diffie-Hellman key exchange (circa 2016) q = g a (mod q) = g = a = ; \ \ \ \ \ \ \ \ \ g ab = = g b (mod q) b = ; \ \ \ \ \ \ \ \ \ \

33 NIST Curve P-256

34 ECDH key exchange (1999 nowish) p = p = E/F p : y 2 = x 3 3x + b #E = P = ( , ) [a]p = ( , ) [b]p = ( , ) a = [ab]p = ( , ) b =

35 ECDH key exchange (1999 nowish) p = p = E/F p : y 2 = x 3 3x + b #E = P = ( , ) [a]p = ( , ) [b]p = ( , ) a = [ab]p = ( , ) Question 1: how to compute #E? Question 2: why p #E 2 256? b =

36 #E and Schoof s algorithm Given E/F p y 2 = x 3 + ax + b (i.e., given p, a, b), how do we compute #E(F p )? Hasse principle: #E F p = p + 1 t, where 2 p t 2 p, so #E is (relatively) close to p, but exponentially many possible t Schoof s algorithm (unlocks ECC): compute t mod l i for many small primes l i until ς i l i > 4 p, so t uniquely determined in Hasse interval

37 Handwaving Schoof s algorithm The key to Schoof s algorithm lies in computing t mod l For all x, y E(F p ), the trace t satisfies x p2, y p2 t x p, y p + p x, y = The l-division polynomial (more later), Φ l F p [a, b, x, y] vanishes precisely at the points that vanish under multiplication by l Schoof: work indeterminately in F p x, y / Φ l, E, and replace p with p mod l to recover t mod l

38 Finding secure curves for ECC Given p, a, b, Schoof computes #E a,b (F p ) in O(log p 8 ) steps General philosophy: find a prime of the appropriate bitlength, and iterate through a and b until #E a,b (F p ) is (almost) prime. E.g., NIST: fixed p special, a = 3, iterated b as hash output until #E prime. Brainpool: p, a, b all output of iterated hash functions, until #E prime. Once (almost) prime order curve chosen, double-check other (exponentially unlikely) properties, e.g., low MOV degree, #E p, etc. What do we mean by appropriate bitlength?

39 ECDLP security and Pollard s rho algorithm The best known ECDLP algorithm on (well-chosen) elliptic curves remains generic, i.e., elliptic curves are as strong as is possible! ECDLP: given P, Q E(F p ) of prime order N, find k such that Q = k P Pollard 78: compute pseudo-random R i = a i P + b i Q until we find a collision R i = R j with b i b j, then k = (a j a i )/(b i b j ) Birthday paradox says we can expect collision after computing group elements R i, i.e., after N group operations. πn 2

40 Summary so far Elliptic curves are the only useful groups we know that are as secure as a black-box group. Upshot: use them for public-key cryptography! Old school method to setup ECC (e.g., ECDH): * choose a prime p twice the length of your target security * find a and b such that #E a,b (F p ) is prime (and check stuff) * publish E a,b /F p and a prime order generator P Old school method to compute k, P k P, etc. * work in projective space, e.g., x, y = X, Y or x, y = X, Y Z Z Z 2 * compute k P via a sequence of doublings and additions Z 3

41 Questions so far?

42 Part 1: Diffie-Hellman key exchange Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4: Next-generation ECC

43 What s wrong with old school ECC? Side-channel attacks: starting with Kocher 99, side-channel attacks and their countermeasures have become extremely sophisticated (cf. Lejla s tutorials from yesterday and a bunch of talks here!) Decades of new research: we now know much better/faster/simpler/safer ways to do ECC Suspicion surrounding previous standards: Snowden leaks, dual EC-DRBG backdoor, etc., lead to conjectured weaknesses in the NIST curves

44 NSA Curve P-256??? Mike Scott (1999) "So, sigh, why didn't they do it that way? Do they want to be distrusted?" Bruce Schneier (2013) I no longer trust the constants. I believe the NSA has manipulated them

45 Next generation elliptic curves 2014: CFRG receives formal request from TLS working group for recommendations for new elliptic curves 2015: NIST holds workshop on ECC standards 2015: CFRG announces two chosen curves, both specified in Montgomery (1987) form E/F p y 2 = x 3 + Ax 2 + x Bernstein s Curve25519 [2006]: p = and A = Hamburg s Goldilocks [2015]: p = and A = Both primes offer fast software implementations! Their group orders are divisible by 8 and 4, but this form offers several advantages.

46 Montgomery s fast differential arithmetic Extremely fast pseudo-doubling: xdbl X 2 P = X P + Z 2 P X P Z 2 P E/F p y 2 = x 3 + Ax 2 + x drop the y-coordinate, and work with x-only. projectively, work with X Z P 1 instead of X Y Z P 2 But (pseudo-)addition of x(p) and x(q) requires x(q P) Z 2 P = 4X P Z P ( X P Z P 2 + A + 2 X P Z P ) Extremely fast pseudo-addition: xadd 2 X P+Q = Z P Q X P Z P X Q + Z Q + X P + Z P X Q Z Q 2M + 2S Z P+Q = X P Q X P Z P X Q + Z Q X P + Z P X Q Z Q 2 4M + 2S

47 Differential additions and the Montgomery ladder Given only the x-coordinates of two points, the x-coordinate of their sum can be two possibilities Inputting the x-coordinate of the difference resolves ambiguity The (ingenious!) Montgomery ladder fixes all differences as the input point: in k, x(p) x( k P), every xadd is of the form xadd x( n + 1 P), x( n P), x(p) We carry two multiples of P up the ladder : x(q) and x Q P At i th step: compute x 2 Q P = xadd(x Q P, x Q, x P ) At i th step: pseudo-double (xdbl) one of them depending on k i

48 Fast, compact, simple, safer Diffie-Hellman Write k = σ l 1 i=0 k i 2 i with k l 1 = 1 and P = (x P, y P ) in E[n] (e.g., on Curve25519 or Goldilocks) (x 0, x 1 ) (xdbl x P, x P ) for i = l 2 downto 0 do (x 0, x 1 ) cswap k i+1 k i, x 0, x 1 (x 0, x 1 ) (xdbl x 0, xadd x 0, x 1, x P ) end for (x 0, x 1 ) cswap k 0, x 0, x 1 return x 0 (= x k P ) Inherently uniform, much easier to implement in constant-time x-only Diffie-Hellman (Miller 85): x ab P = x a b P = x( b a P ) see (Elliptic curves for security)

49 Curve25519 and Goldilocks in the real world See Elliptic curves for security Both curves integrated into TLS ciphersuites (Elliptic curves for security) In 2014, OpenSSH defaults to Curve25519 Curve25519 is used in Signal Protocol (Facebook Messenger, Google Allo, WhatsApp), ios, GnuPG, etc (

50 ECC is the best of both worlds attacker s toolbox vs. our toolbox

51 Elliptic curves: the best of both worlds attacker: generic vs. us: not generic

52 One curve to rule them all Group order is N, where N is a 246-bit prime! Fastest formulas [HCWD08] complete x 1, y 1 + x 2, y 2 = x 1y 1 + x 2 y 2 y 1 y 2 x 1 x 2, x 1y 1 x 2 y 2 x 1 y 2 y 1 x 2 Degree-2 -curve, meaning degree 2p endomorphism ψ CM by ring of integers in, meaning degree 5 endomorphism φ

53 What s an endomorphism? An endomorphism is a homomorphism from the curve to itself φ E E For our (crypto) purposes, an efficiently computable endomorphism is like a cheap teleport/shortcut to a fixed scalar multiple φ P = λ P Easy example on the Bitcoin curve E/F p : y 2 = x with p 1 mod 3, since there exists ξ F p where ξ 3 = 1 and ξ 1 For any P = x, y E, φ P = ξx, y = λ P, where λ =

54 How to use endomorphisms Recall our task: given integer k and point P, compute k P For any P, we can now quickly get the three points φ P, ψ P and ψ φ P, where φ P = λ φ P, ψ P = λ ψ P, and ψ φ P = λ φ λ ψ P k a 1, a 2, a 3, a 4 k P = a 1 P + a 2 φ P + a 3 ψ P + a 4 ψ(φ(p)) k a 1 + a 2 λ φ + a 3 λ ψ + a 4 λ φ λ ψ mod N

55 The multiscalar multiplication Computed φ(p), ψ(p), ψ(φ P ), and k a 1, a 2, a 3, a 4, now what? a 1 = a 2 = a 3 = a 4 = k = a 1 = a 2 = a 3 = a 4 = , 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0 P φ(p) ψ(p) φ ψ P Instead of multiplying by a 246-bit scalar, do a 4-way multi-scalar exponentiation by 64-bit scalars 64-doublings, 64-additions, uniform dbl-and-always-add algorithm

56 versus Curve25519 and Curve p-256 Platform C-Longa 15 Curve25519 Bernstein 06 [Cho14, ebacs][ NIST p-256 NIST 99 [GK15] Atom Pineview 442 1,109 - Intel Sandy Intel Haswell AMD Kaveri Speed (in thousands of cycles) of k, P k P on some 64-bit platforms. Platform C-Longa 15 [Lon16] Curve25519 Bernstein 06 [BS12,eBACS][ Cortex-A Cortex-A Cortex-A Cortex-A Speed (in thousands of cycles) of k, P k P on some 32-bit platforms.

57 continued Internet draft Curve4Q (by Barnes, Ladd, Longa) Fast SchorrQ signatures (based on EdDSA signature scheme) SchnorrQ.pdf Library protected against simple timing attacks, cache attacks, exception attacks, invalid curve and small subgroup attacks Version 3.0 coming soon

58 Questions?