A gentle introduction to elliptic curve cryptography
|
|
- Gary Butler
- 5 years ago
- Views:
Transcription
1 A gentle introduction to elliptic curve cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India
2 Part 1: Diffie-Hellman key exchange Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4: Next-generation ECC
3
4 Diffie-Hellman key exchange (circa 1976) q = g = g a mod q = = g b mod q a = g ab mod q = b =
5 Diffie-Hellman key exchange (circa 2016) q = g a (mod q) = g = a = ; \ \ \ \ \ \ \ \ \ g ab = = g b (mod q) b = ; \ \ \ \ \ \ \ \ \ \
6 Diffie-Hellman key exchange (cont.) Individual secret keys secure under Discrete Log Problem (DLP): g, g x x Shared secret secure under Diffie-Hellman Problem (DHP): g, g a, g b g ab Fundamental operation in DH key exchange is group exponentiation: g, x g x Done via square-and-multiply, e.g., x 2 = 1,0,1,1,0,0,0,1 We are working mod q, but only with one operation: multiplication Actually, fundamental operation in all public-key cryptography (key exchange, signatures, encryption, etc) is group exponentiation Main reason for fields being so big: (sub-exponential) index calculus attacks!
7 DH key exchange (Koblitz-Miller style) If all we need is a group, why not use elliptic curve groups? Rationale: it is extremely unlikely that an index calculus attack on the elliptic curve method will ever be able to work [Miller, 85]
8 Real-world (e.g., Internet/TLS) cryptography in one slide (oversimplified) public-key/asymmetric crypto public-key/asymmetric crypto symmetrically encrypted traffic Client symmetrically encrypted traffic Server Public-key cryptography used to (1) establish a shared secret key (e.g., Diffie-Hellman key exchange) (2) authenticate one another (e.g., digital signatures) Symmetric key cryptography uses shared secret to encrypt/authenticate the subsequent traffic (e.g., block ciphers, AES/DES, stream ciphers, MACs) Hash functions used throughout (e.g., SHA s, Keccak)
9 Real-world (e.g., Internet/TLS) cryptography in one slide (oversimplified) public-key/asymmetric crypto public-key/asymmetric crypto symmetrically encrypted traffic Client symmetrically encrypted traffic Server Public-key cryptography used to (1) establish a shared secret key (e.g., Diffie-Hellman key exchange) ECC (2) authenticate one another (e.g., digital signatures) Symmetric key cryptography uses shared secret to encrypt/authenticate the subsequent traffic (e.g., block ciphers, AES/DES, stream ciphers, MACs) Hash functions used throughout (e.g., SHA s, Keccak)
10 Part 1: Diffie-Hellman key exchange Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4: Next-generation ECC
11 Some good references Elliptic curves Elliptic curves ECC Silverman s talk: An Introduction to the Theory of Elliptic Curves Sutherland s MIT course on elliptic curves: Koblitz-Menezes: ECC: the serpentine course of a paradigm shift
12 group (G,+) can do + ring (R, +, ) can do + field (F, +, ) can do +
13 If you ve never seen an elliptic curve before... Remember: an elliptic curve is a group defined over a field elliptic curve group (E, ) can do underlying field (K, +, ) can do + operations in underlying field are used and combined to compute the elliptic curve operation
14 Boring curves f x, y = 0 or f X, Y, Z = 0 Degree 1 (lines) ax + by = c ab 0 Degree 2 (conic sections) ax 2 + bxy + cy 2 + dx + ey + f = 0 e.g., ellipses, hyperbolas, parabolas abc 0 Genus measures geometric complexity, and both are genus 0 We know how to describe all solutions to these, e.g., over Q Not cryptographically interesting
15 Elliptic curves Degree 3 is where all the fun begins ax 3 + bx 2 y + cxy 2 + dy 3 + ex 2 + fxy + gy 2 + hx + iy + j = 0 E/K: ch K 2,3 y 2 = x 3 + ax + b Elliptic curves genus 1 curves Set of points x, y K K satisfying above equation Geometrically/arithmetically/cryptographically interesting Fermat s last theorem/bsd conjecture/ E specified by K, a, b
16 Elliptic curves, pictorially E/R : y 2 = x 3 + x + 1 E/R : y 2 = x 3 x
17 Elliptic curves are groups So E is a set, but to be a group we need an operation The operation is between points x P, y P x Q, y Q = x R, y R Remember: a group (E, ) defined over a field (K, +, ) K will be fields we re used to, e.g., Q, C, R, F p Remember: the (boring) operations +,,, in K are used to compute the (exotic) operation on E
18 Elliptic curve group law is easy Fun fact: homomorphism between Jacobian of elliptic curve and elliptic curve itself. Upshot: you don t have to know any algebraic geometry (e.g., what a Jacobian is) to understand/do elliptic curve cryptography
19 The elliptic curve group law We need x P, y P x Q, y Q = x R, y R Question: Given two points lying on a cubic curve, how can we use their coordinates to give a third point lying on the curve?
20 The elliptic curve group law We need x P, y P x Q, y Q = x R, y R Question: Given two points lying on a cubic curve, how can we use their coordinates to give a third point lying on the curve? Answer: A line that intersects a cubic twice must intersect it again, so we draw a line through the points x P, y P and x Q, y Q
21 The elliptic curve group law
22 The elliptic curve group law y = λx + ν y 2 = x 3 + ax + b x 3 λx + ν 2 + ax + b = 0 x 3 λ 2 x 2 + a 2λν x + b ν 2 = x x P x x Q (x x R ) x R = λ 2 x 1 x 2 y R = (λx R + ν) λ = y 2 y 1 x 2 x 1 λ = dy dx = 3x2 + a 2y
23 A toy example E/R : y 2 = x 3 2x What about E/Q : y 2 = x 3 2?
24 The (abelian) group axioms Closure: the third point of intersection must be in the field Identity: E a,b K = { x, y y 2 = x 3 + ax + b} { } Inverse: x, y = (x, y) Associative: proof by picture Commutative: line through P and Q same as line through Q and P
25 A toy example, cont. E/F 11 : y 2 = x 3 2x 7,5 8,10 = (10,1)
26 Scalar multiplications via double-and-add P Q How to (naively) compute k, Q k Q? k = k n, k n 1,, k 0 2 for i from n 1 downto 0 do P 2 P DBL if k i = 1 then end if P P Q ADD end for return P (= k Q)
27 Scalar multiplications via double-and-add How to compute k, Q k Q on y 2 = x 3 + ax + b? (x P, y P ) Q for i from n 1 downto 0 do if k i = 1 then end for return k = (k n, k n 1,, k 0 ) λ (3x 2 P + a)/(2y P ) ; ν y P λx P ; x P λ 2 2x P ; y P (λx P + v); λ (y P y Q )/(x P x Q ) ; ν y P λx P ; x P λ 2 x P x Q ; y P (λx P + v) x P, y P = k (x Q, y Q )
28 Projective space Recall we defined the group of K-rational points as E a,b K = { x, y : y 2 = x 3 + ax + b} { } The natural habitat for elliptic curve groups is in P 2 (K), not A 2 K For (easiest) example, rather than x, y A 2, take X: Y: Z P 2 modulo the equivalence X: Y: Z (λ X λy λz) for λ K Replace x with X/Z and y with Y/Z, so E a,b K is the set of solutions X: Y: Z P 2 K to E Y 2 Z = X 3 + axz 2 + bz 3 So the affine points x, y from before become x y 1 (λx λy λ) and the point at infinity is the unique point with Z = 0, i.e., (0 λ 0)
29 Projective space, cont. One practical benefit of working over P 2 is that the explicit formulas for computing become much faster, by avoiding field inversions Thus, the fundamental ECC operation k, P k P becomes much faster x, y = [2](x, y) X Y Z = [2](X Y Z) λ (3x 2 + a)/(2y) ; x λ 2 2x; y (λ(x x) + y); 1S + 2M + 1I X = 2XY( 3X 2 + az 2 2 8Y 2 XZ) Y = 3X 2 + az 2 12Y 2 XZ 3X 2 + az 2 2 8Y 4 Z 2 Z = 8Y 3 Z 3 5M + 6S
30 Projective scalar multiplications How to compute k, Q k Q on y 2 = x 3 + ax + b? k = (k n, k n 1,, k 0 ) (X P : Y P : Z P ) Q for i from n 1 downto 0 do X P : Y P : Z P [2] X P : Y P : Z P 5M + 6S if k i = 1 then end for X P : Y P : Z P X P : Y P : Z P (X Q : Y Q : Z Q ) 9M + 2S return x P, y P (X P /Z P,Y P /Z P ) 1I + 2M
31 Part 1: Diffie-Hellman key exchange Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4: Next-generation ECC
32 Diffie-Hellman key exchange (circa 2016) q = g a (mod q) = g = a = ; \ \ \ \ \ \ \ \ \ g ab = = g b (mod q) b = ; \ \ \ \ \ \ \ \ \ \
33 NIST Curve P-256
34 ECDH key exchange (1999 nowish) p = p = E/F p : y 2 = x 3 3x + b #E = P = ( , ) [a]p = ( , ) [b]p = ( , ) a = [ab]p = ( , ) b =
35 ECDH key exchange (1999 nowish) p = p = E/F p : y 2 = x 3 3x + b #E = P = ( , ) [a]p = ( , ) [b]p = ( , ) a = [ab]p = ( , ) Question 1: how to compute #E? Question 2: why p #E 2 256? b =
36 #E and Schoof s algorithm Given E/F p y 2 = x 3 + ax + b (i.e., given p, a, b), how do we compute #E(F p )? Hasse principle: #E F p = p + 1 t, where 2 p t 2 p, so #E is (relatively) close to p, but exponentially many possible t Schoof s algorithm (unlocks ECC): compute t mod l i for many small primes l i until ς i l i > 4 p, so t uniquely determined in Hasse interval
37 Handwaving Schoof s algorithm The key to Schoof s algorithm lies in computing t mod l For all x, y E(F p ), the trace t satisfies x p2, y p2 t x p, y p + p x, y = The l-division polynomial (more later), Φ l F p [a, b, x, y] vanishes precisely at the points that vanish under multiplication by l Schoof: work indeterminately in F p x, y / Φ l, E, and replace p with p mod l to recover t mod l
38 Finding secure curves for ECC Given p, a, b, Schoof computes #E a,b (F p ) in O(log p 8 ) steps General philosophy: find a prime of the appropriate bitlength, and iterate through a and b until #E a,b (F p ) is (almost) prime. E.g., NIST: fixed p special, a = 3, iterated b as hash output until #E prime. Brainpool: p, a, b all output of iterated hash functions, until #E prime. Once (almost) prime order curve chosen, double-check other (exponentially unlikely) properties, e.g., low MOV degree, #E p, etc. What do we mean by appropriate bitlength?
39 ECDLP security and Pollard s rho algorithm The best known ECDLP algorithm on (well-chosen) elliptic curves remains generic, i.e., elliptic curves are as strong as is possible! ECDLP: given P, Q E(F p ) of prime order N, find k such that Q = k P Pollard 78: compute pseudo-random R i = a i P + b i Q until we find a collision R i = R j with b i b j, then k = (a j a i )/(b i b j ) Birthday paradox says we can expect collision after computing group elements R i, i.e., after N group operations. πn 2
40 Summary so far Elliptic curves are the only useful groups we know that are as secure as a black-box group. Upshot: use them for public-key cryptography! Old school method to setup ECC (e.g., ECDH): * choose a prime p twice the length of your target security * find a and b such that #E a,b (F p ) is prime (and check stuff) * publish E a,b /F p and a prime order generator P Old school method to compute k, P k P, etc. * work in projective space, e.g., x, y = X, Y or x, y = X, Y Z Z Z 2 * compute k P via a sequence of doublings and additions Z 3
41 Questions so far?
42 Part 1: Diffie-Hellman key exchange Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4: Next-generation ECC
43 What s wrong with old school ECC? Side-channel attacks: starting with Kocher 99, side-channel attacks and their countermeasures have become extremely sophisticated (cf. Lejla s tutorials from yesterday and a bunch of talks here!) Decades of new research: we now know much better/faster/simpler/safer ways to do ECC Suspicion surrounding previous standards: Snowden leaks, dual EC-DRBG backdoor, etc., lead to conjectured weaknesses in the NIST curves
44 NSA Curve P-256??? Mike Scott (1999) "So, sigh, why didn't they do it that way? Do they want to be distrusted?" Bruce Schneier (2013) I no longer trust the constants. I believe the NSA has manipulated them
45 Next generation elliptic curves 2014: CFRG receives formal request from TLS working group for recommendations for new elliptic curves 2015: NIST holds workshop on ECC standards 2015: CFRG announces two chosen curves, both specified in Montgomery (1987) form E/F p y 2 = x 3 + Ax 2 + x Bernstein s Curve25519 [2006]: p = and A = Hamburg s Goldilocks [2015]: p = and A = Both primes offer fast software implementations! Their group orders are divisible by 8 and 4, but this form offers several advantages.
46 Montgomery s fast differential arithmetic Extremely fast pseudo-doubling: xdbl X 2 P = X P + Z 2 P X P Z 2 P E/F p y 2 = x 3 + Ax 2 + x drop the y-coordinate, and work with x-only. projectively, work with X Z P 1 instead of X Y Z P 2 But (pseudo-)addition of x(p) and x(q) requires x(q P) Z 2 P = 4X P Z P ( X P Z P 2 + A + 2 X P Z P ) Extremely fast pseudo-addition: xadd 2 X P+Q = Z P Q X P Z P X Q + Z Q + X P + Z P X Q Z Q 2M + 2S Z P+Q = X P Q X P Z P X Q + Z Q X P + Z P X Q Z Q 2 4M + 2S
47 Differential additions and the Montgomery ladder Given only the x-coordinates of two points, the x-coordinate of their sum can be two possibilities Inputting the x-coordinate of the difference resolves ambiguity The (ingenious!) Montgomery ladder fixes all differences as the input point: in k, x(p) x( k P), every xadd is of the form xadd x( n + 1 P), x( n P), x(p) We carry two multiples of P up the ladder : x(q) and x Q P At i th step: compute x 2 Q P = xadd(x Q P, x Q, x P ) At i th step: pseudo-double (xdbl) one of them depending on k i
48 Fast, compact, simple, safer Diffie-Hellman Write k = σ l 1 i=0 k i 2 i with k l 1 = 1 and P = (x P, y P ) in E[n] (e.g., on Curve25519 or Goldilocks) (x 0, x 1 ) (xdbl x P, x P ) for i = l 2 downto 0 do (x 0, x 1 ) cswap k i+1 k i, x 0, x 1 (x 0, x 1 ) (xdbl x 0, xadd x 0, x 1, x P ) end for (x 0, x 1 ) cswap k 0, x 0, x 1 return x 0 (= x k P ) Inherently uniform, much easier to implement in constant-time x-only Diffie-Hellman (Miller 85): x ab P = x a b P = x( b a P ) see (Elliptic curves for security)
49 Curve25519 and Goldilocks in the real world See Elliptic curves for security Both curves integrated into TLS ciphersuites (Elliptic curves for security) In 2014, OpenSSH defaults to Curve25519 Curve25519 is used in Signal Protocol (Facebook Messenger, Google Allo, WhatsApp), ios, GnuPG, etc (
50 ECC is the best of both worlds attacker s toolbox vs. our toolbox
51 Elliptic curves: the best of both worlds attacker: generic vs. us: not generic
52 One curve to rule them all Group order is N, where N is a 246-bit prime! Fastest formulas [HCWD08] complete x 1, y 1 + x 2, y 2 = x 1y 1 + x 2 y 2 y 1 y 2 x 1 x 2, x 1y 1 x 2 y 2 x 1 y 2 y 1 x 2 Degree-2 -curve, meaning degree 2p endomorphism ψ CM by ring of integers in, meaning degree 5 endomorphism φ
53 What s an endomorphism? An endomorphism is a homomorphism from the curve to itself φ E E For our (crypto) purposes, an efficiently computable endomorphism is like a cheap teleport/shortcut to a fixed scalar multiple φ P = λ P Easy example on the Bitcoin curve E/F p : y 2 = x with p 1 mod 3, since there exists ξ F p where ξ 3 = 1 and ξ 1 For any P = x, y E, φ P = ξx, y = λ P, where λ =
54 How to use endomorphisms Recall our task: given integer k and point P, compute k P For any P, we can now quickly get the three points φ P, ψ P and ψ φ P, where φ P = λ φ P, ψ P = λ ψ P, and ψ φ P = λ φ λ ψ P k a 1, a 2, a 3, a 4 k P = a 1 P + a 2 φ P + a 3 ψ P + a 4 ψ(φ(p)) k a 1 + a 2 λ φ + a 3 λ ψ + a 4 λ φ λ ψ mod N
55 The multiscalar multiplication Computed φ(p), ψ(p), ψ(φ P ), and k a 1, a 2, a 3, a 4, now what? a 1 = a 2 = a 3 = a 4 = k = a 1 = a 2 = a 3 = a 4 = , 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 0, 0, 0, 1, 0, 0, 1, 1, 1, 1, 0, 1, 1, 1, 1, 1, 1, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1 0, 1, 0, 1, 0, 0, 0, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 1, 0, 1, 1, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 1, 1, 0, 1, 1, 0, 0, 1, 0, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 0, 0, 1, 1 0, 0, 1, 0, 0, 0, 1, 0, 1, 1, 1, 0, 1, 1, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 1, 1, 0, 1, 0, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0 0, 0, 1, 1, 1, 1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 1, 0, 1, 0, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 1, 0, 0, 1, 0, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 0, 0, 1, 0, 1, 0, 0, 1, 0, 1, 1, 1, 1, 0, 1, 0 P φ(p) ψ(p) φ ψ P Instead of multiplying by a 246-bit scalar, do a 4-way multi-scalar exponentiation by 64-bit scalars 64-doublings, 64-additions, uniform dbl-and-always-add algorithm
56 versus Curve25519 and Curve p-256 Platform C-Longa 15 Curve25519 Bernstein 06 [Cho14, ebacs][ NIST p-256 NIST 99 [GK15] Atom Pineview 442 1,109 - Intel Sandy Intel Haswell AMD Kaveri Speed (in thousands of cycles) of k, P k P on some 64-bit platforms. Platform C-Longa 15 [Lon16] Curve25519 Bernstein 06 [BS12,eBACS][ Cortex-A Cortex-A Cortex-A Cortex-A Speed (in thousands of cycles) of k, P k P on some 32-bit platforms.
57 continued Internet draft Curve4Q (by Barnes, Ladd, Longa) Fast SchorrQ signatures (based on EdDSA signature scheme) SchnorrQ.pdf Library protected against simple timing attacks, cache attacks, exception attacks, invalid curve and small subgroup attacks Version 3.0 coming soon
58 Questions?
A gentle introduction to elliptic curve cryptography
A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 5, 2017 Šibenik, Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationPost-Snowden Elliptic Curve Cryptography. Patrick Longa Microsoft Research
Post-Snowden Elliptic Curve Cryptography Patrick Longa Microsoft Research Joppe Bos Craig Costello Michael Naehrig NXP Semiconductors Microsoft Research Microsoft Research June 2013 the Snowden leaks the
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More informationSM9 identity-based cryptographic algorithms Part 1: General
SM9 identity-based cryptographic algorithms Part 1: General Contents 1 Scope... 1 2 Terms and definitions... 1 2.1 identity... 1 2.2 master key... 1 2.3 key generation center (KGC)... 1 3 Symbols and abbreviations...
More informationCyclic Groups in Cryptography
Cyclic Groups in Cryptography p. 1/6 Cyclic Groups in Cryptography Palash Sarkar Indian Statistical Institute Cyclic Groups in Cryptography p. 2/6 Structure of Presentation Exponentiation in General Cyclic
More informationAdvanced Constructions in Curve-based Cryptography
Advanced Constructions in Curve-based Cryptography Benjamin Smith Team GRACE INRIA and Laboratoire d Informatique de l École polytechnique (LIX) Summer school on real-world crypto and privacy Sibenik,
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationNon-generic attacks on elliptic curve DLPs
Non-generic attacks on elliptic curve DLPs Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC Summer School Leuven, September 13 2013 Smith
More informationElliptic Curve Cryptography
The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationElliptic Curves, Factorization, and Cryptography
Elliptic Curves, Factorization, and Cryptography Brian Rhee MIT PRIMES May 19, 2017 RATIONAL POINTS ON CONICS The following procedure yields the set of rational points on a conic C given an initial rational
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationElliptic Curve Cryptography with Derive
Elliptic Curve Cryptography with Derive Johann Wiesenbauer Vienna University of Technology DES-TIME-2006, Dresden General remarks on Elliptic curves Elliptic curces can be described as nonsingular algebraic
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationABHELSINKI UNIVERSITY OF TECHNOLOGY
Identity-Based Cryptography T-79.5502 Advanced Course in Cryptology Billy Brumley billy.brumley at hut.fi Helsinki University of Technology Identity-Based Cryptography 1/24 Outline Classical ID-Based Crypto;
More informationHyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago
Hyperelliptic-curve cryptography D. J. Bernstein University of Illinois at Chicago Thanks to: NSF DMS 0140542 NSF ITR 0716498 Alfred P. Sloan Foundation Two parts to this talk: 1. Elliptic curves; modern
More informationElliptic curves. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J. Bernstein
Elliptic curves Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Diffie-Hellman key exchange Pick some generator. Diffie-Hellman key exchange Pick some generator. Diffie-Hellman
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationPublic-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.
Public-key cryptography and the Discrete-Logarithm Problem Tanja Lange Technische Universiteit Eindhoven with some slides by Daniel J. Bernstein Cryptography Let s understand what our browsers do. Schoolbook
More informationOn the complexity of computing discrete logarithms in the field F
On the complexity of computing discrete logarithms in the field F 3 6 509 Francisco Rodríguez-Henríquez CINVESTAV-IPN Joint work with: Gora Adj Alfred Menezes Thomaz Oliveira CINVESTAV-IPN University of
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationHigh-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition
High-Performance Scalar Multiplication using 8-Dimensional GLV/GLS Decomposition Joppe W. Bos, Craig Costello, Huseyin Hisil, Kristin Lauter CHES 2013 Motivation - I Group DH ECDH (F p1, ) (E F p2, +)
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationFast, twist-secure elliptic curve cryptography from Q-curves
Fast, twist-secure elliptic curve cryptography from Q-curves Benjamin Smith Team GRACE INRIA Saclay Île-de-France Laboratoire d Informatique de l École polytechnique (LIX) ECC #17, Leuven September 16,
More informationCo-Z Addition Formulæ and Binary Ladders on Elliptic Curves. Raveen Goundar Marc Joye Atsuko Miyaji
Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves Raveen Goundar Marc Joye Atsuko Miyaji Co-Z Addition Formulæ and Binary Ladders on Elliptic Curves Raveen Goundar Marc Joye Atsuko Miyaji Elliptic
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationFaster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves
Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves Junfeng Fan, Frederik Vercauteren and Ingrid Verbauwhede Katholieke Universiteit Leuven, COSIC May 18, 2009 1 Outline What is
More informationDefinition of a finite group
Elliptic curves Definition of a finite group (G, * ) is a finite group if: 1. G is a finite set. 2. For each a and b in G, also a * b is in G. 3. There is an e in G such that for all a in G, a * e= e *
More informationElliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography
Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Andrew Sutherland MIT Undergraduate Mathematics Association November 29, 2018 Creating a shared secret
More informationAspects of Pairing Inversion
Applications of Aspects of ECC 2007 - Dublin Aspects of Applications of Applications of Aspects of Applications of Pairings Let G 1, G 2, G T be groups of prime order r. A pairing is a non-degenerate bilinear
More informationFast Cryptography in Genus 2
Fast Cryptography in Genus 2 Joppe W. Bos, Craig Costello, Huseyin Hisil and Kristin Lauter EUROCRYPT 2013 Athens, Greece May 27, 2013 Fast Cryptography in Genus 2 Recall that curves are much better than
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationAn Introduction to Elliptic Curve Cryptography
Harald Baier An Introduction to Elliptic Curve Cryptography / Summer term 2013 1/22 An Introduction to Elliptic Curve Cryptography Harald Baier Hochschule Darmstadt, CASED, da/sec Summer term 2013 Harald
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationConstructing genus 2 curves over finite fields
Constructing genus 2 curves over finite fields Kirsten Eisenträger The Pennsylvania State University Fq12, Saratoga Springs July 15, 2015 1 / 34 Curves and cryptography RSA: most widely used public key
More informationIntroduction to Arithmetic Geometry
Introduction to Arithmetic Geometry 18.782 Andrew V. Sutherland September 5, 2013 What is arithmetic geometry? Arithmetic geometry applies the techniques of algebraic geometry to problems in number theory
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #9 Sep 22 nd 2005 CSCI 6268/TLEN 5831, Fall 2005 Announcements Midterm #1, next class (Tues, Sept 27 th ) All lecture materials and readings
More informationSide-channel attacks on PKC and countermeasures with contributions from PhD students
basics Online Side-channel attacks on PKC and countermeasures (Tutorial @SPACE2016) with contributions from PhD students Lejla Batina Institute for Computing and Information Sciences Digital Security Radboud
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More information2.1 Affine and Projective Coordinates
1 Introduction Depending how you look at them, elliptic curves can be deceptively simple. Using one of the easier definitions, we are just looking at points (x,y) that satisfy a cubic equation, something
More informationElliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.
Elliptic Curves I 1.0 Introduction The first three sections introduce and explain the properties of elliptic curves. A background understanding of abstract algebra is required, much of which can be found
More informationElliptic Curves and an Application in Cryptography
Parabola Volume 54, Issue 1 (2018) Elliptic Curves and an Application in Cryptography Jeremy Muskat 1 Abstract Communication is no longer private, but rather a publicly broadcast signal for the entire
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/
More informationElliptic Curves: Theory and Application
s Phillips Exeter Academy Dec. 5th, 2018 Why Elliptic Curves Matter The study of elliptic curves has always been of deep interest, with focus on the points on an elliptic curve with coe cients in certain
More informationEfficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves
Efficient and Secure Algorithms for GLV-Based Scalar Multiplication and Their Implementation on GLV-GLS Curves SESSION ID: CRYP-T07 Patrick Longa Microsoft Research http://research.microsoft.com/en-us/people/plonga/
More informationFundamentals of Modern Cryptography
Fundamentals of Modern Cryptography BRUCE MOMJIAN This presentation explains the fundamentals of modern cryptographic methods. Creative Commons Attribution License http://momjian.us/presentations Last
More informationElliptic Curves and Public Key Cryptography
Elliptic Curves and Public Key Cryptography Jeff Achter January 7, 2011 1 Introduction to Elliptic Curves 1.1 Diophantine equations Many classical problems in number theory have the following form: Let
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationSoftware implementation of ECC
Software implementation of ECC Radboud University, Nijmegen, The Netherlands June 4, 2015 Summer school on real-world crypto and privacy Šibenik, Croatia Software implementation of (H)ECC Radboud University,
More informationElliptic Curve Cryptosystems
Elliptic Curve Cryptosystems Santiago Paiva santiago.paiva@mail.mcgill.ca McGill University April 25th, 2013 Abstract The application of elliptic curves in the field of cryptography has significantly improved
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationElliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.
Elliptic Curves Cryptography and factorization Part VIII Elliptic curves cryptography and factorization Cryptography based on manipulation of points of so called elliptic curves is getting momentum and
More informationFast point multiplication algorithms for binary elliptic curves with and without precomputation
Fast point multiplication algorithms for binary elliptic curves with and without precomputation Thomaz Oliveira 1 Diego F. Aranha 2 Julio López 2 Francisco Rodríguez-Henríquez 1 1 CINVESTAV-IPN, Mexico
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 2.6 ID Based Cryptography #2 Slides by An Liu Outline Applications Elliptic Curve Group over real number and F p Weil Pairing BasicIdent FullIdent Extensions Escrow
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationElliptic Curve Computations
Elliptic Curve Computations New Mexico Supercomputing Challenge Final Report April 1st, 2009 Team 66 Manzano High School Team Members Kristin Cordwell Chen Zhao Teacher Stephen Schum Project Mentor William
More informationSuppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:
Elliptic Curve Cryptography Jim Royer CIS 428/628: Introduction to Cryptography November 6, 2018 Suppose F is a field and a 1,..., a 6 F. Definition 1. An elliptic curve E over a field F is a curve given
More informationDiscrete Logarithm Problem
Discrete Logarithm Problem Çetin Kaya Koç koc@cs.ucsb.edu (http://cs.ucsb.edu/~koc/ecc) Elliptic Curve Cryptography lect08 discrete log 1 / 46 Exponentiation and Logarithms in a General Group In a multiplicative
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 17: Elliptic Curves and Applications Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline We previously looked at discrete
More informationPublic Key Algorithms
Public Key Algorithms Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-09/
More informationDaniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven. Tanja Lange Technische Universiteit Eindhoven
ECCHacks: a gentle introduction to elliptic-curve cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange Technische Universiteit Eindhoven ecchacks.cr.yp.to
More informationElliptic Curve Cryptography
Areas for Discussion Elliptic Curve Cryptography Joseph Spring Department of Computer Science 7COM1027 - Distributed Systems Security Lecture - Elliptic Curves 1 1 Motivation Elliptic Curves Security of
More informationThe odd couple: MQV and HMQV
The odd couple: MQV and HMQV Jean-Philippe Aumasson 1 / 49 Summary MQV = EC-DH-based key agreement protocol, proposed by Menezes, Qu and Vanstone (1995), improved with Law and Solinas (1998), widely standardized
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationElliptic Curve Cryptography
AIMS-VOLKSWAGEN STIFTUNG WORKSHOP ON INTRODUCTION TO COMPUTER ALGEBRA AND APPLICATIONS Douala, Cameroon, October 12, 2017 Elliptic Curve Cryptography presented by : BANSIMBA Gilda Rech BANSIMBA Gilda Rech
More informationElliptic curves and their cryptographic applications
Eastern Washington University EWU Digital Commons EWU Masters Thesis Collection Student Research and Creative Works 2013 Elliptic curves and their cryptographic applications Samuel L. Wenberg Eastern Washington
More informationModern elliptic curve cryptography
Modern elliptic curve cryptography Ivo Kubjas 1 Introduction Elliptic curve cryptography has raised attention as it allows for having shorter keys and ciphertexts. For example, to obtain similar security
More informationCongruent number elliptic curves of high rank
Michaela Klopf, BSc Congruent number elliptic curves of high rank MASTER S THESIS to achieve the university degree of Diplom-Ingenieurin Master s degree programme: Mathematical Computer Science submitted
More informationElliptic Curve Cryptography
Technical Guideline BSI TR-03111 Elliptic Curve Cryptography Version 2.10 Date: 2018-06-01 History Version Date Comment 1.00 2007-02-14 Initial public version. 1.10 2009-02-03 Enhancements, corrections,
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationFour-Dimensional GLV Scalar Multiplication
Four-Dimensional GLV Scalar Multiplication ASIACRYPT 2012 Beijing, China Patrick Longa Microsoft Research Francesco Sica Nazarbayev University Elliptic Curve Scalar Multiplication A (Weierstrass) elliptic
More informationLecture 6: Cryptanalysis of public-key algorithms.,
T-79.159 Cryptography and Data Security Lecture 6: Cryptanalysis of public-key algorithms. Helsinki University of Technology mjos@tcs.hut.fi 1 Outline Computational complexity Reminder about basic number
More informationThe Application of the Mordell-Weil Group to Cryptographic Systems
The Application of the Mordell-Weil Group to Cryptographic Systems by André Weimerskirch A Thesis Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements
More informationPoints of High Order on Elliptic Curves ECDSA
! Independent thesis advanced level (degree of master (two years)) Points of High Order on Elliptic Curves ECDSA Author: Behnaz Kouchaki Barzi Supervisor: Per-Anders Svensson Examiner: Andrei Khrennikov
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationDiscrete Logarithm Computation in Hyperelliptic Function Fields
Discrete Logarithm Computation in Hyperelliptic Function Fields Michael J. Jacobson, Jr. jacobs@cpsc.ucalgary.ca UNCG Summer School in Computational Number Theory 2016: Function Fields Mike Jacobson (University
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationIntroduction to ECC. Nigel Smart. January 17, Nigel Smart Introduction to ECC Slide 1
Introduction to ECC nigel@cs.bris.ac.uk January 17, 2013 Introduction to ECC Slide 1 Why the need for Elliptic Curves? Introduction to ECC Slide 2 Discrete logarithm problem example Let p = 10535462803950169753046165829339587319488718149259
More informationKatherine Stange. ECC 2007, Dublin, Ireland
in in Department of Brown University http://www.math.brown.edu/~stange/ in ECC Computation of ECC 2007, Dublin, Ireland Outline in in ECC Computation of in ECC Computation of in Definition A integer sequence
More informationSEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY
SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY OFER M. SHIR, THE HEBREW UNIVERSITY OF JERUSALEM, ISRAEL FLORIAN HÖNIG, JOHANNES KEPLER UNIVERSITY LINZ, AUSTRIA ABSTRACT. The area of elliptic curves
More informationFaster ECC over F 2. School of Computer and Communication Sciences EPFL, Switzerland 2 CertiVox Labs.
Faster ECC over F 2 521 1 Robert Granger 1 and Michael Scott 2 1 Laboratory for Cryptologic Algorithms School of Computer and Communication Sciences EPFL, Switzerland robbiegranger@gmail.com 2 CertiVox
More informationElliptic Curves Spring 2013 Lecture #12 03/19/2013
18.783 Elliptic Curves Spring 2013 Lecture #12 03/19/2013 We now consider our first practical application of elliptic curves: factoring integers. Before presenting the elliptic curve method (ECM) for factoring
More informationECC mod 8^91+5. especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown, BlackBerry CFRG, Prague, 2017 July 18
ECC mod 8^91+5 especially elliptic curve 2y^2=x^3+x for cryptography Andrew Allen and Dan Brown, BlackBerry CFRG, Prague, 2017 July 18 2y 2 =x 3 +x/gf(8 91 +5) Simplest secure and fast ECC? Benefits of
More informationCurves, Cryptography, and Primes of the Form x 2 + y 2 D
Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.
More informationCHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux
CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S Ant nine J aux (g) CRC Press Taylor 8* Francis Croup Boca Raton London New York CRC Press is an imprint of the Taylor &
More informationOther Public-Key Cryptosystems
Other Public-Key Cryptosystems Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: 10-1 Overview 1. How to exchange
More informationSelecting Elliptic Curves for Cryptography: An Eciency and Security Analysis
Selecting Elliptic Curves for Cryptography: An Eciency and Security Analysis Joppe W. Bos, Craig Costello, Patrick Longa and Michael Naehrig Microsoft Research, USA Abstract. We select a set of elliptic
More informationLow-Resource and Fast Elliptic Curve Implementations over Binary Edwards Curves
Rochester Institute of Technology RIT Scholar Works Theses Thesis/Dissertation Collections 5-2016 Low-Resource and Fast Elliptic Curve Implementations over Binary Edwards Curves Brian Koziel bck6520@rit.edu
More information