Elliptic Curve Cryptography

Transcription

1 Areas for Discussion Elliptic Curve Cryptography Joseph Spring Department of Computer Science 7COM Distributed Systems Security Lecture - Elliptic Curves 1 1 Motivation Elliptic Curves Security of ECC Lecture - Elliptic Curves 1 2 Motivation Majority of products/standards using public key cryptography for encryption and digital signatures use RSA Bit length for secure RSA however, has increased in recent years putting heavier processing loads on applications that use RSA This has had subsequent consequences for e- commerce sites that carry out a lot of secure transactions Lecture - Elliptic Curves 1 3 Motivation Elliptic Curve Cryptography (ECC) is a recent development in the field of public key systems - a new challenger to RSA ECC already appears in Standardisation documents e.g. IEEE P1363 Standard for Public Key Cryptography Lecture - Elliptic Curves 1 4 Motivation Attraction ECC appears to offer the same security for far smaller bit size - thus reducing processing time Theory for ECC longstanding Concern lies in ECC products are a recent innovation Sustained cryptanalytic interest looking for weaknesses in ECC are recent Hence, confidence in ECC not yet as high as in RSA Lecture - Elliptic Curves 1 5 Diophantine Equations Elliptic curves belong to a class of equations known as Diophantine Equations which are polynomial equations in one or more variables for which we seek either integer or rational solutions For example: X + Y = Z x + y = z Pythagorean Triples Fermats equation of degree x Dy = 1 Pells Equation (D being a non square integer) Lecture - Elliptic Curves 1 6

2 Elliptic Curves - Form of Equation In general Elliptic Curves are of the form: 2 y + axy+ by = x + cx + dx+ e where a, b, c and d are real numbers satisfying some simple conditions Included in the definition of any elliptic curve is an element 0 referred to as the point at infinity or the zero point Such equations are said to be cubic or of order 3 the highest power they contain is a 3 Lecture - Elliptic Curves 1 7 Elliptic Curves - Form of Equation Examples 1 y = x x = y x x 1 (see p299 of course text for graphs of examples) Sketch the following elliptic curves: y = x + y x x = y = x x + Lecture - Elliptic Curves 1 8 Lecture - Elliptic Curves 1 9 Lecture - Elliptic Curves 1 10 Lecture - Elliptic Curves 1 11 Lecture - Elliptic Curves 1 12

3 Elliptic Curves - Graphs Note Elliptic curves are not Ellipses the graph of an ellipse looks like a flattened circle equations for an elliptic curve are similar to those used to calculate the circumference of an ellipse Lecture - Elliptic Curves 1 13 Lecture - Elliptic Curves 1 14 A form of addition may be defined upon the set of points on an Elliptic curve E such that an Abelian Group (E,+) results. We begin with the following definition: Definition If three points lie on an elliptic curve E and at the same time also lie on a straight line then their sum is DEFINED to be 0 the point at infinity or zero point (see pp 300 of course text) Lecture - Elliptic Curves is referred to as the additive identity. So 0 = - 0 and in particular P + 0 = P for all points P lying on the Elliptic curve E A vertical line meets the elliptic curve E at two points P 1 = (x, y) and P 2 = (x, -y) with the same x coordinate. It also meets the curve at the infinity point 0. Hence P 1 + P = 0 and P 1 = - P 2 So the negative of a point P = (x,y) is a point with the same x co-ordinate but negative y co-ordinate. Namely: P = (x, -y) Lecture - Elliptic Curves 1 16 The addition of two points with different x coordinates may now be defined: Case 1 Q R straight line non-tangential Draw a straight line between points Q and R. The straight line intersects the Elliptic Curve E again at the point P 1. Case 2 Q R straight line tangential at Q In this case we take P 1 = Q Case 3 Q R straight line tangential at R In this case we take P 1 = R Lecture - Elliptic Curves 1 17 In each of Cases 1, 2 and 3 it follows that Q + R + P 1 = 0 and hence that Q + R = - P 1 Note: To double a point Q we simply draw the tangent to the Elliptic curve E at Q find the third point S. Then: Q + Q = 2Q = -S Lecture - Elliptic Curves 1 18

4 Now that we have a construction allowing us to add any two points on an Elliptic curve E we can investigate the Associative and Commutative Properties of Addition As mentioned earlier it transpires that the points on an Elliptic curve form an Abelian group - the properties of which follow on the next slide. Can you find a proof for the commutative and associativity properties Lecture - Elliptic Curves 1 19 Properties Let E be an Elliptic Curve; Q, -Q, R and S be points on E; and 0 be the point at infinity / zero point 1 Identity Law, Q + 0 = 0 + Q = Q (additive identity) 2Commutative Law Q + R = R + Q 3 Associative Law Q + (R + S) = (Q + R) + S 4 Inverse Law Q + (-Q) = (-Q) + Q = 0 (additive inverse) Lecture - Elliptic Curves 1 20 A Finite Field is a field F that has a finite number of elements The order of F is the number of elements in F Facts 1 If F is a finite field then F contains p m elements where p is prime and m is an integer greater than or equal to 1 2 For m = 1 we work with the Galois Field GF(p) For m > 1 we work with the Galois Field GF(p m ) where all arithmetic is carried out with irreducible polynomials of degree m Lecture - Elliptic Curves 1 21 We are interested in the Elliptic Group mod p where p is a prime number 3. This is formed as follows: Choose two non negative whole numbers a and b less than p, (So ab, p ) such that: 3 2 4a + 27 b (mod p) 0 Then E p(a, b) denotes the elliptic group mod p The points ( xy, ) p p satisfy the equation F : y = x + ax+ b (mod p) and include O the point at infinity. Lecture - Elliptic Curves 1 22 Procedure 1 The points on F can be found by calculating 3 z = x + ax+ b (mod p) for each x p and then calculating the corresponding y 2 This will only be possible if z is a quadratic residue z = y 2 (mod p ) Lecture - Elliptic Curves Eulers criterion (E Kranakis,Cryptography and Primality, 1986) p 1 2 z is a quadratic residue z = 1 ( mod p) 4If z is a quadratic residue then we can find y p+ 1 y =± z 4, provided p can be written as p= 3 mod 4 Lecture - Elliptic Curves 1 24

5 Example 1 See p337 of Course text for Elliptic Curve E 23 (1, 1) 2 We Consider E 11 (1, 5) F y = x + x+ : 5 (mod11) a + b = + = + = = ( mod11) a + b 3 2 So (mod11) Also p = 11= 3mod 4, so the values for z (and hence y) are found for each value of x Lecture - Elliptic Curves 1 25 Example The points on the Elliptic Curve y 2 = x 3 + x + 5 x z = x 3 + x + 5 Quadratic Residue y (x, y) 0 5 Yes 4, 7 (0, 4), (0, 7) 1 7 No 2 4 Yes 2, 9 (2, 2), (2, 9) 3 2 No 4 7 No 5 3 Yes 5, 6 (5, 5), (5, 6) 6 7 No 7 3 Yes 5, 6 (7, 5), (7, 6) 8 8 No 9 6 No 10 3 Yes 5, 6 (10, 5), (10, 6) Lecture - Elliptic Curves 1 26 We have seen that by choosing a suitable operator + the points on an Elliptic Curve form an Abelian Group So given an Elliptic Curve F and points P F and Q F it follows that P + Q F The rules for addition in E p(a, b) are outlined on pages of the course text. Work through the examples!!! Lecture - Elliptic Curves 1 27 Exercise Show that for E 11 (1, 5), given that P = ( 0, 7 ) then: P = ( 0, 7 ) 6P = ( 7, 6 ) 2P = ( 5, 6 ) 7P = ( 2, 9 ) 3P = ( 10, 6 ) 8P = ( 10, 5 ) 4P = ( 2, 2 ) 9P = ( 5, 5 ) 5P = ( 7, 5 ) 10P = ( 0, 4 ) How do these correspond to our earlier findings? Lecture - Elliptic Curves 1 28 We consider two cipher systems based on elliptic curves. The following points holds for both systems: 1 Let F be an Elliptic Curve defined for p with p prime and p > 3 2 Let P be a point on the Elliptic Curve so P F 3 Choose a number α as secret exponent α a positive whole number 4Define Q = αp, so Q F 5 The public key consists of P and Q 6 The private key is α Lecture - Elliptic Curves 1 29 There are several approaches to encryption/decryption using Elliptic Curves First the plaintext m is encoded as a point P m = ( x, y ) Next the point P m is encrypted as ciphertext Finally the ciphertext point is decrypted There are several approaches to encoding which we will not address. There are relatively straightforward techniques available Lecture - Elliptic Curves 1 30

6 The El-Gamal cipher system based on Elliptic Curves 1 Let the message M = (u 1, u 2 ) F 2 Let k be a random number 3 Define encipherment to be C = e(m,k) = (v 1, v 2 ) where v 1 = kp, and v 2 = M + kq 4 Define decipherment to be M = d(c,α) = v 2 - αv 1 = (M + kq) - αkp Recall αp = Q hence result follows. Lecture - Elliptic Curves 1 31 The message is said to be masked by adding kp to it Only Alice knows the value of k Although Q is public the mask kq cannot be removed unless the private key α is known For Eve to obtain the message she would have to deduce k and/or α given only P and Q The strength of the algorithm lies in the difficulty of finding α given P and Q. This is known as the Elliptic Curve Logarithm Problem The disadvantage of the algorithm lies in fact that the messages to be encrypted must be points on the curve F Lecture - Elliptic Curves 1 32 El-Gamel Example Lecture - Elliptic Curves 1 33 The Menezes-Vanstone Cipher System based on Elliptic Curves 1 Let the message M = (u 1, u 2 ) F 2 Let k be a random number 3 Define encipherment to be C = e(m,k) = (y 0, y 1, y 2 ) where y 0 = kp, and (c 1, c 2 ) = kq, y 1 = c 1 u 1 mod p and y 2 = c 2 u 2 mod p Lecture - Elliptic Curves 1 34 The Menezes-Vanstone Cipher System based on Elliptic Curves (continued) Menezes-Vanstone Example 4 Define decipherment to be M = d(c, α) = (y c ( mod p), y c ( mod p) ) where αy = ( c, c ) Lecture - Elliptic Curves 1 35 Lecture - Elliptic Curves 1 36

7 Security of Elliptic Curve Cryptography Summary See p344 of the course text Motivation Elliptic Curves Security of ECC Lecture - Elliptic Curves 1 37 Lecture - Elliptic Curves 1 38 References William Stallings: Cryptography and Network Security Jan C A Van Der Lubbe: Basic Methods of Cryptography Joseph H Silverman: A Friendly introduction to Number Theory Douglas R Stinson: Cryptography - Theory and Practice N Koblitz: A Course in Number Theory and Cryptography B Schneier: Applied Cryptography Lecture - Elliptic Curves 1 39 References William Stallings: Cryptography and Network Security Jan C A Van Der Lubbe: Basic Methods of Cryptography Joseph H Silverman: A Friendly introduction to Number Theory Douglas R Stinson: Cryptography - Theory and Practice N Koblitz: A Course in Number Theory and Cryptography Lecture - Elliptic Curves 1 40