The Elliptic Curve in https

Similar documents
Public-key Cryptography and elliptic curves

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

8 Elliptic Curve Cryptography

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Public-key Cryptography and elliptic curves

CPSC 467b: Cryptography and Computer Security

Elliptic Curves and an Application in Cryptography

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

CPSC 467: Cryptography and Computer Security

Lecture 1: Introduction to Public key cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Cryptography. P. Danziger. Transmit...Bob...

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Lecture Notes, Week 6

MATH 158 FINAL EXAM 20 DECEMBER 2016

Elliptic Curve Cryptography

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

CPSC 467b: Cryptography and Computer Security

Asymmetric Encryption

Other Public-Key Cryptosystems

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Introduction to Elliptic Curve Cryptography. Anupam Datta

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Cryptography IV: Asymmetric Ciphers

CRYPTOGRAPHY AND NUMBER THEORY

Chapter 8 Public-key Cryptography and Digital Signatures

Public-Key Cryptosystems CHAPTER 4

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Lecture 7: ElGamal and Discrete Logarithms

9 Knapsack Cryptography

Lattice-Based Cryptography

Sharing a Secret in Plain Sight. Gregory Quenell

Chapter 4 Asymmetric Cryptography

Introduction to Cryptography. Lecture 8

Asymmetric Cryptography

Public Key Algorithms

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Public Key Cryptography

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Question: Total Points: Score:

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

Elliptic Curve Cryptography

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Public-key cryptography and the Discrete-Logarithm Problem. Tanja Lange Technische Universiteit Eindhoven. with some slides by Daniel J.

Introduction to Modern Cryptography. Benny Chor

Lecture V : Public Key Cryptography

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Points of High Order on Elliptic Curves ECDSA

Number theory (Chapter 4)

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Other Public-Key Cryptosystems

Mathematics of Public Key Cryptography

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Fundamentals of Modern Cryptography

One can use elliptic curves to factor integers, although probably not RSA moduli.

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

CRYPTOGRAPHY AND LARGE PRIMES *

CIS 551 / TCOM 401 Computer and Network Security

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

Great Theoretical Ideas in Computer Science

Introduction to Modern Cryptography. Benny Chor

Practice Assignment 2 Discussion 24/02/ /02/2018

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Curves, Cryptography, and Primes of the Form x 2 + y 2 D

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

Elliptic Curve Cryptography with Derive

Mathematics of Cryptography

Public Key Cryptography

Eindhoven University of Technology MASTER. Kleptography cryptography with backdoors. Antheunisse, M. Award date: 2015

1 Number Theory Basics

Introduction to Elliptic Curve Cryptography

Topics in Cryptography. Lecture 5: Basic Number Theory

Math/Mthe 418/818. Review Questions

AN INTRODUCTION TO THE UNDERLYING COMPUTATIONAL PROBLEM OF THE ELGAMAL CRYPTOSYSTEM

CPSC 467: Cryptography and Computer Security

10 Public Key Cryptography : RSA

RSA. Ramki Thurimella

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

Solution to Midterm Examination

Gurgen Khachatrian Martun Karapetyan

Cryptography. pieces from work by Gordon Royle

Information Security

International Electronic Journal of Pure and Applied Mathematics IEJPAM, Volume 9, No. 1 (2015)

My brief introduction to cryptography

Arithmétique et Cryptographie Asymétrique

An Introduction to Elliptic Curve Cryptography

APPLICATION OF ELLIPTIC CURVES IN CRYPTOGRAPHY-A REVIEW

Elliptic Curve Cryptography

Notes for Lecture 17

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

KEY EXCHANGE PROTOCOL WITH GAUSSIAN INTEGER MATRICES

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Transcription:

The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1

The s in https:// HyperText Transfer Protocol Secure Uses algebra, number theory, and algebraic geometry to verify the identity of the web page (no fake cave) make sure communication is encrypted (no eavesdroppers) Main players: RSA (see Algebra 1) Elliptic Curve Cryptography Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 6

Examples of use of ECC in the real world Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 7

Encryption (protection against eavesdroppers) Alice Bob key e key d M E (encrypt) C D (decrypt) M Symmetric cryptography: one key d = e = k is shared Example: Caesar code E shifts every letter forward by k in the alphabet D shifts every letter backward by k in the alphabet k = 3: DELFT GHOIW DELFT More modern encryption (AES) is safe and fast, but... need to share a key k first! Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 8

Asymmetric cryptography Alice Bob key e key d M E (encrypt) C D (decrypt) M Symmetric cryptography: one key d = e = k is shared Asymmetric cryptography: d e; e is made public Examples: everyone can encrypt messages that only Bob can read; Bob makes signatures that everyone can verify. One way functions. Impossible? Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 8

The integers modulo 7 with the rules F 7 = {0, 1, 2, 3, 4, 5, 6} x + y = z, where z is remainder of x + y on division by 7 x y = z, where z is remainder of x y on division by 7 Examples: 2 4 = 2 2 2 2 = 2 3 + 6 = 2 because 3 + 6 = 9 = 1 7 + 2 5 4 = 6 because 5 4 = 20 = 2 7 + 6 Satisfies many rules of arithmetic such as x ab = (x a ) b. (It is a ring.) Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 9

Exponentiation modulo 1000003 Examples of multiplication in F 1000003 = F 1000003 \ {0}: 1001 2 = 1002001 = 1998 1001 4 = 1998 2 = 991995 1001 8 = 991995 2 = 1001 16 = ( ) 2 = 1001 32 = ( ) 2 = 1001 10000 =???? 10000 = 2 13 + 2 10 + 2 9 + 2 8 + 2 4, so g 10000 = g (213 ) g (2 10 ) g (2 9 ) g (2 8 ) g (2 4 ). Takes not 9999 multiplications, but only 17. Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 10

Exponentiation modulo p = 2 256 2 224 + 2 192 + 2 96 1 Let g F p, a Z with 77 digits, say p = 115792089210356248762697446949407573530086143415290314195533631308867097853951, g = 40929056875212190070682550560009930198227808570709790430510819830666007717983, a = 34045128435571965610752072282621814455526057737889900435563329387397872203496. Computing h = g a takes not 3.4 10 76 multiplications in F p, but only 377. Phew! So: easy to compute the map a g a. Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 11

Exponentiation modulo p = 2 256 2 224 + 2 192 + 2 96 1 Let g F p, a Z with 77 digits, p = 115792089210356248762697446949407573530086143415290314195533631308867097853951, g = 40929056875212190070682550560009930198227808570709790430510819830666007717983, a = 34045128435571965610752072282621814455526057737889900435563329387397872203496. Computing h = g a takes not 3.4 10 76 multiplications in F p, but only 377. Phew! So: easy to compute the map a g a. Inverse? Given g and h = g a, find a. (Discrete log problem (DLP) in F p) Naive algorithm: try g 1 = h?, g 2 = h?, g 3 = h?,... Need 3.4 10 76 tries to find a. Takes impossibly long! We have our one way map: a g a. Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 11

Exponentiation modulo p = 2 256 2 224 + 2 192 + 2 96 1 Given g and h = g a, find a. (Discrete log problem (DLP) in F p) Naive algorithm: try g 1 = h?, g 2 = h?, g 3 = h?,... Need 3.4 10 76 tries to find a. Takes impossibly long! We have our one way map: a g a. There exist encryption and digital signatures based on the DLP. Instead, I will explain a simpler cryptographic protocol. Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 11

Diffie-Hellman key exchange (1976) Goal: agree on a key for symmetric encryption Public parameters: p a prime number, g F p. Alice (communication channel) Bob random a Z compute g a g a g b random b Z compute g b compute g (ab) = (g b ) a and use as key compute g (ab) = (g a ) b and use as key Given only p, g, g a, g b, it is believed to be hard to find g (ab). Finding a is the discrete logarithm problem in F p, and breaks the scheme. Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 12

Elliptic curves Next: what are elliptic curves, and why are they better? Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 13

Elliptic curves Consider the curve in the (x, y)-plane R 2 given by the equation y 2 = x 3 3x. Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 14

Elliptic curves Consider the curve in the (x, y)-plane R 2 given by the equation y 2 = x 3 3x. Q P Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 14

Elliptic curves Consider the curve in the (x, y)-plane R 2 given by the equation y 2 = x 3 3x. Q P P Q Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 14

Elliptic curves Consider the curve in the (x, y)-plane R 2 given by the equation y 2 = x 3 3x. Q P P Q We get an addition law + on the set E(R) of points, including one extra point 0 at infinity. + satisfies standard rules of arithmetic such as (P + Q) + R = P + (Q + R) (E(R) is a group ). np = P + P + + P Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 14

Formulas (up to typos) Given P = (x 1, y 1 ), Q = (x 2, y 2 ) E(R). If x 1 = x 2 and y 1 = y 2, then P + Q = 0. Otherwise, P + Q = (x 3, y 3 ), where: If x 1 x 2, then ( ) y2 y 2 ( ) 1 y2 y 1 x 3 = x 1 x 2, y 3 = x 3 y 1x 2 y 2 x 1 ; x 2 x 1 x 2 x 1 x 2 x 1 If x 1 = x 2, then x 3 = (x 2 + 3) 2 4x(x 2 3), y 3 = 3x 3(x 2 1) + x 3 + 3x 2y 1. So defining E and + only uses arithmetic. In particular, we can define elliptic curves over F p and add points on them! Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 15

Elliptic curves over F p Defining E and + only uses arithmetic. In particular, we can define elliptic curves over F p and add points on them! Example: y 2 = x 3 3x over F 17. G = (3, 1) E(F 17 ) (as 1 2 = 3 3 3 3) Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 16

The elliptic curve discrete logarithm problem Example: y 2 = x 3 3x over F 17. G = (3, 1) E(F 17 ) (as 3 2 3 3 = 1 2 ) 2G = (2, 11) 4G = 2(2G) = (4, 16) 8G = 2(4G) = (1, 10) 16G = 2(8G) = (15, 7) So 18G = 16G + 2G = (1, 7) takes not 17 but only 6 additions. Now suppose p 2 256. Computing ag with a 2 256 10 77 takes not 10 77 additions but less than 500. The elliptic curve discrete log problem asks: given p, E, G E(F p ), H = ag, compute a. Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 17

Diffie-Hellman key exchange (1976) Goal: agree on a key for symmetric encryption Public parameters: p a prime number, g F p. Alice (communication channel) Bob random a Z compute g a g a g b random b Z compute g b compute g (ab) = (g b ) a and use as key compute g (ab) = (g a ) b and use as key Given only p, g, g a, g b, it is believed to be hard to find g (ab). Finding a is the discrete logarithm problem in F p, and breaks the scheme. Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 18

Elliptic Curve cryptography, Koblitz and Miller (1985) Replace F p by E(F p ) in any discrete log cryptosystem, e.g.: Public parameters: p a prime number, E elliptic curve, G E(F p ). Alice (communication channel) Bob random a Z compute ag ag bg random b Z compute bg compute (ab)g = a(bg) and use as key compute (ab)g = b(ag) and use as key Given only E, G, ag, bg, it is believed to be hard to find (ab)g. Finding a is the discrete logarithm problem in E(F p ), and breaks the scheme. Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 18

Fast attacks So far, only mentioned naive attack: try a = 1, a = 2, a = 3,... There exist much faster methods for solving the discrete log problem in F p based on algebraic geometry and algebraic number theory. To make these attacks infeasible, for F p-cryptography use not p 2 256 (77 digits), but use p 2 3072 (924 digits). For EC discrete logs, no fast attacks are known (in spite of much effort!), and working with 77 digits is safe. This makes ECC much more efficient at the same security level! Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 19

Example: Gmail (screenshots of Firefox) Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 20

Example: Facebook (screenshots of Chrome) Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 22

The ECC standard curve secp256r1 p = 2 256 2 224 + 2 192 + 2 96 1 E given by where y 2 = x 3 3x + b, b =41058363725152142129326129780047268409114441015993725554835256314039467401291 G =(48439561293906451759052585252797914202762949526041747995844080717082404635286, 36134250956749795798585127919587881956611106672985015071877198253568414405109) Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 24

Conclusions Geometry exists not only over R, but also over F p (integers modulo p). https always uses algebra, geometry, number theory for setting up the connection (RSA, Diffie-Hellman, ECC). Elliptic curves are used by Google Mail and Facebook. Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback