Introduction to Elliptic Curve Cryptography. Anupam Datta

Similar documents
Public Key Cryptography

Introduction to Cryptography. Lecture 8

One can use elliptic curves to factor integers, although probably not RSA moduli.

Lecture Notes, Week 6

Elliptic Curve Cryptography

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Introduction to Elliptic Curve Cryptography

Public-key Cryptography and elliptic curves

8 Elliptic Curve Cryptography

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Public-key Cryptography and elliptic curves

Elliptic Curve Cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Topics in Cryptography. Lecture 5: Basic Number Theory

Introduction to Cybersecurity Cryptography (Part 4)

MATH 158 FINAL EXAM 20 DECEMBER 2016

Chapter 8 Public-key Cryptography and Digital Signatures

An Introduction to Elliptic Curve Cryptography

Points of High Order on Elliptic Curves ECDSA

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

CPSC 467b: Cryptography and Computer Security

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Other Public-Key Cryptosystems

Lecture 1: Introduction to Public key cryptography

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

The Elliptic Curve in https

CPSC 467b: Cryptography and Computer Security

Ti Secured communications

Asymmetric Encryption

CPSC 467: Cryptography and Computer Security

Discrete Logarithm Problem

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Information Security

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Katherine Stange. ECC 2007, Dublin, Ireland

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Public Key Algorithms

Crypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.

Cryptography IV: Asymmetric Ciphers

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

Elliptic Curve Cryptography

Introduction to Cryptography. Lecture 6

Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs

Number Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers

Cryptography and Security Final Exam

Lecture 6: Cryptanalysis of public-key algorithms.,

14 Diffie-Hellman Key Agreement

Lecture 14: Hardness Assumptions

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Introduction to Modern Cryptography. Benny Chor

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Discrete logarithm and related schemes

Innovation and Cryptoventures. Cryptography 101. Campbell R. Harvey. Duke University, NBER and Investment Strategy Advisor, Man Group, plc

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Digital Signatures. Adam O Neill based on

Lecture 7: ElGamal and Discrete Logarithms

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Number theory (Chapter 4)

Elliptic Curves and an Application in Cryptography

Public-Key Encryption: ElGamal, RSA, Rabin

CS 355: Topics in Cryptography Spring Problem Set 5.

Elliptic Curve Cryptography with Derive

Other Public-Key Cryptosystems

My brief introduction to cryptography

APPLICATION OF ELLIPTIC CURVES IN CRYPTOGRAPHY-A REVIEW

arxiv: v3 [cs.cr] 15 Jun 2017

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

SM9 identity-based cryptographic algorithms Part 1: General

Winter 2011 Josh Benaloh Brian LaMacchia

Discrete Mathematics GCD, LCM, RSA Algorithm

CSC 5930/9010 Modern Cryptography: Number Theory

Introduction to Modern Cryptography Recitation 3. Orit Moskovich Tel Aviv University November 16, 2016

Selecting Elliptic Curves for Cryptography Real World Issues

APA: Estep, Samuel (2018) "Elliptic Curves" The Kabod 4( 2 (2018)), Article 1. Retrieved from vol4/iss2/1

An Exploration of the Group Law on an Elliptic Curve. Tanuj Nayak

RSA. Ramki Thurimella

RSA-256bit 數位電路實驗 TA: 吳柏辰. Author: Trumen

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Addition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?

2 3 DIGITAL SIGNATURE STANDARD (DSS) [PROPOSED BY NIST, 1991] Pick an x 2 Z p,1 as the private key Compute y = g x (mod p) asthe public key To sign a

Constructing Abelian Varieties for Pairing-Based Cryptography

1 Number Theory Basics

Lecture V : Public Key Cryptography

Notes 10: Public-key cryptography

Definition of a finite group

Lecture 5: Arithmetic Modulo m, Primes and Greatest Common Divisors Lecturer: Lale Özkahya

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

Elliptic Curve Crytography: A Computational Science Model

Public-Key Cryptosystems CHAPTER 4

Mathematical Foundations of Public-Key Cryptography

Final Report. Cryptography and Number Theory Boot Camp NSF-REU. Summer 2017

Notes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I

Transcription:

Introduction to Elliptic Curve Cryptography Anupam Datta 18-733

Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups / Number Theory Basis Additive group based on curves What is the point? Less efficient attacks exist so we can use smaller keys than discrete log / RSA based cryptography

Computing Dlog in (Z p ) * (n-bit prime p) Best known algorithm (GNFS): run time exp( ) cipher key size modulus size 80 bits 1024 bits 128 bits 3072 bits 256 bits (AES) 15360 bits Elliptic Curve group size 160 bits 256 bits 512 bits As a result: slow transition away from (mod p) to elliptic curves

Discrete Logs Let p = 2q + 1 where p, q are large primes Z p is the group of integers modulo p Z p = 2q G q = QR Z p is the quadratic residue subgroup of Z p QR Z p = q, subgroup of prime order Every element g G q is a generator, pick a random one Pick secret x, compute g x mod p Public: p, q, g, g x Secret: x Discrete Log Assumption: Given Public it is hard to find Secret

Outline Elliptic curves over reals Elliptic curves over Z p ECDH and ECDSA

Elliptic Curves Consider the following equation: y 2 = x 3 + ax + b Idea: we pick (a, b) and form a group which is a set containing all of the points that satisfy the equation This group will be defined with a very special addition operation which introduces an additional imaginary point

Example

Not all curves are valid elliptic curves Left: y 2 = x 3 has a cusp Right: y 2 = x 3 3x + 2 has a self intersection In general we require: 4a 3 + 27b 2 0 Observation: curves are symmetric about the point y = 0

Elliptic Curves as a Group Groups are sets defined over some operation with some structure / properties G = x, y : y 2 = x 3 + ax + b Define an operation denoted by + such that: If p 1, p 2 G, p 1 + p 2 G (Closure) p 1 + p 2 + p 3 = p 1 + (p 2 + p 3 ) (Associative) 0 s. t. p p + 0 = 0 + p = p (Identity) p p 1 s. t. p + p 1 = 0 (Inverse) Curves will form an abelian group p 1 + p 2 = p 2 + p 1 (Communitive)

The Group Operation Not typical point-wise addition! What is this 0 element? y 2 = x 3 + ax + b does not include (0, 0) if b 0 How do we know inverses exist if we don t know what the 0 element is? How do we maintain closure? x, y + x, y = 2x, 2y for typical pointwise addition which in general does not lie on the curve

The Group Operation Let P, Q, R G, such that a line passes through all of them, then group operation is: P + Q + R = 0 This is strange, we have a relationship between points that lie along but no clear notion of traditional addition We can use the relationship to define a more traditional form of addition: P + Q = R

The Group Operation P + Q = R R = x r, y r, R = x r, y r What happens if we want to compute R + R? What third point on the curve lies on the line defined by (R, R)? We say this is the point defined at infinity, we denote it by 0, and it is the additive identity R + R = 0 Adjust our definition of the group: G = x, y : y 2 = x 3 + ax + b {0}

The Group Operation (Geometric) Given G = x, y : y 2 = x 3 + ax + b {0}, calculate P + Q Geometrically, figure out the third point R such that a line goes through P, Q, R and then set P + Q = R What could possibly go wrong? P or Q could be 0 0 Is the identity under the group operation, so P + 0 = 0 + P = P P = -Q This is the case of R + R = 0 which was defined by the vertical line P = Q Imagine tangent to P, use that to find R. P + P = R describes the line tangent to P that intersects at R There is no 3 rd point This occurs when the line is tangent to exactly one of P or Q. Suppose the line is tangent to P, then from before we have P + P = Q which gives us P + Q = P If line is tangent to Q, then Q + Q = P which would give us P + Q = Q

Algebraic Solution Let P Q, line defined by P, Q has slope m = y P y Q x P x Q Intersection with point R = x R, y R : x R = m 2 x P x Q y R = y P + m x R x P = y Q + m x R x Q How would we check that this is correct? Check if x R, y R G, if it is then correct with high probability

Multiplication We have defined addition, so now we can define multiplication n P = P + P + + P n times Inefficient for multiplying by large numbers Use doubling algorithm, analogue of repeated squaring algorithm for exponentiation Calculate 19 (6 Additions): A = 1+1 = 2 B = A + A = 2 + 2 = 4 C = B + B = 4 + 4 = 8 D = C + C = 16 19 = D + A + 1

Back to Discrete Logs In the discrete log setting, exponentiation was easy, but logs were hard g x Easy, log g g x Hard In the elliptic curve setting, multiplication is easy but division is hard We still call division logarithm even though its really division here We used the asymmetry of these operations in the discrete log setting to do key exchange / encryption, can do a similar thing with elliptic curves

Fields A field is a set F with two operations (+, ) that has the following properties: F is an abelian group under + The non-zero elements of F are an abelian group under a b + c = ab + ac a, b, c F (Distributive)

Elliptic Curves Over a Field Note: Z n (+, ) is a field when n is prime Refine the definition of the curve group again: G = x, y F P 2 : y 2 = x 3 + ax + b mod p ٿ 4a 3 + 27b 2 0 mod p {0} Curves are now defined only at discrete points and not over the smooth lines that we had before

Elliptic Curves Over a Field y 2 = x 3 7x + 10 mod p where p = 19, 97, 127, 487

Operation for Curves Over a Field Curve y 2 = x 3 x + 3 (mod 127), P = 16, 20, Q = (41, 120)

Operation for Curves Over a Field The addition operation that we defined before works exactly the same on curves defined over a field All of the special cases are handled exactly the same as before Intersection with point R = x R, y R still computed as: x R = m 2 x P x Q mod p y R = y P + m x R x P mod p = y Q + m x R x Q mod p

Order of Elliptic Curve Group # of unique points in the group Could simply try and count them, but there are too many for this to be possible Efficient algorithms for computing this exist

Subgroups of Elliptic Curve Groups In the discrete log setting, we selected a generator g and computed g 0, g 1, mod p This group generated by the generator had an order that divided the order of the parent group by Lagrange s Theorem In Elliptic Curves we can select a point P which is like a generator and compute 0P, P, 2P, 3P, mod p, we call this a Base Point This operation will also generate a cyclic subgroup of the Elliptic curve group whose order divides the order of the parent group

Subgroups of Elliptic Curve Groups Suppose we pick a point, P, how can we find the order of the subgroup generated by P? Let N be the order of the parent group Let N = p 1 k 1 p 2 k 2 be the prime factorization of N Let n be the order of the subgroup Idea: take all divisors of N, given by the prime factorization, and sort them smallest to largest, call them n. The order of the subgroup is the smallest n such that np = 0.

Finding Base Point With High Order We will want to find a base point that generates a subgroup with prime order that is as high as possible Let h = N n we will call h the cofactor of the subgroup Let n be the largest prime factor in the prime factorization of N NP = 0 because N is an integer multiple of any point P n hp = 0 by re-writing N = nh This tells us that the point hp = G has order n unless G = 0 G is a generator of a cyclic subgroup of prime order n

ECDH Elliptic Curve Diffie-Hellman Regular Diffie-Hellman: Alice has secret a and computes g a Bob has secret b and computes g b They exchange and compute g ab Key insight: it is hard for an adversary to compute g ab from g a, g b ECDH Setting, Public Parameters: p, a, b, G, n, h p = large prime (a, b) = coefficients in y 2 = x 3 + ax + b G = base point that generates subgroup of large prime order n = order of the subgroup h = cofactor of the subgroup

ECDH Elliptic Curve Diffie-Hellman Alice: d A R Z n, H A = d A G Bob: d B R Z n, H B = d B G Alice -> Bob: H A Bob -> Alice: H B Alice: d A H B = d A d B G Bob: d B H A = d B d A G Say S = d A d B G is the shared secret, can use it to derive a symmetric key

ECDSA Elliptic Curve Digital Signature Algorithm Public Information: p, a, b, G, n, h Alice s Private Key: d A Alice s Public Key: H A = d A G Alice signs a message m Z n by performing the following: k R Z n P = kg = (x P, y P ) r = x P mod n, if r = 0 start over s = k 1 m + rd A mod n, if s = 0 start over Output signature (s, r)

ECDSA Elliptic Curve Digital Signature Algorithm Bob can verify a message signed by performing the following: Bob gets m, s, r, H A Calculate u 1 = s 1 m mod n, u 2 = s 1 r mod n Calculate P = u 1 G + u 2 H A Valid if and only if r = x P mod n

ECDSA Elliptic Curve Digital Signature Algorithm Check that the algorithm is correct: P = u 1 G + u 2 H A = u 1 G + u 2 d A G = u 1 + u 2 d A G P = s 1 m + s 1 rd A G = s 1 m + rd A G s = k 1 m + rd A k = s 1 m + rd A P = s 1 m + rd A G = kg Thus the signature will verify correctly

Acknowledgments Many slides created by Kyle Soska (TA for 18733 in Spring 2016)

Pairing Based Cryptography Computational Diffie-Hellman Given g, g a, g b compute g ab Decisional Diffie-Hellman Given g, g a, g b, cant tell g ab apart from random element g c for random c Let G 1, G 2, G T be groups of prime order q, then a bilinear pairing denoted e is an operation that maps from G 1 G 2 G T such that a, b F q, P G 1, Q G 2 e ap, bq = e P, Q ab 1 Idea: We can use pairing based cryptography to create a situation where Computational Diffie-Hellman is hard, but Decisional Diffie-Hellman is easy

Pairing Based Cryptography Computational Diffie-Hellman Given g, g a, g b compute g ab Decisional Diffie-Hellman Given g, g a, g b, cant tell g ab apart from random element g c for random c Suppose an adversary has g a, g b, g z, where g z is randomly either g ab or g c for c random. How can he check which one he has? e g a, g b = e g, g ab = e g, g ab Adversary computes e g, g z =? e g a, g b

Pairing Based Signatures (Boneh et al.) x R Z q Private Key: x, Public Key: g x Sign message m by hashing it yielding h = H(m) and signing the hash as σ = h x Verify (σ, m) as e σ, g =? e H m, g x e σ, g = e h x, g = e H m x, g = e H m, g x = e H m, g x

Twists Of Elliptic Curves Suppose you have an elliptic curve E[p] over some field F A twist of E[p] another elliptic curve over a field extension of F A twist of E[p] will be isomorphic to E[p], namely it will have the same order, and there is a 1-1 onto mapping between them

Other Notes Weil Pairing is a well studied paring where the groups G are elliptic curves There are many standardized elliptic curve groups y 2 + xy = x 3 + ax 2 + 1 over F 2 m, m = prime and a = 0 or 1 Koblitz Curves, very fast addition and multiplication x 2 + y 2 = 1 + dx 2 y 2 where d = 0 or 1 Edwards Curves, point addition is the same in all cases, and reasonably fast

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback