Arithmétique et Cryptographie Asymétrique

Similar documents
8 Elliptic Curve Cryptography

CPSC 467b: Cryptography and Computer Security

Public-key Cryptography and elliptic curves

CPSC 467: Cryptography and Computer Security

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Introduction to Elliptic Curve Cryptography

Elliptic Curve Cryptography with Derive

Public-key Cryptography and elliptic curves

Definition of a finite group

Chapter 8 Public-key Cryptography and Digital Signatures

Overview. Background / Context. CSC 580 Cryptography and Computer Security. March 21, 2017

Points of High Order on Elliptic Curves ECDSA

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

Discrete logarithm and related schemes

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Discrete Logarithm Problem

MATH 158 FINAL EXAM 20 DECEMBER 2016

CIS 551 / TCOM 401 Computer and Network Security

Public Key Cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Elliptic Curve Cryptosystems

Elliptic Curve Cryptography

Elliptic Curve Cryptography

One can use elliptic curves to factor integers, although probably not RSA moduli.

Mathematics of Cryptography

Lecture 1: Introduction to Public key cryptography

Public-Key Cryptosystems CHAPTER 4

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography

Introduction to Cybersecurity Cryptography (Part 5)

basics of security/cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Other Public-Key Cryptosystems

On the complexity of computing discrete logarithms in the field F

Public Key Algorithms

An Introduction to Elliptic Curve Cryptography

Ti Secured communications

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

Applied Cryptography and Computer Security CSE 664 Spring 2018

Mathematical Foundations of Public-Key Cryptography

10 Modular Arithmetic and Cryptography

Introduction to Modern Cryptography. Lecture RSA Public Key CryptoSystem 2. One way Trapdoor Functions

Carmen s Core Concepts (Math 135)

Asymmetric Encryption

For your quiz in recitation this week, refer to these exercise generators:

The Elliptic Curve in https

Elliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

CPSC 467b: Cryptography and Computer Security

Course MA2C02, Hilary Term 2013 Section 9: Introduction to Number Theory and Cryptography

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Chapter 10 Elliptic Curves in Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Public Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Week : Public Key Cryptosystem and Digital Signatures

Cryptography IV: Asymmetric Ciphers

Number Theory. Modular Arithmetic

Mechanizing Elliptic Curve Associativity

ICS141: Discrete Mathematics for Computer Science I

CPSC 467b: Cryptography and Computer Security

Information Security

Joseph Fadyn Kennesaw State University 1100 South Marietta Parkway Marietta, Georgia

Part VIII. Elliptic curves cryptography and factorization

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Elliptic Curve Crytography: A Computational Science Model

ElGamal type signature schemes for n-dimensional vector spaces

Topics in Cryptography. Lecture 5: Basic Number Theory

Lecture 6: Cryptanalysis of public-key algorithms.,

Elliptic Curve Cryptography

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Other Public-Key Cryptosystems

Ma/CS 6a Class 2: Congruences

Winter 2011 Josh Benaloh Brian LaMacchia

Introduction to Elliptic Curve Cryptography. Anupam Datta

CDH/DDH-Based Encryption. K&L Sections , 11.4.

10 Public Key Cryptography : RSA

6. ELLIPTIC CURVE CRYPTOGRAPHY (ECC)

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

ASYMMETRIC ENCRYPTION

1 The Fundamental Theorem of Arithmetic. A positive integer N has a unique prime power decomposition. Primality Testing. and. Integer Factorisation

Security II: Cryptography exercises

Public Key Cryptography

Number Theory & Modern Cryptography

Elliptic Curve Cryptology. Francis Rocco

Elliptic Curve Cryptography

Basic Algorithms in Number Theory

Discrete Mathematics GCD, LCM, RSA Algorithm

Mapping an Arbitrary Message to an Elliptic Curve when Defined over GF (2 n )

Efficient Key Agreement and Signature Schemes Using Compact Representations in GF (p 10 )

A gentle introduction to elliptic curve cryptography

The Application of the Mordell-Weil Group to Cryptographic Systems

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Transcription:

Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010

This talk is about public-key cryptography Why did mathematicians end up using complex objects like elliptic curves over finite fields? There must be easier ways to encrypt a message... No? 1/28

Public-Key Cryptography (PKC) Anyone can encrypt a message with a public key but only the receiver can decrypt it with its private key 2/28

Comunications using PKC 1. Bob sends Alice his public key / Alice gets Bob s public key from a database 2. Alice encrypts her message using Bob s public key and sends it to Bob 3. Bob then decrypts Alice s message using his private key PKC solves the key management problem In the real world, PKC is used to encrypt (symmetric) keys and for digital signature 3/28

One-way functions Easy to compute, but significantly harder to reverse Easy: can be expressed with simple formula, e.g. polynomials Hard: It would take millions of years to compute x from f(x), even if all the computers in the world were assigned to the problem. (B. Schneier) As of today, reversing f should be at least 2 80 times harder than computing f 4/28

Trapdoor one-way functions One-way functions (if they exist) look like the perfect encryption machinery... if one does not care about decryption! For PKC, one uses Trapdoor one-way functions: one-way functions that become easy to reverse if one knows a secret information Famous examples: Integer factorization: RSA Discrete logarithms in finite groups: ElGamal, DH, DSA, ECDSA, etc. 5/28

Finite groups A set of elements G together with a binary operation called the group operation or group law 1. For all a, b in G, then a b is also in G 2. There exists an identity element e such that a e = e a = a 3. For all a G, there exists a 1 G such that a a 1 = e 4. a (b c) = (a b) c If G has a finite number of elements, then the group is finite. 6/28

Examples of Finite Groups The additive group of integers modulo p Z p or Z/pZ = {0, 1, 2,..., p 1} DLP: given a 0, b ka (mod p), find k Trivial: a F p k ba 1 (mod p) The multiplicative group of a finite field If p is prime, then F p = {1, 2,..., p 1} DLP: given a, b a k (mod p), find k Much more difficult! Good candidate for crypto. 7/28

ElGamal Cryptosystem in F p Let p be a large prime and a a generator for F p Key generation choose a random k and compute b = a k mod p Publish (p, a, b) and keep k secret Encryption for a secret random integer 0 r < p 1 E(x, r) = (y 1, y 2 ) where y 1 = a r mod p y 2 = xb r mod p Decryption D(y 1, y 2 ) = y 2 (y k 1 ) 1 mod p 8/28

Index Calculus Methods for DLP Let p be a prime and g a generator for the cyclic group F p. Every h 0 (mod p) can be written in the form h g k for some integer 0 k < p 1. Let k = l(h) denote the discrete logarithm of h g l(h) h (mod p) Suppose we have h 1 and h 2. Then g l(h 1h 2 ) h 1 h 2 g l(h 1)+l(h 2 ) (mod p) which implies l(h 1 h 2 ) l(h 1 ) + l(h 2 ) (mod p 1) The index calculus is a method for computing values of l. The idea is to compute l(π i ) for several small primes π i, then use this information to compute l(h) for arbitrary h. 9/28

Example (Index Calculus) Let p = 1217 and g = 3. We want to solve 3 k 37 (mod 1217). We choose a set of small primes, called a factor base B = {2, 3, 5, 7, 11, 13} Find relations 3 x ± product of some primes in B (mod 1217) 3 1 3 3 25 5 3 3 54 5 11 3 24 2 2 7 13 3 30 2 5 2 3 87 13 Linear algebra compute l(π i ), for all π i B 1 0 0 0 0 0 0 l( 1) 608 0 0 1 0 0 0 0 l(2) 1 1 2 0 0 1 0 1 l(3) 24 0 0 0 3 0 0 0 l(5) 25 1 1 0 2 0 0 0 l(7) 30 1 0 0 1 0 1 0 l(11) 54 0 0 0 0 0 0 1 l(13) 87 (mod 1216) 10/28

Example (Index Calculus) cont d We now know the discrete logs of all elements of the factor base. Recall that we want to solve 3 k 37 (mod 1217) Finish the work Compute 3 j 37 (mod p) for random values of j until we get an integer that can be factored into a product of primes in B Therefore 3 16 37 2 3 7 11 (mod 1217) l(37) 3l(2) + l(7) + l(11) 16 588 (mod 1216) 3 588 37 (mod 1217) 11/28

The Index Calculus is subexponential L n (α, c) = O (e (c+o(1))(ln n)α (ln ln n) 1 α) 12/28

So, how large should p be? 125 100 75 50 25 0 500 1,000 1,500 n 2,000 2,500 3,000 13/28

Computing with big integers Integer multiplication Karatsuba, Toom-Cook, Schönhage-Strassen (FFT) Modular multiplication a, b, p ab mod p Montgomery, Barrett Fast exponentiation a, r, p a r mod p square-multiply, high-radix/window methods, double-base Inversion a, p a 1 mod p extended gcd, Fermat GMP, NTL, Pari/GP, Sage, Magma, LinBox, etc. 14/28

So why do we need something else? So far, we need very large keys because discrete logarithms in F p can be computed in subexponential time. Is it possible to use smaller keys without compromising security? Smaller keys = faster arithmetic, less memory, less bandwidth Are there any finite groups for which index calculus methods do not work? 15/28

Here Comes Elliptic Curves An elliptic curve is a geometrical object: a nonsingular curve given by an equation y 2 = f(x), with deg f = 3, 4 an algebraic object: the set has a natural geometric law, which also respects field of definition (i.e. works over finite fields) 16/28

Adding points on an elliptic curve P Q R 2R 17/28

Point negation and the point at infinity P 2R Q R 2R Q R 18/28

Algebraic description of the addition operation Let P 1 = (x 1, y 1 ) and P 2 = (x 2, y 2 ) be two points on the curve, i.e. which satisfy the equation E : y 2 = x 3 + ax + b Then where and P + Q = (x 3, y 3 ) x 3 = λ 2 x 1 x 2, y 3 = λ(x 1 x 3 ) y 1 y 2 y 1 if P 1 ±P 2 x 2 x 1 λ = 3x 2 1 + a if P 1 = P 2 2y 1 19/28

Elliptic Curves are Abelian Groups Let K be a field. The set E(K) = {(x, y) K 2 ; y 2 = x 3 + ax + b} {P } together with the addition operation form an abelian group What can we choose for K? 20/28

Why elliptic curves over finite fields? What about Q? Bad idea: points are either of infinite order or have order less than 12 over the rationals Good candidates: elliptic curves over F q. Special cases of interest are when q is a prime or q = 2 m 21/28

Solving ECDLP Let E be an elliptic curve over K. Let N be the order of E ECDLP: given P, Q E, solve kp = Q. (We assume that P generates E) Shanks baby-step giant-step algorithm Fix m N Store a list of ip for 0 i < m (BS) Compute Q jmp for j = 0, 1,..., m 1 until one finds an element from the precomputed list (GS) ip = Q jmp, then Q = kp with k i + jm (mod N) Shanks BSGS complexity: Õ( N) 22/28

Hasse Theorem Let E be an elliptic curve over F q. Then the order of E(F q ) satisfies q + 1 #E(F q ) 2 q 23/28

So, how large should q be? 125 100 75 50 25 0 500 1,000 1,500 n 2,000 2,500 3,000 24/28

Are all curves good for crypto? The group order must contain a large prime factor #E(F q ) = h p, with p > 2 160 Shoof s algorithm can be used to count the number of points on elliptic curves over F q in polynomial time 25/28

26/28

ECC In the real world Elliptic curve cryptography is now used in many standards (IEEE, NIST, etc.) Elliptic curve cryptography is used by the NSA The ANSSI (French NSA Information Assurance Dept.) also recommends elliptic curve cryptography (ECDSA) Used in Blackberry, Windows Media Player, standards for biometric data on passport, etc. 27/28

Merci! http://www.lirmm.fr/ imbert Laurent.Imbert@lirmm.fr

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback