Elliptic Curve Cryptography

Similar documents
SEMINAR SECURITY - REPORT ELLIPTIC CURVE CRYPTOGRAPHY

Introduction to Elliptic Curve Cryptography

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

CPSC 467b: Cryptography and Computer Security

CPSC 467: Cryptography and Computer Security

Attacks on Elliptic Curve Cryptography Discrete Logarithm Problem (EC-DLP)

Discrete Logarithm Computation in Hyperelliptic Function Fields

Cryptography IV: Asymmetric Ciphers

Non-generic attacks on elliptic curve DLPs

The State of Elliptic Curve Cryptography

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Elliptic Curves and Cryptography

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Elliptic Curve Cryptography

Public-Key Cryptosystems CHAPTER 4

The Elliptic Curve in https

APPLICATION OF ELLIPTIC CURVES IN CRYPTOGRAPHY-A REVIEW

Arithmétique et Cryptographie Asymétrique

Elliptic Curve Cryptography with Derive

On the complexity of computing discrete logarithms in the field F

Lecture 1: Introduction to Public key cryptography

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Elliptic Curve Cryptosystems

8 Elliptic Curve Cryptography

Discrete Logarithm Problem

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

ABHELSINKI UNIVERSITY OF TECHNOLOGY

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

CPSC 467b: Cryptography and Computer Security

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

Points of High Order on Elliptic Curves ECDSA

Public-key Cryptography and elliptic curves

ElGamal type signature schemes for n-dimensional vector spaces

SM9 identity-based cryptographic algorithms Part 1: General

Polynomial Interpolation in the Elliptic Curve Cryptosystem

An Introduction to Pairings in Cryptography

Discrete logarithm and related schemes

Public Key Cryptography with a Group of Unknown Order

Suppose F is a field and a1,..., a6 F. Definition 1. An elliptic curve E over a field F is a curve given by an equation:

Elliptic Curve Public-Key Cryptosystems An Introduction

MATH 158 FINAL EXAM 20 DECEMBER 2016

Math/Mthe 418/818. Review Questions

The Elliptic Curve Digital Signature Algorithm (ECDSA) 1 2. Alfred Menezes. August 23, Updated: February 24, 2000

One can use elliptic curves to factor integers, although probably not RSA moduli.

Finite Fields and Elliptic Curves in Cryptography

Elliptic Curve Cryptography and Security of Embedded Devices

Discrete Logarithm Problem

An Introduction to Elliptic Curve Cryptography

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Introduction to Elliptic Curve Cryptography. Anupam Datta

The Application of the Mordell-Weil Group to Cryptographic Systems

Elliptic Curves Cryptography and factorization. Part VIII. Elliptic curves cryptography and factorization. Historical Remarks.

Application of Elliptic Curve Method in Cryptography: A Literature Review

ECE297:11 Lecture 12

Outline. Available public-key technologies. Diffie-Hellman protocol Digital Signature. Elliptic curves and the discrete logarithm problem

Hardware Implementation of Elliptic Curve Point Multiplication over GF (2 m ) for ECC protocols

Introduction to Modern Cryptography. Benny Chor

Katherine Stange. ECC 2007, Dublin, Ireland

Definition of a finite group

Public-key Cryptography and elliptic curves

Lecture Notes, Week 6

Elliptic Curve Crytography: A Computational Science Model

Elliptic Curve Cryptography

10 Public Key Cryptography : RSA

Foundations. P =! NP oneway function signature schemes Trapdoor oneway function PKC, IBS IBE

Constructing Pairing-Friendly Elliptic Curves for Cryptography

CRYPTOGRAPHY AND NUMBER THEORY

Generation Methods of Elliptic Curves

Elliptic Curve Discrete Logarithm Problem

ECE 646 Lecture 9. RSA: Genesis, operation & security

arxiv: v3 [cs.cr] 15 Jun 2017

Other Public-Key Cryptosystems

Information Security

Asymmetric Encryption

Constructing Abelian Varieties for Pairing-Based Cryptography

Elliptic Curves and Cryptography

Elliptic Curve Cryptology. Francis Rocco

Digital Signatures. Saravanan Vijayakumaran Department of Electrical Engineering Indian Institute of Technology Bombay

Chapter 4 Asymmetric Cryptography

TheSecurityofEllipticCurveCryptosystemsA Survey

Asymmetric Cryptography

Introduction to Cryptography. Lecture 8

CSC 774 Advanced Network Security

CSC 774 Advanced Network Security

Public Key Cryptography

Week : Public Key Cryptosystem and Digital Signatures

Chapter 8 Public-key Cryptography and Digital Signatures

Fast Multiple Point Multiplication on Elliptic Curves over Prime and Binary Fields using the Double-Base Number System

Performance of Finite Field Arithmetic in an Elliptic Curve Cryptosystem

CHAPMAN & HALL/CRC CRYPTOGRAPHY AND NETWORK SECURITY ALGORITHMIC CR YPTAN ALY51S. Ant nine J aux

KEY EXCHANGE IN ELLIPTIC CURVE CRYPTOGRAPHY BASED ON THE DECOMPOSITION PROBLEM

Lecture 6: Cryptanalysis of public-key algorithms.,

No.6 Selection of Secure HC of g = divisors D 1, D 2 defined on J(C; F q n) over F q n, to determine the integer m such that D 2 = md 1 (if such

Minal Wankhede Barsagade, Dr. Suchitra Meshram

Notes for Lecture 17

Faster F p -arithmetic for Cryptographic Pairings on Barreto-Naehrig Curves

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Hyperelliptic-curve cryptography. D. J. Bernstein University of Illinois at Chicago

Transcription:

The State of the Art of Elliptic Curve Cryptography Ernst Kani Department of Mathematics and Statistics Queen s University Kingston, Ontario

Elliptic Curve Cryptography 1 Outline 1. ECC: Advantages and Disadvantages 2. Discrete Logarithm (DL) Cyptosystems 3. Elliptic Curves (EC) 4. A Small Example 5. Attacks and their consquences 6. ECC System Setup 7. Elliptic Curves: Construction Methods

2 ECC: Advantages/Disadvantages Advantages: greater flexibility in choosing cryptographic system no known subexponential time algorithm for ECDLP smaller key sizes (with the same security). Current recommendation (according to A.K. Lenstra, E.R. Verheul): the minimum key size for ECC should be 132 bits vs. 952 bits for RSA. As a result: greater speed, less storage ECC can be used in smart cards, cellular phones, pagers etc. Disadvantages: Hyperelliptic cryptosystems offer even smaller key sizes. ECC is mathematically more subtle than RSA or SDL difficult to explain/justify to the client. Main uses of ECC: key exchange, digital signature, authentication, (limited) message transmission, etc.

DL - Cryptosystems Basic Problem: Let G be an abstract (multiplicative) group (= a set with a multiplication operation ). Find a computer realization of G such that: 1) The operation exponentiation a b := a n can be implemented as a quick, efficient algorithm; 2) The inverse operation ( discrete logarithm ), i.e., (DLP) Given a and b G, find n ( = log a (b) ) such that b = a n = a } a {{ a}, n times is technically much harder and hence cannot be carried out in a reasonable amount of time. Classical Examples: 1) Let G = F p = {1,... p 1}, where p is a prime, with multiplication a b = rem(ab, p). 2) (SDL) Take G = {1, g, g 2,... g q 1 } F p, a cyclic subgroup of order q. 3) More generally, let G F p, where F p is any finite field; here p is a power of a prime. 3

A Sample Protocol: The Diffie-Hellman Key Exchange (1976): Public information: An element g F p order q. 4 of large User A (Alice) picks a random integer a, sends B the number (public key) P A = g a. User B (Bob) picks a random integer b, sends A the number (public key) P B = g b. Then: A and B can both compute and use the common (secret) key S AB = (P A ) b = (P B ) a = g ab. The Diffie-Hellman Problem (DHP): compute the secret key S AB from the data g, P A, P B. The Diffie-Hellman Assumption: a spy (Eve) cannot solve (DHP) in a reasonable amount of time. Remarks: 1) (DLP) (DHP). 2) There is strong evidence (Lenstra/Verheul) that the (DHP) is equivalent to the (DLP). In fact: this is true for many orders q (Maurer/Wolf/Boneh, 1996).

Elliptic Curves Elliptic curves: Let a, b F p and consider G = E a,b (F p ) := {(x, y) F p F p : y 2 = x 3 + ax + b} {P } The group law: The multiplication in G is given by where x 3 = λ 2 x 1 x 2 y 3 = λ(x 1 x 3 ) y 1 (x 1, y 1 ) (x 2, y 2 ) = (x 3, y 3 ) } with λ = y 2 y 1 x 2 x 1 (or 5 if x 1 = x 2 λ = 3x2 1 + a 2y 1 ). Notes: 1) We usually write the group law additively, i.e. we write P +Q in place of P Q and hence kp in place of P} P {{ P}. 2) The extra point P serves as the identity of the group law: P + P = P + P = P, for all P E(F p ). 3) V. Miller and N. Koblitz (independently) first proposed in 1986 the use of elliptic curves for cryptography. Problem: How can we find an elliptic curve E/F p which is suitable for implementing a DL-cryptosystem? Questions: 1) How can we estimate/calculate #G? 2) How can we find a point of large order in G? Theorem (Hasse, 1933): #E(F p ) p; more precisely, p + 1 #E(F p ) }{{} tr E 2 p. k

A Small Example Consider the following elliptic curve E 2,1 over F 5 : E = E 2,1 : y 2 = x 3 + 2x + 1. Then a quick calculation (exhaustive search) shows that E(F 5 ) = { }{{} P, (0, 1), (1, 3), (3, 3), (3, 2), (1, 2), (0, 4) }. }{{}}{{}}{{}}{{}}{{}}{{} P 0 P 1 P 2 P 3 P 4 P 5 P 6 For example, P 4 = (3, 2) E(F 5 ) because 3 3 + 2 3 + 1 = 34 4 2 2 (mod 5). The above points P i have been numbered in such way that P i + P j = P i+j (indices mod 7). Thus, #E(F 5 ) = 7, which satisfies the Hasse bound since (5 + 1) 7 = 1 2 5. = 4.47. Diffie-Hellman Key Exchange: A chooses the secret key a = 2 and computes her public key P A = 2P 1 = P 1 + P 1 = P 2 = (1, 3). B chooses the secret key b = 3 and computes his public key P B = 3P 1 = P 1 + P 1 + P 1 = P 3 = (3, 3). Thus, their common { secret key is: 2P B = 2P 3 = P 6 (as computed by A) S AB = P 6 = (0, 4) 3P A = 3P 2 = P 6 (as computed by B) 6

Attacks and their Consequences General DL-Attacks: SPH - due to Silver, Pohlig, Hellman (1978): the DLP for a group G of order n can be reduced to solving the DLP for its subgroups of prime order p n. Pollard s ρ and λ (or Kangaroo) - due to Pollard(1978): each solves DLP in O( n) steps. (Parallizable!) Consequence: work with a group G of sufficiently large prime order q = #G. Elliptic Curve Attacks: MOV - due to Menezes, Okamoto, Vanstone (1993); cf. also Frey, Rück (1994): if (1) p r 1 (mod q), then the ECDLP can be reduced to the DLP in F p r we can solve the ECDLP by using the (subexponential) Index Calculus in F p r. Anomalous - due to Samaev (1998); Satoh, Araki (1998), Smart (1999): the ECDLP can be solved (using p-adic numbers) for anomalous curves, i.e. those with #E(F p ) = p ( tr E = 1). Consequence: For ECC, avoid: 1) anomalous curves; 2) primes q which satisfy (1) for small r; i.e. r << k 2 / log 2 k, where k = log 2 p. 7

8 Explicit Attacks: Hardware attack estimate: In 1996, an attack against a 120- bit EC sytem was proposed - using a machine running 75 independent Pollard ρ processors. (Estimated cost: $10 million, running time: 32 days.) Software attack estimate (A.Lenstra, E.Verheul, 1999): On a 109-bit EC system (p 2 109 ), the ECDLP should take 18,000 years on a current PC (or 1 year on 18,000 PC s Power of the Internet ) by using Pollard s ρ method. (PC = 450MHz Pentium II processor). RSA155 (= 512 bit RSA) was factored in August 1999 using the NFS (Number Field Sieve). Run Time: 20 years on 1 PC (64Mb memory) = 1 day on 7500 PC s. Note: RSA155 is still used on the Web (e.g. in the Secure Socket Layer(SSL)), but cannot be considered to be secure. Consequences: A.K.Lenstra, E.R.Verheul (Sep. 1999) propose the following minimum key sizes (in bits): Year RSA SDL EC q p wo (w)* 2000 952 123 952 132 (132) 2005 1149 131 1149 139 (147) 2025 2174 158 2174 169 (202) 2050 4047 193 1447 206 (272) *without (with) cryptoanalytic progress

9 ECC Sytem Setup System Setup: There are several choices to be made: Selecting a finite field F p (and a field representation) e.g. p = prime or p = 2 k. Selecting an elliptic curve E/F p (+ a point P of order q) random curve vs. a special curve etc. (see next page) Selecting the elliptic curve representation affine vs. projective coordinates, etc.) Selecting a protocol (e.g. Diffie-Hellman, ECDSA) for task Note: Some protocols require additional steps; e.g. ElGamal and others require message embedding m P m E(F q ). Selection criteria: Security: of ECDLP, of protocol. Implementation requirements: speed, storage, power consumption optimization of field/ec operations, of protocol. Platform dependence: speed and performance of primitives e.g. on a Pentium PC, the time for multiplication is only a small multiple of that for addition. Standards Compatibility: Public Key Infrastructure, Wassenaar Arrangement (Export). Remark: S. Vanstone (Field Institute Conference, 1999) emphasizes that all these selection criteria must be considered simultaneously.

10 EC Construction Methods Method 1: Random elliptic curves E/F p : first choose a field F p, then a point P = (x, y) F p F p, then choose (by varying the paramater a) an elliptic curve E a,b such that P is a point of suitable order q on E a,b (F p ). Note: in order to find ord(p ), first calculate #E(F p ) using the Schoof-Elkies-Atkin (SEA) algorithm. Method 2: CM elliptic curves E/Q: pick a CM elliptic curve E/Q (and a point P E(Q)), then look for a prime p such that (E, P ) (mod p) has the right cryptographic properties. Advantage: there is a formula for #E(F p ). Example: E : y 2 = x 3 n 2 x is a CM-curve with point P = (Z 2 /4, (Y 2 X 2 )Z/8), provided that (X, Y, Z) are the sides of a right-angled triangle with area n. By Gauss (1777-1855): if p 3 (mod 4), then #E(F p ) = p + 1 (do not use for ECC!) if p 1 (mod 4), then there is an explicit formula. Method 3: Koblitz (subfield) curves: take p = p r 0 (p 0 small), choose E/F p0 and view E over F p. Advantage: there is a simple formula (Artin, 1926) for #E(F p ) in terms of #E(F p0 ) (which can be calculated quickly). Method 4: Arbitrary elliptic curves E/Q (?): similar to method 2 (formula for #E(F p ) via modular forms?)

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback