elliptic curve cryptography invention and impact the
play

Elliptic Curve Cryptography: Invention and Impact: The invasion of - PowerPoint PPT Presentation

Sep 01, 2022 •375 likes •1.08k views

Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S. Miller IDA Center for Communications Research Princeton, NJ 08540 USA 24 May, 2007 Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May,

  1. Elliptic Curve Cryptography: Invention and Impact: The invasion of the Number Theorists Victor S. Miller IDA Center for Communications Research Princeton, NJ 08540 USA 24 May, 2007 Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 1 / 69

  2. Elliptic Curves Serge Lang It is possible to write endlessly about Elliptic Curves – this is not a threat! Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 2 / 69

  3. Elliptic Curves A field that should be better known Studied intensively by number theorists for past 100 years. Until recently fairly arcane. Before 1985 – virtually unheard of in crypto and theoretical computer science community. In mathematical community: Mathematical Reviews has about 200 papers with “elliptic curve” in the title before 1984, but in all now has about 2000. A google search yield 66 pages of hits for the phrase “elliptic curve cryptography”. Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 3 / 69

  4. Elliptic Curves Elliptic Curves Set of solutions (points) to an equation E : y 2 = x 3 + ax + b . More generally any cubic curve – above is “Weierstrass Form”. The set has a natural geometric group law, which also respects field of definition – works over finite fields. Weierstrass p function: p ′ 2 = 4 p 3 − g 2 p − g 3 . Only doubly-periodic complex function. The hardest thing about the p function is making the Weierstrass p – Lipman Bers. Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 4 / 69

  5. Elliptic Curves Chord and Tangent Process Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 5 / 69

  6. Elliptic Curves Karl Weierstrass Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 6 / 69

  7. Elliptic Curves Abelian Varieties Multi-dimensional generalization of elliptic curves. Dimension g has 2 g periods. Also has group law, which respects field of definition. First studied by Abel (group is also abelian – a happy conincidence!). Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 7 / 69

  8. Elliptic Curves Niels Henrik Abel Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 8 / 69

  9. Elliptic Curves Lipman Bers Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 9 / 69

  10. Elliptic Curves Elliptic Curves over Rational Numbers Set of solutions always forms a finitely generated group – Mordell-Weil Theorem. There is a procedure to find generators – very often quite efficient (but not even known to terminate in many cases!). Size function – “Weil height” – roughly measures number of bits in a point. Tate height – smoothing of height. Points form a lattice. Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 10 / 69

  11. Elliptic Curves Louis Mordell, Andr´ e Weil Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 11 / 69

  12. Elliptic Curves Torsion – points of finite order Mazur – no point has order more than 12 over the rationals. Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 12 / 69

  13. Elliptic Curves Barry Mazur Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 13 / 69

  14. Elliptic Curves John Tate Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 14 / 69

  15. Elliptic Curves Elliptic Curves and Computation Long history. Birch and Swinnerton-Dyer formulated their important conjecture only after extensive computer calculations. Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 15 / 69

  16. Elliptic Curves Bryan Birch and Peter Swinnerton-Dyer Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 16 / 69

  17. Elliptic Curves Bryan Birch and Peter Swinnerton-Dyer Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 17 / 69

  18. Discrete Logarithms Public Key In 1976 Diffie and Hellman proposed the first public key protocol. Let p be a large prime. Non zero elements of GF( p ) form cyclic group, g ∈ GF( p ) a “primitive root” – a generator. Security dependent upon difficulty of solving: DHP: Given p, g, g a and g b , find g ab (note a and b are not known. Speculated: only good way to solve DHP is to solve: DLP: Given p, g, g a , find a. Soon generalized to work over any finite field – especially GF(2 n ). Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 18 / 69

  19. Discrete Logarithms Marty Hellman and Whit Diffie Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 19 / 69

  20. Discrete Logarithms Whit Diffie and Marty Hellman Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 20 / 69

  21. Discrete Logarithms Attacks on DLP Pohlig-Hellman – only need to solve problem in a cyclic group of prime order – security depends on largest prime divisor q of p − 1 (or of 2 n − 1 for GF(2 n )). Shanks “baby step giant step” in time O ( √ q ). They speculated that this was the best one could do. A. E. Western, J. C. P. Miller in 1965, Len Adleman in 1978 – heuristic algorithm in time � O (exp( 2 log p log log p )) . Hellman and Reynieri – similar for GF(2 n ) with 2 n replacing p in above. Fuji-Hara, Blake, Mullin, Vanstone – a significant speed up of Hellman and Reynieri. Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 21 / 69

  22. Discrete Logarithms Dan Shanks Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 22 / 69

  23. Discrete Logarithms Len Adleman Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 23 / 69

  24. Discrete Logarithms My initiation into serious cryptography Friend and colleague of Don Coppersmith since graduate school. In 1983 Fuji-Hara gave talk at IBM, T. J. Watson Research Center “How to rob a bank”, on work with Blake, Mullin and Vanstone. The Federal Reserve Bank of California wanted to use DL over GF(2 127 ) to secure sensitive transactions. Hewlett-Packard starting manufacturing chips to do the protocol. Fuji-Hara’s talk piqued Don’s interest. Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 24 / 69

  25. Discrete Logarithms Don Coppersmith Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 25 / 69

  26. Discrete Logarithms Ryoh Fuji-Hari, Ian Blake, Ron Mullin, Scott Vanstone Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 26 / 69

  27. Discrete Logarithms Factoring, Factor Bases and Discrete Logarithms Subexponential time factoring of integers. CFRAC: Morrison and Brillhart. Brillhart coined the term “Factor Base” Rich Schroeppel – Linear Sieve Carl Pomerance: coined the term “smooth”, the “quadratic sieve” and the notation L x [ a ; b ] := exp( b (log x ) a (log log x ) 1 − a ) . From analyzing probability that a random integer factors into small primes (“smooth”). Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 27 / 69

  28. Discrete Logarithms John Brillhart Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 28 / 69

  29. Discrete Logarithms Rich Schroeppel Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 29 / 69

  30. Discrete Logarithms Carl Pomerance Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 30 / 69

  31. Discrete Logarithms Coppersmith’s attack on DL over GF(2 127 ) After Fuji-Hara’s talk, Don started thinking seriously about the DL problem. We would talk a few times a week about it – this taught me a lot about the intricacies of the “index calculus” (coined by Odlyzko to describe the family of algorithms). The BFMV algorithm was still L [1 / 2] (with a better constant in the exponential). Don devised an L [1 / 3] algorithm for GF(2 n ). Successfully attacked GF(2 127 ) in seconds. Ten years later Dan Gordon devised an L [1 / 3] algorithm for GF( p ). Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 31 / 69

  32. Discrete Logarithms Dan Gordon Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 32 / 69

  33. Discrete Logarithms Were Hellman and Pohlig right about discrete logarithms? Yes, and no. For original problem – no. Needed to use specific property (“smoothness”) to make good attacks work. Nechaev (generalized by Shoup) showed that O ( √ q ) was the best that you could do for “black box groups”. What about DHP? Maurer, and later Boneh and Lipton gave strong evidence that it was no harder than DL (used elliptic curves!). Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 33 / 69

  34. Discrete Logarithms Victor Shoup Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 34 / 69

  35. Discrete Logarithms Ueli Maurer, Dan Boneh, Dick Lipton Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 35 / 69

  36. Enter Elliptic Curves A New Idea While I visted Andrew Odlyzko and Jeff Lagarias at Bell Labs in August 1983, they showed me a preprint of a paper by Ren´ e Schoof giving a polynomial time algorithm for counting points on an elliptic curve over GF( p ). Shortly thereafter I saw a paper by Hendrik Lenstra (Schoof’s advisor) which used elliptic curves to factor integers in time L [1 / 2]. This, combined with Don’s attack on DL over GF(2 n ) got me to thinking of using elliptic curves for DL. Victor S. Miller (CCR) Elliptic Curve Cryptography 24 May, 2007 36 / 69

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Tanja Lange

318 views • 29 slides
Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve

Hyper-and-elliptic-curve cryptography (which is not the same as: hyperelliptic-curve cryptography and elliptic-curve cryptography) Daniel J. Bernstein Through our inefficient use of University of Illinois at Chicago & energy (gas

1.07k views • 76 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The

Twenty-Three Years of Elliptic Curve Cryptography Alfred Menezes University of Waterloo September 3 2008 1 Further Reading A. H. Koblitz, N. Koblitz, A. Menezes, Elliptic curve cryptography: The serpentine course of a paradigm

300 views • 18 slides
Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings Elliptic Curve Cryptography An Introduction Dr. F . Vercauteren Katholieke Universiteit Leuven 22 April 2008 Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction

491 views • 32 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018

Elliptic Curve Cryptography Meghana Doddapaneni University of Maryland 5 December 2018 Introduction y 2 = x 3 + ax + b en.wikipedia.org/wiki/Elliptic curve Elliptic Curve Addition P = ( x p .y p ), Q = ( x q , y q ), R = ( x r .y r ) =

187 views • 16 slides
Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm Problem

Counting points on elliptic curves over F q Christiane Peters DIAMANT-Summer School on Elliptic and Hyperelliptic Curve Cryptography September 17, 2008 Motivation Given an elliptic curve E over a finite field F q . Is the Discrete Logarithm

587 views • 30 slides
A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March

A Brief Introduction to Elliptic Curve Cryptography A Brief Introduction to Elliptic Curve Cryptography Or: A headache in 15 minutes Don Owen March 21 st , 2016 1/13 A Brief Introduction to Elliptic Curve Cryptography Elliptic Curve 2/13 A

385 views • 13 slides
Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic

Next-generation elliptic-curve cryptography (ECC) Daniel J. Bernstein Cryptographic Implementations group: eindhoven.cr.yp.to working closely with the Coding Theory and Cryptology group: www.win.tue.nl/cc/ Next-generation elliptic-curve

456 views • 18 slides
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil

Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Math ematiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography and Security of Embedded Devices 1

1.72k views • 143 slides
Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview Bitcoin Transactions Elliptic Curve Cryptography Introduction Arithmetics Signature Bitcoin, the protocol A blockchain Each

992 views • 52 slides
Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May

Introduction to Elliptic Curve Cryptography Rana Barua Indian Statistical Institute Kolkata May 19, 2017 university-logo-isi Rana Barua Introduction to Elliptic Curve Cryptography ElGamal Public Key Cryptosystem, 1984 Key Generation: Choose

417 views • 16 slides
elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 11, 2018 ibenik , Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4:

1.38k views • 48 slides
Should Elliptic Curve Cryptography Really be Deprecated? Connor Adsit cda8519@rit.edu May 13,

Should Elliptic Curve Cryptography Really be Deprecated? Connor Adsit cda8519@rit.edu May 13,

Should Elliptic Curve Cryptography Really be Deprecated? Connor Adsit cda8519@rit.edu May 13, 2016 Objectives Suite B Cryptography The controversial NSA statement A brief history of ECC (and the NSAs involvement) Why would

351 views • 17 slides
Dropbox for Education @ UNCSA Old tools impose boundaries In-person Size limits Internal-only

Dropbox for Education @ UNCSA Old tools impose boundaries In-person Size limits Internal-only

Dropbox for Education @ UNCSA Old tools impose boundaries In-person Size limits Internal-only Low adoption To get around these limitations UNCSA personnel have used ad-hoc tools including Dropbox personal and premium accounts Wheres

350 views • 18 slides
The Privacy and CyLab Security Behaviors of Smartphone Engineering & App Developers

The Privacy and CyLab Security Behaviors of Smartphone Engineering & App Developers

The Privacy and CyLab Security Behaviors of Smartphone Engineering & App Developers Public Policy Rebecca Balebako, Abigail Marsh, Jialiu Lin, Jason Hong, Lorrie Faith y & c S a e v c i u r P r i t e y l b L a

646 views • 26 slides
Selection and Execution of User Level Test Cases for Energy Cost Evaluation of Smartphones

Selection and Execution of User Level Test Cases for Energy Cost Evaluation of Smartphones

Selection and Execution of User Level Test Cases for Energy Cost Evaluation of Smartphones Rajesh Palit PhD Candidate Co-authors: R Arya, S Naik, A Singh Department of E&CE Tuesday, May 24, 2011 Motivation Rapid development of

443 views • 19 slides
void fuzz(char* buf, int& len){ void fuzz(char* buf, int& len){ void fuzz(char* buf,

void fuzz(char* buf, int& len){ void fuzz(char* buf, int& len){ void fuzz(char* buf,

void fuzz(char* buf, int& len){ void fuzz(char* buf, int& len){ void fuzz(char* buf, int& len){ void fuzz(char* buf, int& len){ void fuzz(char* buf, int& len){ int q = rand()%20; int q = rand()%20; int q = rand()%20; int

836 views • 61 slides
MobiCloud Power of Clouds in Your Pocket : An Efficient Approach for Cloud Mobile Hybrid

MobiCloud Power of Clouds in Your Pocket : An Efficient Approach for Cloud Mobile Hybrid

MobiCloud Power of Clouds in Your Pocket : An Efficient Approach for Cloud Mobile Hybrid Application Development Ashwin Manjunatha , Ajith H. Ranabahu , Amit Sheth, Krishnaprasad Thirunarayan Kno.e.sis Center Wright State University 1 Agenda

506 views • 26 slides
Opinion Dynamics over Signed Social Networks Guodong Shi Research School of Engineering The

Opinion Dynamics over Signed Social Networks Guodong Shi Research School of Engineering The

Opinion Dynamics over Signed Social Networks Guodong Shi Research School of Engineering The Australian Na@onal University, Canberra, Australia Ins@tute for Systems Research The University of Maryland, College Park May 2, 2016 1 Joint work

535 views • 39 slides
DRM Proxy Architecture draft-zhipeng-pkix-drm-proxy-architecture Zhipeng Zhou (via Barry Leiba)

DRM Proxy Architecture draft-zhipeng-pkix-drm-proxy-architecture Zhipeng Zhou (via Barry Leiba)

DRM Proxy Architecture draft-zhipeng-pkix-drm-proxy-architecture Zhipeng Zhou (via Barry Leiba) Huawei Technologies Why? Digital Rights Management is something service providers have to deal with. Standard mechanisms for managing

273 views • 9 slides
M C I NTIRE I NVESTMENT I NSTITUTE A T THE U NIVERSITY OF V IRGINIA Current Topics in Finance

M C I NTIRE I NVESTMENT I NSTITUTE A T THE U NIVERSITY OF V IRGINIA Current Topics in Finance

M C I NTIRE I NVESTMENT I NSTITUTE A T THE U NIVERSITY OF V IRGINIA Current Topics in Finance & Investing Twitter IPO Blackberry Advanced VAR Emerging Markets Quantitative Easing Prepared by MII Managers| Nov. 14, 2013 McIntire

243 views • 6 slides

More recommend