Elliptic Curve Cryptography: An Introduction. Dr. F. Vercauteren


Elliptic Curve Cryptography: An Introduction. Dr. F. Vercauteren, Katholieke Universiteit Leuven, 22 April 2008.


SLIDE 1

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings

Elliptic Curve Cryptography

An Introduction

Dr. F. Vercauteren

Katholieke Universiteit Leuven

22 April 2008

SLIDE 2

Cryptography Elliptic Curves EC Cryptographic Primitives Pairings

SLIDE 3

Cryptography

Cryptography provides the technical means to secure information in electronic form.

◮ Confidentiality: protection of data from unauthorized disclosure.
◮ Data integrity: assurance that data received are exactly as sent by an authorized entity.
◮ Authentication: assurance that the communicating entity is the one that it claims to be.
◮ Non-repudiation: prevents an entity from denying previous commitments or actions.

SLIDE 4

Symmetric Key Cryptography

[Figure: symmetric key cryptosystem between Alice and Bob. The plaintext 110100011100 is transmitted as ciphertext; encryption key = decryption key.]

SLIDE 5

Public Key Cryptography

[Figure: public key cryptosystem between Alice and Bob. The plaintext 110100011100 is transmitted as ciphertext; the encryption key is the public key of Bob, taken from a public list, and the decryption key is the private key of Bob.]

SLIDE 6

Factoring and Discrete Logarithm Problem

◮ Rivest-Shamir-Adleman (1977): RSA based on factoring.
◮ Main idea: easy to find two large primes p and q, but very hard to find p and q from n = p · q.
◮ RSA still most popular public key cryptosystem.
◮ ElGamal (1984): discrete logarithm problem (DLP).
◮ Group G is set with operation · and each element has inverse.
◮ Main idea: very easy to compute $h = g^x$ for given x, but very hard to find x given h and g.
◮ Popular choices: finite fields and elliptic curves.

SLIDE 7

Diffie-Hellman Key Agreement

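Choose a large prime number p and a generator α mod p.

Alice: $x_A \in_R [1, p - 1]$, computes $\alpha^{x_A}$
Alice → Bob: $\alpha^{x_A}$
Bob: $x_B \in_R [1, p - 1]$, computes $\alpha^{x_B}$
Bob → Alice: $\alpha^{x_B}$
Alice: $K_{BA} = (\alpha^{x_B})^{x_A}$
Bob: $K_{BA} = (\alpha^{x_A})^{x_B}$

◮ Note: all calculations mod p
◮ Security based on Diffie-Hellman problem: given $\alpha^{x_A}$ and $\alpha^{x_B}$ compute $\alpha^{x_A x_B}$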

SLIDE 8

Elliptic Curves

Definition

◮ Elliptic curve E over field K is defined by

$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6, \quad a_i \in K$

◮ The set of K-rational points E(K) is defined as

$E(K) = \{(x, y) \in K \times K \mid y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6\} \cup \{\infty\}$

◮ ∞ is called point at infinity

Theorem

There exists an addition law on E and the set E(K) is a group

SLIDE 9

Elliptic Curves over R

[Figure: plots over R of the curves $y^2 = x^3 + 4x^2 + 4x + 3$ and $y^2 = x^3 - 7x + 6$.]

SLIDE 10

Addition Law on Elliptic Curves

[Figure: two panels on the curve $y^2 = x^3 - 7x + 6$. "Adding two points": labels P, Q, R, P ⊕ Q and lines L, L′. "Doubling a point": labels P, R, 2P and lines L, L′.]

SLIDE 11

Addition Law on Elliptic Curves

By definition: three points on a line sum to zero! Let $P_1 \oplus P_2 = P_3$, with $P_i = (x_i, y_i) \in E$.

◮ If $x_1 = x_2$ and $y_1 + y_2 + a_1x_2 + a_3 = 0$, then $P_1 \oplus P_2 = \infty$,
◮ Else
  ◮ if $x_1 \neq x_2$: $\lambda = (y_2 - y_1)/(x_2 - x_1)$, $\nu = (y_1x_2 - y_2x_1)/(x_2 - x_1)$
  ◮ if $x_1 = x_2$: $\lambda = (3x_1^2 + 2a_2x_1 + a_4 - a_1y_1)/(2y_1 + a_1x_1 + a_3)$, $\nu = (-x_1^3 + a_4x_1 + 2a_6 - a_3y_1)/(2y_1 + a_1x_1 + a_3)$

The point $P_3 = P_1 \oplus P_2$ is given by

$x_3 = \lambda^2 + a_1\lambda - a_2 - x_1 - x_2$
$y_3 = -(\lambda + a_1)x_3 - \nu - a_3$

SLIDE 12

Finite Fields

◮ Practical applications need exact arithmetic, so
  ◮ not R since not exact
  ◮ not Q since size of numbers involved grows too fast
◮ Consider elliptic curves over finite fields:
  ◮ $\mathbb{F}_p$ with p prime: represented by Z mod p
  ◮ $\mathbb{F}_{2^n}$ with $2^n$ elements: represented by $\mathbb{F}_2[X]$ mod P(X), i.e. binary polynomials modulo an irreducible polynomial P(X)

SLIDE 13

Elliptic Curves over Finite Fields

[Figure: plot of the points of the elliptic curve $y^2 = x^3 + x + 3 \bmod 23$, both axes running from 1 to 22.]

SLIDE 14

Number of Points on Elliptic Curve

◮ Theorem: the cardinality $\#E(\mathbb{F}_q)$ satisfies

$\#E(\mathbb{F}_q) = q + 1 - t$ with $|t| \le 2\sqrt{q}$.

◮ For gcd(q, t) = 1, all possibilities occur.

SLIDE 15

Elliptic Curve DLP

◮ Let G be an abelian group generated by P ∈ G
◮ Let Q = s · P, then the DLP is to compute s given P and Q
◮ Classically: $G = \mathbb{F}_q^\times$
◮ For $G = E(\mathbb{F}_q)$, the DLP is called ECDLP

Note: can translate primitives based on DLP to ECDLP setting

SLIDE 16

Security of ECDLP: General Attacks

◮ Exhaustive search: impossible if group order > $2^{80}$
◮ Pohlig-Hellman: suppose $\#E(\mathbb{F}_q) = p_1^{s_1} \cdot p_2^{s_2} \cdots p_k^{s_k}$, then can reduce ECDLP to subgroups of order $p_i$ ⇒ $\#E(\mathbb{F}_q)$ should have large prime divisor p
◮ Pollard rho & lambda: random walk, constant space, time complexity is $O(\sqrt{p})$

Conclusion:

◮ $\#E(\mathbb{F}_q) > 2^{160}$ and divisible by large prime p
◮ Best general attack is exponential in p
◮ DLP in $\mathbb{F}_q$ is sub-exponential: $L_q[1/3, b]$ with

$L_N[a, b] = O\left(e^{(b + O(1))(\ln N)^a (\ln \ln N)^{1-a}}\right)$

SLIDE 17

Comparison with RSA & DSA: Security

[Figure: key lengths in bits for equivalent cryptographic strength, ECDSA versus RSA & DSA. Axes: key length of conventional systems RSA and DSA (1000 to 10000) and key length of elliptic curve system (50 to 500).]

SLIDE 18

Overview

◮ Key Agreement Primitives
  ◮ ECDH: EC Diffie-Hellman Secret Value Derivation
  ◮ ECMQV: EC Menezes-Qu-Vanstone Secret Value Derivation
◮ Signature Primitives
  ◮ ECNR: EC Nyberg-Rueppel Signatures
  ◮ ECDSA: EC Digital Signature Algorithm
◮ Encryption Primitives
  ◮ ECIES: EC Integrated Encryption Scheme

SLIDE 19

Pairings

◮ Let $G_1, G_2, G_T$ be groups of prime order ℓ. A pairing is a non-degenerate bilinear map $e : G_1 \times G_2 \to G_T$.
◮ Bilinearity:
  ◮ $e(g_1 + g_2, h) = e(g_1, h)\,e(g_2, h)$,
  ◮ $e(g, h_1 + h_2) = e(g, h_1)\,e(g, h_2)$.
◮ Non-degenerate:
  ◮ for all $g \neq 1$: $\exists x \in G_2$ such that $e(g, x) \neq 1$
  ◮ for all $h \neq 1$: $\exists x \in G_1$ such that $e(x, h) \neq 1$
◮ Examples:
  ◮ Scalar product on vector space over finite fields $\langle \cdot, \cdot \rangle : \mathbb{F}_q^n \times \mathbb{F}_q^n \to \mathbb{F}_q$.
  ◮ Weil and Tate pairings on elliptic curves and abelian varieties.

SLIDE 20

Pairings in cryptography

◮ Exploit bilinearity: original schemes G1 = G2

◮ MOV: DLP reduction from G1 to GT

DLP in $G_1$: $(g, xg)$ ⇒ DLP in $G_T$: $(e(g, g), e(g, g)^x)$

◮ Decision DH easy in G1

DDH : (g, ag, bg, cg) test if e(g, cg) = e(ag, bg)

◮ Identity based crypto, short signatures, . . .

SLIDE 21

Torsion subgroups

◮ E[ℓ] subgroup of points of order dividing ℓ, i.e.

$E[\ell] = \{P \in E(\mathbb{F}_q) \mid [\ell]P = \infty\}$

◮ Structure of E[ℓ] for gcd(ℓ, q) = 1 is Z/ℓZ × Z/ℓZ.
◮ Let $\ell \mid \#E(\mathbb{F}_q)$, then $E(\mathbb{F}_q)[\ell]$ gives at least one component.
◮ Embedding degree: k minimal with $\ell \mid (q^k - 1)$.
◮ Note ℓ-roots of unity $\mu_\ell \subseteq \mathbb{F}_{q^k}^\times$.
◮ If k > 1 then $E(\mathbb{F}_{q^k})[\ell] = E[\ell]$.
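
An added example, not part of the original slides: the checks stated on the slides about the number of points, the general attacks and the embedding degree, run on the toy curve $y^2 = x^3 + x + 3 \bmod 23$ plotted earlier. The function names are this example's own, and the second curve is constructed here for contrast.

```python
def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b, p an odd prime (brute force, toy sizes only)."""
    total = 1                                   # the point at infinity
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        if rhs == 0:
            total += 1                          # single point (x, 0)
        elif pow(rhs, (p - 1) // 2, p) == 1:    # Euler's criterion: rhs is a square
            total += 2                          # points (x, y) and (x, -y)
    return total

def factor(n):
    """Trial-division factorisation as {prime: exponent}."""
    out, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            out[d] = out.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        out[n] = out.get(n, 0) + 1
    return out

def embedding_degree(q, ell, limit=10_000):
    """Smallest k with ell | q^k - 1, or None if no k <= limit works."""
    for k in range(1, limit + 1):
        if pow(q, k, ell) == 1:
            return k
    return None

def audit(a, b, p):
    """Apply the slides' checks to one curve over F_p and return the findings."""
    order = count_points(a, b, p)
    t = p + 1 - order                           # trace: #E = q + 1 - t
    ell = max(factor(order))                    # Pohlig-Hellman cost is set by this prime
    return {"order": order, "trace": t, "hasse": t * t <= 4 * p,
            "factors": factor(order), "largest_prime": ell,
            "embedding_degree": embedding_degree(p, ell)}

PAGE_CURVE = audit(1, 3, 23)        # the curve plotted in the slides
TOY_PRIME_ORDER = audit(2, 2, 17)   # constructed contrast: y^2 = x^3 + 2x + 2 mod 17
```

The slides' curve has 27 = 3³ points, so Pohlig-Hellman reduces its ECDLP to subgroups of order 3, while the constructed curve has prime order 19; both are far too small for use and only illustrate the checks.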

SLIDE 22

Functions and divisors

◮ Consider the function $f = \frac{(x-1)^2(x+2)}{x}$ on $\mathbb{P}^1$

[Figure: graph of f.]

◮ Divisor of f: $(f) = 2(P_1) + (P_{-2}) - (P_0) - 2(P_\infty)$
◮ Support of (f): $\mathrm{Supp}((f)) = \{P_1, P_{-2}, P_0, P_\infty\}$
◮ Given divisor (f), function is determined up to constant.

SLIDE 23

Miller functions

◮ Let $P \in E(\mathbb{F}_q)$ and $n \in \mathbb{N}$.
◮ A Miller function $f_{n,P}$ is any function in $\mathbb{F}_q(E)$ with divisor

$(f_{n,P}) = n(P) - ([n]P) - (n - 1)(\infty)$

◮ $f_{n,P}$ is determined up to a constant $c \in \mathbb{F}_q^\times$.
◮ $f_{n,P}$ has a zero at P of order n.
◮ $f_{n,P}$ has a pole at [n]P of order 1.
◮ $f_{n,P}$ has a pole at ∞ of order (n − 1).
◮ For every point $Q \neq P, [n]P, \infty$, we have $f_{n,P}(Q) \in \mathbb{F}_q^\times$.

SLIDE 24

Tate pairing

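◮ Let $P \in E(\mathbb{F}_{q^k})[\ell]$ and $f_{\ell,P} \in \mathbb{F}_{q^k}(E)$ with

$(f_{\ell,P}) = \ell(P) - \ell(\infty)$

◮ Note: $f_{\ell,P}$ has zero of order ℓ at P and pole of order ℓ at ∞.
◮ Tate pairing is defined as (assuming normalisation)

$\langle P, Q \rangle_\ell = f_{\ell,P}(Q)$

◮ Technical stuff: need to adjust domain and image

$\langle \cdot, \cdot \rangle_\ell : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k})/\ell E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^\times / (\mathbb{F}_{q^k}^\times)^\ell$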

SLIDE 25

Reduced Tate pairing

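◮ By definition, value of $\langle \cdot, \cdot \rangle_\ell$ only defined up to ℓ-th powers.

$\langle \cdot, \cdot \rangle_\ell : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k})/\ell E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^\times / (\mathbb{F}_{q^k}^\times)^\ell$

◮ In practice: want unique output of the function!
◮ Reduced Tate pairing $e : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k})/\ell E(\mathbb{F}_{q^k}) \to \mu_\ell$

$e(P, Q) = \langle P, Q \rangle_\ell^{(q^k - 1)/\ell} = f_{\ell,P}(Q)^{(q^k - 1)/\ell}$

◮ Tate pairing is bilinear and non-degenerate.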

SLIDE 26

Miller’s Algorithm

◮ Use double-add algorithm to compute $f_{n,P}$ for any $n \in \mathbb{N}$.
◮ Exploit relation:

$f_{m+n,P} = f_{m,P} \cdot f_{n,P} \cdot \frac{l_{[n]P,[m]P}}{v_{[n+m]P}}$

◮ $l_{[n]P,[m]P}$: the line through [n]P and [m]P
◮ $v_{[n+m]P}$: the vertical line through [n + m]P
◮ Evaluate at Q in every step

SLIDE 27

Conclusions

◮ Elliptic curves provide an alternative to RSA & DSA
◮ No sub-exponential time algorithm to solve ECDLP
◮ Smaller key sizes, sometimes faster than DSA & RSA, more future proof
◮ Typical applications: PDAs, phones, smart cards, ...
◮ Examples: Blackberry, Wii, German passports, future EMV
◮ Pairings on elliptic curves: identity based crypto, short signatures, ...

SLIDE 28

EC Digital Signature Algorithm (ECDSA)

◮ ECDSA is elliptic curve analog of DSA
◮ Used to provide data origin authentication, data integrity and non-repudiation
◮ Standards for ECC (including ECDSA & ECIES):
  ◮ ANSI X9.62, X9.63
  ◮ NIST FIPS 186-2
  ◮ IEEE 1363-2000
  ◮ ISO/IEC 14888-3, 9796-4, 15946
  ◮ SECG

SLIDE 29

EC Key Pair Generation

◮ Domain parameters
  ◮ Elliptic curve E over finite field $\mathbb{F}_q$
  ◮ Point $G \in E(\mathbb{F}_q)$, n = ord(G) and cofactor $h = \#E(\mathbb{F}_q)/n$
◮ Private and public key
  ◮ Select random integer d in the interval [1, n − 1]
  ◮ Compute Q = d · G
  ◮ Public key is Q, Private key is d

SLIDE 30

ECDSA Signature Generation

To sign a message m do the following:

1. Select a random integer k with 1 ≤ k ≤ n − 1
2. Compute $k \cdot G = (x_1, y_1)$ and $r \equiv x_1 \bmod n$. If r = 0 go to step 1
3. Compute $k^{-1} \bmod n$
4. Compute e = HASH(m)
5. Compute $s \equiv k^{-1}(e + dr) \bmod n$. If s = 0 go to step 1
6. The signature for the message m is (r, s)

SLIDE 31

ECDSA Signature Verification

To verify a signature (r, s) on m do the following:

1. Verify that r and s are integers in the interval [1, n − 1]
2. Compute e = HASH(m)
3. Compute $w \equiv s^{-1} \bmod n$
4. Compute $u_1 \equiv ew \bmod n$ and $u_2 \equiv rw \bmod n$
5. Compute $u_1 \cdot G + u_2 \cdot Q = (x_1, y_1)$ and $v \equiv x_1 \bmod n$
6. Accept signature if and only if v = r

SLIDE 32

ECDSA vs. RSA: Speed (ms)

| Elliptic curve over $\mathbb{F}_{2^{233}}$ | RIM pager | PalmPilot | Pentium II |
|---|---|---|---|
| Key Generation | 1,552 | 2,573 | 3.11 |
| ECDSA Signing | 1,910 | 3,080 | 4.03 |
| ECDSA Verifying | 3,701 | 5,878 | 7.87 |

| 2048-bit modulus | RIM pager | PalmPilot | Pentium II |
|---|---|---|---|
| RSA Key Generation | — | — | 26,442 |
| RSA Signing | 111,956 | 288,236 | 440.69 |
| RSA Verifying (e = 3) | 1,087 | 2,392 | 4.2 |
| RSA Verifying (e = $2^{16} + 1$) | 3,608 | 7,973 | 13.45 |

More info: Brown et al.: PGP in Constrained Wireless Devices
