Elliptic curves and cryptography
Jan Willemson, September 2019
Intro: some ancient cryptography
Diffie-Hellman key exchange
Prime p, $g \in \mathbb{Z}_p^*$. One party picks $a \in \mathbb{Z}$ and sends $g^a$; the other picks $b \in \mathbb{Z}$ and sends $g^b$. Both compute the shared value $(g^b)^a = (g^a)^b$.
Security of DH key exchange
Computational DH problem (CDH)
Given a group G and $g, g^a, g^b \in G$, find $g^{ab}$.
Discrete logarithm problem (DL)
Given a group G and $g, g^a \in G$, find a. Obviously, simplicity of DL implies simplicity of CDH. Thus, in order for DH key exchange to be secure, DL must be hard.
How hard is DL?
In discrete groups, approximation algorithms do not work. In generic groups, the best known algorithms (baby-step giant-step, Pollard’s ρ) require about $\sqrt{|G|}$ group operations.
Note that $\sqrt{|G|}$ is still exponential in the length of the group element representation. In case of specific groups we may be able to do better.
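An added example (not from the slides): a toy Diffie-Hellman exchange in $\mathbb{Z}_p^*$ with $p = 2^{31} - 1$, followed by baby-step giant-step recovering the exponent from the exchanged values in about $2\sqrt{p-1}$ multiplications instead of $p - 1$. The prime, generator, exponents and function names are this example's own choices, picked small enough to run instantly and show why a real group must be far larger.

```python
from math import isqrt

# Toy parameters (chosen for this example): Mersenne prime p = 2^31 - 1;
# 7 is a primitive root mod p, so <7> is all of Z_p^*.
P = 2**31 - 1
G = 7

def dh_exchange(a, b, p=P, g=G):
    """Both parties' view: return (g^a, g^b, shared secret)."""
    A, B = pow(g, a, p), pow(g, b, p)          # values sent over the wire
    s_a, s_b = pow(B, a, p), pow(A, b, p)
    assert s_a == s_b                          # (g^b)^a = (g^a)^b
    return A, B, s_a

def bsgs(g, h, p):
    """Baby-step giant-step: find k with g^k = h in Z_p^*.
    Returns (k, number of modular multiplications). With order bound
    n = p - 1 and m = ceil(sqrt(n)) this costs at most 2m multiplications,
    i.e. about sqrt(|G|) group operations, as stated on the slide."""
    n = p - 1
    m = isqrt(n) + 1
    table, cur, ops = {}, 1, 0
    for j in range(m):                         # baby steps: remember g^j -> j
        table.setdefault(cur, j)
        cur = cur * g % p
        ops += 1
    step = pow(g, n - m, p)                    # g^(-m), since g^n = 1 (Fermat)
    gamma = h
    for i in range(m):                         # giant steps: h * g^(-i*m)
        if gamma in table:
            return i * m + table[gamma], ops
        gamma = gamma * step % p
        ops += 1
    return None, ops

def recover_shared_secret(A, B, p=P, g=G):
    """What a passive observer of A = g^a and B = g^b can compute when p is
    this small: solve the DL for a, then raise B to it."""
    k, ops = bsgs(g, A, p)
    return pow(B, k, p), ops
```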
DL in $\mathbb{Z}_p^*$
In case of $\mathbb{Z}_p^*$, sieving algorithms give (heuristic) time for solving DL to be $L_p\left[\tfrac{1}{3}, \left(\tfrac{64}{9}\right)^{1/3}\right]$, where $L_p[\alpha, c] = e^{c(\ln p)^{\alpha}(\ln \ln p)^{1-\alpha}}$. If α = 0, $L_p[\alpha, c] = (\ln p)^c$, polynomial in ln p. If α = 1, $L_p[\alpha, c] = e^{c \ln p}$, exponential in ln p. If α = 1/3, $L_p[\alpha, c]$ is between polynomial and exponential.
If $p \approx 2^{2048}$, $L_p\left[\tfrac{1}{3}, \left(\tfrac{64}{9}\right)^{1/3}\right] \approx 2^{116.9}$.
Generic group methods would give $\sqrt{|\mathbb{Z}_p^*|} \approx 2^{1024}$.
Can we find groups that would act more like generic ones?
Apollonius of Perga and conic sections
History of elliptic curves
In the late 3rd – early 2nd centuries BC, Apollonius of Perga studied conic sections and wrote an 8-part monograph on them. For many centuries, his works contained most of the human knowledge on the subject. However, there were some questions he was not able to answer, e.g. how to determine the exact length of an arc of a conic section. The apparatus to answer this question was developed only about 2000 years later. After a long detour, scholars reached the study of equations of the form $y^2 = p(x)$, with p(x) being a cubic polynomial. The set of points defined by such an equation is called an elliptic curve. NB! An ellipse is not an elliptic curve!
Congruent number problem
Definition
A positive rational number n is called a congruent number if there is a rational right triangle with area n: there are rational a, b, c > 0 such that $a^2 + b^2 = c^2$ and $\tfrac{1}{2}ab = n$.
Numbers 5, 6 and 7 are congruent. On the other hand, 1, 2 and 3 are not.
Finding congruent numbers
All primitive Pythagorean triples are of the form $(a, b, c) = (k^2 - \ell^2, 2k\ell, k^2 + \ell^2)$ for $k > \ell > 0$, $(k, \ell) = 1$, $k \not\equiv \ell \pmod 2$.

k  ℓ  (a, b, c)     ½ab  Squarefree part
2  1  (3, 4, 5)       6    6
4  1  (15, 8, 17)    60   15
3  2  (5, 12, 13)    30   30
6  1  (35, 12, 37)  210  210
5  2  (21, 20, 29)  210  210
4  3  (7, 24, 25)    84   21
8  1  (63, 16, 65)  504  126
7  2  (45, 28, 53)  630   70
5  4  (9, 40, 41)   180    5
Some observations
Any squarefree congruent integer will eventually occur in the table. The numbers in the table do not seem to follow a clear pattern.
53 is a congruent number, but it shows up for the first time when k = 1873180325 and ℓ = 1158313156. The corresponding right triangle has area $53 \cdot 297855654284978790^2$.
Some numbers occur several times.
Hmm, how many times?
Search for congruent numbers
We have the system of equations $a^2 + b^2 = c^2$, $ab/2 = n$. Some rewriting:
$$\left(\frac{a+b}{2}\right)^2 = \frac{a^2 + 2ab + b^2}{4} = \frac{c^2 + 4n}{4} = \left(\frac{c}{2}\right)^2 + n,$$
$$\left(\frac{a-b}{2}\right)^2 = \frac{a^2 - 2ab + b^2}{4} = \frac{c^2 - 4n}{4} = \left(\frac{c}{2}\right)^2 - n.$$
The rational squares $\left(\frac{a-b}{2}\right)^2$, $\left(\frac{c}{2}\right)^2$ and $\left(\frac{a+b}{2}\right)^2$ form an arithmetic sequence with difference n. Denoting $x = \left(\frac{c}{2}\right)^2$, we get that x − n, x and x + n are squares.
Consequently, so is $(x - n)x(x + n) = x^3 - n^2x$. Thus, every congruent n leads to rational solutions of the equation $y^2 = x^3 - n^2x$.
The converse is also true
The equations of the system $a^2 + b^2 = c^2$, $ab/2 = n$ can be viewed as equations of two surfaces in a 3D space. Their intersection gives a line. With an appropriate change of variables, it can be converted to $y^2 = x^3 - n^2x$.
Theorem
For n ∈ Z, n > 0, there is a 1-1 correspondence between the sets $\{(a, b, c) : a^2 + b^2 = c^2,\ \tfrac{ab}{2} = n\}$ and $\{(x, y) : y^2 = x^3 - n^2x,\ y \neq 0\}$. The correspondence can be implemented by
$$(a, b, c) \mapsto \left(\frac{nb}{c - a}, \frac{2n^2}{c - a}\right), \qquad (x, y) \mapsto \left(\frac{x^2 - n^2}{y}, \frac{2nx}{y}, \frac{x^2 + n^2}{y}\right).$$
Applying the theorem to do magic
We saw that Pythagorean triangles (35, 12, 37) and (21, 20, 29) both have area 210. Applying the Theorem, they give two points on the curve $y^2 = x^3 - 210^2x$, namely (1260, 44100) and (525, 11025). The line through these points is $y = 45x - 12600$. It also intersects the curve in a third point. Replacing y: $(45x - 12600)^2 = x^3 - 210^2x$, i.e. $x^3 - 2025x^2 \pm \ldots = 0$. From Viète’s formulae we get $x_1 + x_2 + x_3 = 2025$, hence $x_3 = 240$ and $y_3 = 45 \cdot 240 - 12600 = -1800$. The point (240, −1800) gives a, b, c < 0, but its reflection in the x-axis, (240, 1800), is also on the curve and gives a new right triangle $\left(\tfrac{15}{2}, 56, \tfrac{113}{2}\right)$ with area 210.
An operation on elliptic curve points
[Figure: points P and Q on the curve, the line through them, and the resulting point P ⊕ Q]
The case P = Q
[Figure: the tangent at P and the resulting point P ⊕ P]
Neutral and opposite elements
[Figure: the neutral element O, a point P and its opposite −P]
The curve $y^2 = x^3 - 5x + 8$ over R
The curve $y^2 = x^3 - 5x + 8$ over GF(37)
The elliptic curve point group
The operation ⊕ turns out to be commutative and associative; it also has a neutral element and opposite elements. All in all, we get a (commutative) group. In case of an elliptic curve defined over a finite field, we define “tangents” using explicit formulae obtained via formal differentiation. Hasse’s theorem states that an elliptic curve group defined over a q-element finite field has N elements where $|N - (q + 1)| \le 2\sqrt{q}$.
Homework: We know that the (3, 4, 5)-triangle has area 6. Find another rational right triangle with area 6.
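An added example (not from the slides) that serves both the “magic” slide and the homework: the Theorem’s two maps and the chord/tangent step on $y^2 = x^3 - n^2x$ in exact rational arithmetic, so two triangles of area n (or one triangle with itself, via the tangent) yield a new one. Function names are this example’s own; the reflection step mirrors what the slide does by hand.

```python
from fractions import Fraction as F

def triangle_to_point(a, b, c, n):
    """Theorem map (a, b, c) -> (nb/(c - a), 2n^2/(c - a)) onto y^2 = x^3 - n^2 x."""
    a, b, c = F(a), F(b), F(c)
    return (n * b / (c - a), 2 * n * n / (c - a))

def point_to_triangle(x, y, n):
    """Inverse map (x, y) -> ((x^2 - n^2)/y, 2nx/y, (x^2 + n^2)/y); needs y != 0."""
    return ((x * x - n * n) / y, 2 * n * x / y, (x * x + n * n) / y)

def on_curve(x, y, n):
    return y * y == x ** 3 - n * n * x

def add(P, Q, n):
    """P (+) Q on y^2 = x^3 - n^2 x: chord for P != Q, tangent (formal
    derivative 3x^2 - n^2 over 2y) for P == Q.  The third intersection
    point from Viete's formula is reflected in the x-axis."""
    (x1, y1), (x2, y2) = P, Q
    if P == Q:
        lam = (3 * x1 * x1 - n * n) / (2 * y1)
    else:
        lam = (y2 - y1) / (x2 - x1)
    x3 = lam * lam - x1 - x2            # x1 + x2 + x3 = lam^2
    y3 = lam * (x1 - x3) - y1
    return (x3, y3)

def new_triangle(t1, t2, n):
    """Combine two rational right triangles of area n into a third one.
    With t1 == t2 this is the tangent step, which answers the homework."""
    P, Q = triangle_to_point(*t1, n), triangle_to_point(*t2, n)
    x, y = add(P, Q, n)
    if y < 0:                           # use the mirror point so a, b, c > 0
        y = -y
    return point_to_triangle(x, y, n)

def is_right_triangle_of_area(t, n):
    a, b, c = t
    return min(a, b, c) > 0 and a * a + b * b == c * c and a * b / 2 == n
```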
Elliptic curve DL problem
For a curve point P and integer k > 0 define $[k]P = \underbrace{P \oplus P \oplus \ldots \oplus P}_{k}$.
Elliptic curve DL problem
Given points P and Q on the elliptic curve, find integer k such that Q = [k]P. It turns out that a well-chosen elliptic curve point group behaves like a generic one w.r.t. the DL problem. The best algorithms for a good EC group of order $\approx 2^{256}$ require $\approx 2^{128}$ group operations. This allows for short ECC keys.
ECDH key exchange
ECC group G, point P ∈ G. One party picks a ∈ Z and sends [a]P; the other picks b ∈ Z and sends [b]P. Both compute [a]([b]P) = [ab]P = [b]([a]P).
ECIES protocol
ECIES (Elliptic Curve Integrated Encryption Scheme) uses the structure of ECDH for key agreement, with the recipient’s public key typically being static and coming from his public key certificate. The agreed-upon group element is then used as input to a Key Derivation Function (KDF) to produce a symmetric (typically AES) key that is used for the actual encryption. A static public key means that the protocol cannot be forward-secure.
Estonian ID card curve
Estonian ID card uses the curve P-384 defined by the equation $y^2 = x^3 - 3x + b \pmod p$, where $p = 2^{384} - 2^{128} - 2^{96} + 2^{32} - 1$ and
b = b3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
The coordinates of the base point G are
Gx = aa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7
Gy = 3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f
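An added example (not from the slides) serving the point-group, ECDH and P-384 slides: affine chord/tangent addition and double-and-add scalar multiplication over GF(p), a brute-force point count of the slide’s GF(37) curve checked against Hasse’s bound, a check that the printed P-384 base point actually lies on the curve, and a toy ECDH on P-384. Function names, the base point (1, 2) on the GF(37) curve and the random scalars are this example’s own; it deliberately omits point validation and key derivation.

```python
from secrets import randbelow

def ec_add(P, Q, a, p):
    """P (+) Q on y^2 = x^3 + a*x + b over GF(p); None stands for O."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                   # P (+) (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p)  # tangent: formal derivative
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p)         # chord through P and Q
    x3 = (lam * lam - x1 - x2) % p                    # Viete: x1 + x2 + x3 = lam^2
    y3 = (lam * (x1 - x3) - y1) % p                   # third point, reflected
    return (x3, y3)

def ec_mul(k, P, a, p):
    """[k]P = P (+) ... (+) P (k times) by double-and-add."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def on_curve(P, a, b, p):
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def group_order(a, b, p):
    """Brute-force N = number of affine points plus O; fine for tiny p."""
    return 1 + sum(on_curve((x, y), a, b, p) for x in range(p) for y in range(p))

def hasse_ok(N, q):
    """Hasse: |N - (q + 1)| <= 2 sqrt(q), checked in integers."""
    return (N - (q + 1)) ** 2 <= 4 * q

# Slide curve y^2 = x^3 - 5x + 8 over GF(37); (1, 2) is on it as 1 - 5 + 8 = 4.
A37, B37, P37, G37 = -5, 8, 37, (1, 2)

# P-384 as printed on the Estonian ID card slide (a = -3).
P384_P = 2**384 - 2**128 - 2**96 + 2**32 - 1
P384_B = 0xb3312fa7e23ee7e4988e056be3f82d19181d9c6efe8141120314088f5013875ac656398d8a2ed19d2a85c8edd3ec2aef
P384_G = (0xaa87ca22be8b05378eb1c71ef320ad746e1d3b628ba79b9859f741e082542a385502f25dbf55296c3a545e3872760ab7,
          0x3617de4a96262c6f5d9e98bf9292dc29f8f41dbd289a147ce9da3113b5f0b8c00a60b1ce1d7e819d7a431d7c90ea0e5f)

def ecdh(p=P384_P, a=-3, G=P384_G):
    """Toy ECDH: exchange [a]G and [b]G, both sides get [ab]G. No validation, no KDF."""
    sa, sb = 1 + randbelow(p - 1), 1 + randbelow(p - 1)   # private scalars (example's own)
    A, B = ec_mul(sa, G, a, p), ec_mul(sb, G, a, p)       # public points sent over the wire
    return ec_mul(sa, B, a, p), ec_mul(sb, A, a, p)       # [a]([b]G) and [b]([a]G)
```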
Epilogue: The method of tangents (I)
Diophantus, Arithmetica, book IV, problem 24
Divide a given number into two numbers such that their product is a cube minus its side. In modern terms, given a ∈ Q, find a rational point on the curve $x(a - x) = y^3 - y$.
Epilogue: The method of tangents (II)
The equation $x(a - x) = y^3 - y$ has a trivial solution (0, −1). Through this point, draw a line $y = kx - 1$ (Diophantus initially takes k = 2 here) and find its intersection with the curve: $ax - x^2 = y^3 - y = k^3x^3 - 3k^2x^2 + 2kx$. For x to be rational, it suffices to make the coefficients of x equal, i.e. to put k = a/2. Then $-x^2 = k^3x^3 - 3k^2x^2$, giving (besides the double solution x = 0) $x = \frac{3k^2 - 1}{k^3} = \frac{2(3a^2 - 4)}{a^3}$.
The line $y = \tfrac{a}{2}x - 1$ is a tangent to the curve $x(a - x) = y^3 - y$!
Epilogue: The method of secants (I)
Diophantus, Arithmetica, book IV, problem 26
Find two [rational] numbers such that their product augmented by either gives a cube. Let a, x ∈ Q. If we take one of the numbers to be $a^3x$ and the other $x^2 - 1$, then their product augmented by the first number, $a^3x(x^2 - 1) + a^3x = a^3x^3$, gives a (rational) cube. It remains to find a rational solution to the equation $a^3x^3 + x^2 - a^3x - 1 = y^3$.
Epilogue: The method of secants (II)
It remains to find a rational solution to the equation $a^3x^3 + x^2 - a^3x - 1 = y^3$. The curve has a rational point (0, −1). Draw a straight line $y = kx - 1$ through it. Intersecting the curve and the line gives $(a^3 - k^3)x^3 + (1 + 3k^2)x^2 - (a^3 + 3k)x = 0$. To get a rational solution, make the coefficient of $x^3$ equal to 0, i.e. take k = a. Besides x = 0, the remaining equation gives $x = \frac{a^3 + 3a}{1 + 3a^2}$.
Epilogue: The method of secants (III)
Where are the three intersection points?
Epilogue: The method of secants (IV)
Rewrite the equation of the curve in the homogeneous coordinates u, v, z, i.e. make the substitution x = u/z, y = v/z: $a^3u^3 + u^2z - a^3uz^2 - z^3 = v^3$. This curve has points $P_1 = (0, -1, 1)$ (corresponding to the “regular” point (0, −1)) and $P_2 = (1, a, 0)$, which is a point at infinity! In general, algebraic (including elliptic) curves are often treated in homogeneous coordinates, because the point at infinity does not need special treatment then.
The cannonball problem
For which values of n does the cannonball pyramid of n layers contain a square number of cannonballs?
$1^2 + 2^2 + \ldots + n^2 = \tfrac{1}{6}n(n + 1)(2n + 1)$
$y^2 = \tfrac{1}{6}x(x + 1)(2x + 1)$
The curve contains points (0, 0) and (1, 1).
Solving the cannonball problem
The line through (0, 0) and (1, 1) has equation y = x. The curves $y^2 = \tfrac{1}{6}x(x + 1)(2x + 1)$ and y = x meet again at $\left(\tfrac{1}{2}, \tfrac{1}{2}\right)$.
By symmetry, the curve also contains the point $\left(\tfrac{1}{2}, -\tfrac{1}{2}\right)$.
The line through (1, 1) and $\left(\tfrac{1}{2}, -\tfrac{1}{2}\right)$ has equation y = 3x − 2.
The curves $y^2 = \tfrac{1}{6}x(x + 1)(2x + 1)$ and y = 3x − 2 meet again at (24, 70). It can be shown that x = 0, x = 1 and x = 24 are the only integer solutions to the cannonball problem.
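An added example (not from the slides) replaying the chord construction above in exact arithmetic. It goes a little beyond the slide: the third-intersection step is written for any cubic $y^2 = f(x)$ via Viète’s formula (the cannonball curve is not in Weierstrass form), and the tangent case uses the formal derivative, as the point-group slide describes. The coefficient encoding and function names are this example’s own.

```python
from fractions import Fraction as F

# Cannonball curve y^2 = f(x), f(x) = x(x+1)(2x+1)/6 = (2x^3 + 3x^2 + x)/6,
# stored as the coefficients [a0, a1, a2, a3] of f.
CANNONBALL = [F(0), F(1, 6), F(1, 2), F(1, 3)]

def f(coeffs, x):
    return sum(c * x ** i for i, c in enumerate(coeffs))

def on_curve(coeffs, P):
    x, y = P
    return y * y == f(coeffs, x)

def third_point(coeffs, P, Q):
    """Third intersection of the line through P and Q with y^2 = f(x).
    With the line y = mx + c, substitution gives
    a3 x^3 + (a2 - m^2) x^2 + ... = 0, so by Viete x1 + x2 + x3 = (m^2 - a2)/a3.
    For P == Q the slope is the tangent slope m = f'(x)/(2y).
    The raw intersection is returned (no reflection), as on the slides."""
    a0, a1, a2, a3 = coeffs
    x1, y1 = F(P[0]), F(P[1])
    x2, y2 = F(Q[0]), F(Q[1])
    if (x1, y1) == (x2, y2):
        m = sum(i * c * x1 ** (i - 1) for i, c in enumerate(coeffs) if i) / (2 * y1)
    else:
        m = (y2 - y1) / (x2 - x1)
    c = y1 - m * x1
    x3 = (m * m - a2) / a3 - x1 - x2
    return (x3, m * x3 + c)

def solve_cannonball():
    """Replay the slide: (0,0),(1,1) -> (1/2,1/2); mirror it; with (1,1) -> (24,70)."""
    R = third_point(CANNONBALL, (0, 0), (1, 1))
    R_mirror = (R[0], -R[1])                  # symmetry of y^2 = f(x) in the x-axis
    S = third_point(CANNONBALL, (1, 1), R_mirror)
    return R, S

def pyramid(n):
    """Cannonballs in an n-layer pyramid: 1^2 + ... + n^2 = n(n+1)(2n+1)/6."""
    return n * (n + 1) * (2 * n + 1) // 6
```

The tangent at (1, 1) gives a further rational point, x = 1/48, which is on the curve but, unlike x = 24, not an integer solution.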