finding cryptographically strong elliptic curves
play

Finding Cryptographically Strong Elliptic Curves An Introduction - PowerPoint PPT Presentation

Apr 29, 2023 •244 likes •662 views

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de

  1. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math´ ematiques de Luminy, Universit´ e de la M´ editerran´ ee Aix-Marseille II School of Mathematics and Statistics, University of Sydney Crypto’puces, 2009 Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  2. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Outline 1 Elliptic curve cryptography 2 Secure domain parameters 3 Case study: finding secure Edwards curves Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  3. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Outline 1 Elliptic curve cryptography 2 Secure domain parameters 3 Case study: finding secure Edwards curves Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  4. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Elliptic curves I Let F q be a finite field, where q = p d , p is prime, d is positive. An elliptic curve over F q is the set of points ( x , y ) ∈ F 2 q that satisfy the equation y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 , together with a special point called the point at infinity . Here, a 1 , a 2 , a 3 , a 4 and a 6 are elements of F q . The discriminant of the equation must be nonzero. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  5. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Elliptic curves II The points on an elliptic curve form a group with identity element being the point at infinity. Denote the group law on a curve by ⊕ . Denote scalar multiplication by n of a point P by [ n ] P = P ⊕ P ⊕ · · · ⊕ P � �� � n times Elliptic curves thus provide a plentiful source of groups for use in cryptography. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  6. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Discrete logarithm problem I Let E be an elliptic curve over F q . Suppose that G generates a cyclic subgroup C of E ( F q ), i.e. C is the (finite) set � � C = 0 , G , [2] G , [3] G , . . . . If Q ∈ C , then there is a number n such that [ n ] G = Q . The discrete logarithm problem (DLP) is the problem of finding n given G and Q . Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  7. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Discrete logarithm problem II Let C be a cyclic subgroup of E ( F q ) containing ℓ points. Suppose further that ℓ is prime. With a few exceptions, the best known algorithms to solve the DLP in C take about 2 n / 2 operations when ℓ is an n -bit number. We will talk about the exceptions in the next section. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  8. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Domain parameters Let E be an elliptic over F q , where q = p d . Then the parameters of interest are the prime p and the positive integer d that define F q ; the coefficients a 1 , a 2 , a 3 , a 4 and a 6 that define E ; a point G on E that generates a (large) cyclic subgroup of E ( F q ); and the number of points ℓ in the cyclic subgroup generated by G . Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  9. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange I Suppose Alice and Bob wish to generate a shared secret, perhaps for use with a symmetric cipher. The setup (which need only be done once) is: They agree on the domain parameters (from previous slide). They each generate a key pair , consisting of a random number k between 1 and ℓ − 1 (the private key ); and the point P = [ k ] G (the public key ) on E . Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  10. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  11. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  12. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  13. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  14. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  15. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  16. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Outline 1 Elliptic curve cryptography 2 Secure domain parameters 3 Case study: finding secure Edwards curves Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  17. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Key size and security I Key size of a cipher does not equal the security of the cipher. The key size is the bit length of the keys used. The security of the cipher is a (logarithmic) measure of the number of operations needed for the fastest known algorithm to break the cipher. For (most modern) symmetric ciphers, these are usually the same. For (all existing) public key ciphers these are never the same. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA

Rational Points on Modular Elliptic Curves I. Elliptic Curves Hedrick Lecture Series MAA MathFest Boulder, Colorado August 2003 http://www.math.mcgill.ca/darmon /slides/slides.html Elliptic Curves Definition : An elliptic curve over the

494 views • 26 slides
Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Weierstra Equations 2 d 4 16 ( 1 t 2 / 4 ) Singular points

Elliptic curves over F q Introduction History length of ellipses why Elliptic curves? Fields Weierstra Equations Singular points The Discriminant E LLIPTIC CURVES OVER FINITE FIELDS Elliptic curves / F 2 Elliptic curves / F 3 The sum of

660 views • 32 slides
Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of

Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of

Curves Over Q ( 5) Stein Elliptic Curves over Q ( 5) William Stein, University of Washington (This is part of the NSF-funded AIM FRG project on Databases of L -functions) February 2011 Curves Over Q ( 5) Stein 1. Finding

536 views • 34 slides
Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known

Well-known forms of elliptic curves Toric forms of elliptic curves Forms of elliptic curves Wouter Castryck Forms of elliptic curves First definitions Well-known forms of elliptic curves Projective coordinates Toric forms of elliptic curves

478 views • 46 slides
Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo

Elliptic Curves in Sage Elliptic Curves in Sage William Stein Sage Project Functionality William Stein Demo Questions? October 19 at ECC 2010 Lowest (known) conductor elliptic curves of ranks 0,1,2,3,4 Abstract Elliptic Curves in Sage

628 views • 14 slides
Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex

Lecture 11: Elliptic curves and their moduli May 26, 2020 1 / 9 Elliptic curves and complex tori E a , b : y 2 x 3 ` ax ` b , 4 a 3 ` 27 b 2 0 4 a 3 j p E a , b q 1728 4 a 3 ` 27 b 2 Theorem. The map z r p z q : 1 2 1 p

646 views • 9 slides
Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft

Isogenies and endomorphism rings of elliptic curves ECC Summer School Damien Robert Microsoft Research 15 / 09 / 2011 (Nancy) 2 / 66 Outline 1 Isogenies on elliptic curves 2 Endomorphisms 3 Supersingular elliptic curves 4 Abelian varieties

1.84k views • 79 slides
The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards

What is an elliptic curve? Elliptic Curves in Cryptography. ECDLP resolution. -Pollard and CUDA. Conclusions The Elliptic Curves Discrete Logarithm Problem and an implementation of parallelized Pollards algorithm for ECDLP Alberto

1.52k views • 103 slides
Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation

Deterministic Generation of Elliptic Curves (a.k.a. "NUMS" Curves) Motivation Reduced customer confidence in NIST-standardized curves (FIPS 186-3) Industry moving to Perfect Forward Secrecy (PFS) ciphersuites (e.g. ECDHE)

306 views • 11 slides
Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration

Faltings Heights of CM Elliptic Curves Tyler Genao Florida Atlantic University In collaboration with Adrian Barquero-Sanchez, Lindsay Cadwallader, Olivia Cannon, Riad Masri Tyler Genao Faltings Heights of CM Elliptic Curves Elliptic Curves

571 views • 41 slides
Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School

Elliptic Curves II Reinier Br oker Fields Institute & University of Calgary Summer School before ECC September 2006 Elliptic curves An elliptic curve E over a field K is given by a Weierstra equation Y 2 + h ( X ) Y = f ( X ) with h, f

416 views • 13 slides
The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick

The symplectic type of congruences between elliptic curves John Cremona University of Warwick joint work with Nuno Freitas (Warwick) AGC 2 T Luminy, 10 June 2019 Overview 1. Elliptic curves, mod p Galois representations, Weil pairing. 2.

954 views • 70 slides
Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j

Elliptic curves over F q F. Pappalardi Lecture 2 Elliptic curves over finite fields The Group structure Reminder from Monday the j -invariant Research School: Algebraic curves over finite fields Points of finite order

581 views • 29 slides
Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves

Recent Advances in Parallel Implementations of Scalar Multiplication over Binary Elliptic Curves C. Negre and J.M. Robert april 8, 2015 1 / 39 Outline Overview of elliptic curve cryptography 1 Implementation of F 2 m arithmetic 2 Elliptic

781 views • 75 slides
Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a

Elliptic Curves over the Rational Mordells Theorem Numbers Q An elliptic curve is a nonsingular plane cu- Theorem (Mordell). The group E ( Q ) of rational points on an bic curve with a rational point (possibly at elliptic curve is a

402 views • 7 slides
Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is

Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is

Curves Over Q ( 5) Elliptic Curves over Q ( 5) Stein William Stein, University of Washington This is part of the NSF-funded AIM FRG project on Databases of L -functions. This talk had much valuable input from Noam Elkies, John Voight,

567 views • 40 slides
Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve

Cryptography Elliptic Curve Cryptography Overview of Elliptic Curve Cryptography Elliptic Curve Cryptography Applications of Elliptic Curve Cryptography Elliptic Curve Cryptography Cryptography in OpenSSL School of Engineering and

857 views • 17 slides
Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Quick Review: Quadratic Residues Koblitzs Method We want to solve equations like: All of the

Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1)

337 views • 5 slides
Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July

Elliptic-curve cryptography Tanja Lange Technische Univesiteit Eindhoven The Netherlands July 23, 2014 1 / 12 Elliptic-curve cryptography: signatures and key exchange Given: some elliptic curve E , point P on E of known order . Key

885 views • 16 slides
elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June

A gentle introduction to elliptic curve cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 11, 2018 ibenik , Croatia Part 1: Motivation Part 2: Elliptic Curves Part 3: Elliptic Curve Cryptography Part 4:

1.38k views • 48 slides
Ellip%c Curve Cryptography Chester Rebeiro IIT Madras Slides borrowed from Prof. D.

Ellip%c Curve Cryptography Chester Rebeiro IIT Madras Slides borrowed from Prof. D.

Ellip%c Curve Cryptography Chester Rebeiro IIT Madras Slides borrowed from Prof. D. Mukhopadhyay, IIT Kharagpur Ref: NPTEL course by the same professor available on youtube ECC vs RSA 2 Lets start with a puzzle What is the number of

753 views • 25 slides
High-speed Define 19; prime. elliptic-curve cryptography Define = 358990. Define 1 Curve :

High-speed Define 19; prime. elliptic-curve cryptography Define = 358990. Define 1 Curve :

= 2 255 High-speed Define 19; prime. elliptic-curve cryptography Define = 358990. Define 1 Curve : Z 0 1 by D. J. Bernstein th multiple coordinate of

606 views • 45 slides
Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview

Bitcoin II & Introduction to Elliptic Curve Cryptography Sep. 11, 2019 Overview Bitcoin Transactions Elliptic Curve Cryptography Introduction Arithmetics Signature Bitcoin, the protocol A blockchain Each

992 views • 52 slides
A Finite Field Example Over F p geometric pictures dont make sense. Example Let E : y 2 = x 3

A Finite Field Example Over F p geometric pictures dont make sense. Example Let E : y 2 = x 3

E LLIPTIC CURVES C RYPTOGRAPHY F RANCESCO P APPALARDI #3 - T HIRD L ECTURE . J UNE 18 TH 2019 WAMS S CHOOL : O I NTRODUCTORY TOPICS IN N UMBER T HEORY AND D IFFERENTIAL G EOMETRY King Khalid University Abha, Saudi Arabia A Finite Field Example

404 views • 13 slides

More recommend