finding cryptographically strong elliptic curves
play

Finding Cryptographically Strong Elliptic Curves An Introduction - PowerPoint PPT Presentation

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math ematiques de


  1. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Finding Cryptographically Strong Elliptic Curves An Introduction Hamish Ivey-Law hlaw@iml.univ-mrs.fr Institute de Math´ ematiques de Luminy, Universit´ e de la M´ editerran´ ee Aix-Marseille II School of Mathematics and Statistics, University of Sydney Crypto’puces, 2009 Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  2. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Outline 1 Elliptic curve cryptography 2 Secure domain parameters 3 Case study: finding secure Edwards curves Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  3. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Outline 1 Elliptic curve cryptography 2 Secure domain parameters 3 Case study: finding secure Edwards curves Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  4. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Elliptic curves I Let F q be a finite field, where q = p d , p is prime, d is positive. An elliptic curve over F q is the set of points ( x , y ) ∈ F 2 q that satisfy the equation y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 , together with a special point called the point at infinity . Here, a 1 , a 2 , a 3 , a 4 and a 6 are elements of F q . The discriminant of the equation must be nonzero. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  5. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Elliptic curves II The points on an elliptic curve form a group with identity element being the point at infinity. Denote the group law on a curve by ⊕ . Denote scalar multiplication by n of a point P by [ n ] P = P ⊕ P ⊕ · · · ⊕ P � �� � n times Elliptic curves thus provide a plentiful source of groups for use in cryptography. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  6. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Discrete logarithm problem I Let E be an elliptic curve over F q . Suppose that G generates a cyclic subgroup C of E ( F q ), i.e. C is the (finite) set � � C = 0 , G , [2] G , [3] G , . . . . If Q ∈ C , then there is a number n such that [ n ] G = Q . The discrete logarithm problem (DLP) is the problem of finding n given G and Q . Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  7. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Discrete logarithm problem II Let C be a cyclic subgroup of E ( F q ) containing ℓ points. Suppose further that ℓ is prime. With a few exceptions, the best known algorithms to solve the DLP in C take about 2 n / 2 operations when ℓ is an n -bit number. We will talk about the exceptions in the next section. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  8. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Domain parameters Let E be an elliptic over F q , where q = p d . Then the parameters of interest are the prime p and the positive integer d that define F q ; the coefficients a 1 , a 2 , a 3 , a 4 and a 6 that define E ; a point G on E that generates a (large) cyclic subgroup of E ( F q ); and the number of points ℓ in the cyclic subgroup generated by G . Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  9. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange I Suppose Alice and Bob wish to generate a shared secret, perhaps for use with a symmetric cipher. The setup (which need only be done once) is: They agree on the domain parameters (from previous slide). They each generate a key pair , consisting of a random number k between 1 and ℓ − 1 (the private key ); and the point P = [ k ] G (the public key ) on E . Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  10. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  11. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  12. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  13. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  14. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  15. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Basic key exchange II Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let ( P A , k A ) be Alice’s key pair and ( P B , k B ) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes ( x A , y A ) = [ k A ] P B and Bob computes ( x B , y B ) = [ k B ] P A . Then x A = x B is the shared secret. In order to break the algorithm, an attacker would need to calculate k A from [ k A ] G or k B from [ k B ] G , which involves solving the DLP. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  16. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Outline 1 Elliptic curve cryptography 2 Secure domain parameters 3 Case study: finding secure Edwards curves Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

  17. Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves Key size and security I Key size of a cipher does not equal the security of the cipher. The key size is the bit length of the keys used. The security of the cipher is a (logarithmic) measure of the number of operations needed for the fastest known algorithm to break the cipher. For (most modern) symmetric ciphers, these are usually the same. For (all existing) public key ciphers these are never the same. Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend


More recommend