Finding Cryptographically Strong Elliptic Curves An Introduction - - PowerPoint PPT Presentation

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Finding Cryptographically Strong Elliptic Curves

An Introduction Hamish Ivey-Law

hlaw@iml.univ-mrs.fr

Institute de Math´ ematiques de Luminy, Universit´ e de la M´ editerran´ ee Aix-Marseille II School of Mathematics and Statistics, University of Sydney

Crypto’puces, 2009

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Outline

1 Elliptic curve cryptography 2 Secure domain parameters 3 Case study: finding secure Edwards curves

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Outline

1 Elliptic curve cryptography 2 Secure domain parameters 3 Case study: finding secure Edwards curves

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Elliptic curves I

Let Fq be a finite field, where q = pd, p is prime, d is positive. An elliptic curve over Fq is the set of points (x, y) ∈ F2

q that

satisfy the equation y2 + a1xy + a3y = x3 + a2x2 + a4x + a6, together with a special point called the point at infinity. Here, a1, a2, a3, a4 and a6 are elements of Fq. The discriminant of the equation must be nonzero.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Elliptic curves II

The points on an elliptic curve form a group with identity element being the point at infinity. Denote the group law on a curve by ⊕. Denote scalar multiplication by n of a point P by [n]P = P ⊕ P ⊕ · · · ⊕ P

• n times

Elliptic curves thus provide a plentiful source of groups for use in cryptography.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Discrete logarithm problem I

Let E be an elliptic curve over Fq. Suppose that G generates a cyclic subgroup C of E(Fq), i.e. C is the (finite) set C =

• 0, G, [2]G, [3]G, . . .
• .

If Q ∈ C, then there is a number n such that [n]G = Q. The discrete logarithm problem (DLP) is the problem of finding n given G and Q.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Discrete logarithm problem II

Let C be a cyclic subgroup of E(Fq) containing ℓ points. Suppose further that ℓ is prime. With a few exceptions, the best known algorithms to solve the DLP in C take about 2n/2 operations when ℓ is an n-bit number. We will talk about the exceptions in the next section.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Domain parameters

Let E be an elliptic over Fq, where q = pd. Then the parameters

• f interest are

the prime p and the positive integer d that define Fq; the coefficients a1, a2, a3, a4 and a6 that define E; a point G on E that generates a (large) cyclic subgroup

• f E(Fq); and

the number of points ℓ in the cyclic subgroup generated by G.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Basic key exchange I

Suppose Alice and Bob wish to generate a shared secret, perhaps for use with a symmetric cipher. The setup (which need only be done once) is: They agree on the domain parameters (from previous slide). They each generate a key pair, consisting of

a random number k between 1 and ℓ − 1 (the private key); and the point P = [k]G (the public key) on E.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Basic key exchange II

Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let (PA, kA) be Alice’s key pair and (PB, kB) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes (xA, yA) = [kA]PB and Bob computes (xB, yB) = [kB]PA. Then xA = xB is the shared secret. In order to break the algorithm, an attacker would need to calculate kA from [kA]G or kB from [kB]G, which involves solving the DLP.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Basic key exchange II

Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let (PA, kA) be Alice’s key pair and (PB, kB) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes (xA, yA) = [kA]PB and Bob computes (xB, yB) = [kB]PA. Then xA = xB is the shared secret. In order to break the algorithm, an attacker would need to calculate kA from [kA]G or kB from [kB]G, which involves solving the DLP.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Basic key exchange II

Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let (PA, kA) be Alice’s key pair and (PB, kB) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes (xA, yA) = [kA]PB and Bob computes (xB, yB) = [kB]PA. Then xA = xB is the shared secret. In order to break the algorithm, an attacker would need to calculate kA from [kA]G or kB from [kB]G, which involves solving the DLP.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Basic key exchange II

Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let (PA, kA) be Alice’s key pair and (PB, kB) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes (xA, yA) = [kA]PB and Bob computes (xB, yB) = [kB]PA. Then xA = xB is the shared secret. In order to break the algorithm, an attacker would need to calculate kA from [kA]G or kB from [kB]G, which involves solving the DLP.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Basic key exchange II

Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let (PA, kA) be Alice’s key pair and (PB, kB) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes (xA, yA) = [kA]PB and Bob computes (xB, yB) = [kB]PA. Then xA = xB is the shared secret. In order to break the algorithm, an attacker would need to calculate kA from [kA]G or kB from [kB]G, which involves solving the DLP.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Basic key exchange II

Alice and Bob can now use the Elliptic Curve Diffie-Hellman (ECDH) key exchange protocol: Let (PA, kA) be Alice’s key pair and (PB, kB) be Bob’s key pair. Alice and Bob must be in possesion of each others public keys, which are safe to transmit over an insecure channel. Alice computes (xA, yA) = [kA]PB and Bob computes (xB, yB) = [kB]PA. Then xA = xB is the shared secret. In order to break the algorithm, an attacker would need to calculate kA from [kA]G or kB from [kB]G, which involves solving the DLP.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Outline

1 Elliptic curve cryptography 2 Secure domain parameters 3 Case study: finding secure Edwards curves

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Key size and security I

Key size of a cipher does not equal the security of the cipher. The key size is the bit length of the keys used. The security of the cipher is a (logarithmic) measure of the number of operations needed for the fastest known algorithm to break the cipher. For (most modern) symmetric ciphers, these are usually the same. For (all existing) public key ciphers these are never the same.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Key size and security I

Key size of a cipher does not equal the security of the cipher. The key size is the bit length of the keys used. The security of the cipher is a (logarithmic) measure of the number of operations needed for the fastest known algorithm to break the cipher. For (most modern) symmetric ciphers, these are usually the same. For (all existing) public key ciphers these are never the same.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Key size and security I

Key size of a cipher does not equal the security of the cipher. The key size is the bit length of the keys used. The security of the cipher is a (logarithmic) measure of the number of operations needed for the fastest known algorithm to break the cipher. For (most modern) symmetric ciphers, these are usually the same. For (all existing) public key ciphers these are never the same.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Key size and security I

Key size of a cipher does not equal the security of the cipher. The key size is the bit length of the keys used. The security of the cipher is a (logarithmic) measure of the number of operations needed for the fastest known algorithm to break the cipher. For (most modern) symmetric ciphers, these are usually the same. For (all existing) public key ciphers these are never the same.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Key size and security II

How big do we need to make the public and private keys to attain a given level of security? Key size Security level Symmetric Cipher FFC IFC ECC 128 AES-128 3072 / 256 3072 256 192 AES-192 7680 / 384 7680 384 256 AES-256 15360 / 512 15360 512 FFC = finite field ciphers (e.g. DSA, D-H) IFC = integer factorisation ciphers (e.g. RSA) ECC = elliptic curve ciphers (e.g. ECDH, ECDSA) (Table from NIST key management recommendations, 2006.)

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Key size and security III

Using 512-bit keys instead of 15360-bit keys to achieve 256-bit security is obviously an advantage in general, but it may even be necessary in constrained environments that have low storage capacity, bandwidth or power consumption limits.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

What curves should we avoid?

The DLP turns out to be easier on some curves. Let E be an elliptic curve over Fpd, and C a cyclic subgroup of E(Fpd) containing ℓ points. To achieve n-bit security using C, ℓ must be bigger than 22n; ℓ must be prime; ℓ must be different to p; if k is the smallest number such that ℓ | (qk − 1), then k should be at least 1000; d must be either 1 (in which case q itself is prime) or a large

• prime. In the latter case the number 2 should have large order

modulo d.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

What curves should we avoid?

The DLP turns out to be easier on some curves. Let E be an elliptic curve over Fpd, and C a cyclic subgroup of E(Fpd) containing ℓ points. To achieve n-bit security using C, ℓ must be bigger than 22n; ℓ must be prime; ℓ must be different to p; if k is the smallest number such that ℓ | (qk − 1), then k should be at least 1000; d must be either 1 (in which case q itself is prime) or a large

• prime. In the latter case the number 2 should have large order

modulo d.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

What curves should we avoid?

The DLP turns out to be easier on some curves. Let E be an elliptic curve over Fpd, and C a cyclic subgroup of E(Fpd) containing ℓ points. To achieve n-bit security using C, ℓ must be bigger than 22n; ℓ must be prime; ℓ must be different to p; if k is the smallest number such that ℓ | (qk − 1), then k should be at least 1000; d must be either 1 (in which case q itself is prime) or a large

• prime. In the latter case the number 2 should have large order

modulo d.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

What curves should we avoid?

The DLP turns out to be easier on some curves. Let E be an elliptic curve over Fpd, and C a cyclic subgroup of E(Fpd) containing ℓ points. To achieve n-bit security using C, ℓ must be bigger than 22n; ℓ must be prime; ℓ must be different to p; if k is the smallest number such that ℓ | (qk − 1), then k should be at least 1000; d must be either 1 (in which case q itself is prime) or a large

• prime. In the latter case the number 2 should have large order

modulo d.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

What curves should we avoid?

The DLP turns out to be easier on some curves. Let E be an elliptic curve over Fpd, and C a cyclic subgroup of E(Fpd) containing ℓ points. To achieve n-bit security using C, ℓ must be bigger than 22n; ℓ must be prime; ℓ must be different to p; if k is the smallest number such that ℓ | (qk − 1), then k should be at least 1000; d must be either 1 (in which case q itself is prime) or a large

• prime. In the latter case the number 2 should have large order

modulo d.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Outline

1 Elliptic curve cryptography 2 Secure domain parameters 3 Case study: finding secure Edwards curves

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Why bother when we could use NISTs published curves?

NIST provides only one random curve and one Koblitz curve over a 512-bit field. We might want more variety. We might want to use special models (e.g. Edwards curves).

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Why bother when we could use NISTs published curves?

NIST provides only one random curve and one Koblitz curve over a 512-bit field. We might want more variety. We might want to use special models (e.g. Edwards curves).

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Edwards curves I

An Edwards curve over Fpm (with p = 2) has the special form x2 + y2 = 1 + dx2y2, where d is in Fpm; d is not a square in Fpm. They have been generalised to binary fields (i.e. p = 2) when m ≥ 3.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Edwards curves II

Edwards curves have some desireable properties: many elliptic curves have an Edwards curve model; addition on Edwards curves is given by a single equation; and addition on Edwards curves is very fast. Note however that an Edwards curve always has a subgroup of

• rder 4, so #E(Fq) is never prime.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Point counting algorithms

The most time-consuming part of finding elliptic curves that satisfy the aforementioned security properties is the calculation of the number of points in E(Fq) (from which we get the order of the cyclic subgroup C). There is a choice: ℓ-adic methods (e.g. SEA); or p-adic methods (e.g. Satoh, Kedlaya, AGM). In general, the p-adic methods are faster, but only the SEA algorithm allows us to “short circuit” the computation when certain factors #E(Fq) are found.

Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Generating secure Edwards curves

1 Select a random number d from Fq. 2 Let E be the Edwards curve x2 + y2 = 1 + dx2y2. 3 Let E : y2 + a1xy + a3y = x3 + a2x2 + a4x + a6 be a

Weierstraß model for E.

4 Count the number of points on E using the SEA algorithm,

allowing a factor of 4 but “short circuiting” otherwise.

5 If SEA short circuited, start again with a different d,

• therwise we have #E(Fq) = 4ℓ for some prime ℓ.

6 Keep picking random points on E until one is found with

• rder bigger than 4. Any such point with generate the cyclic

subgroup of order ℓ.

7 Check that the parameters pass the aforementioned security

properties.

8 If all is well, we can use E for cryptography! Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Generating secure Edwards curves

1 Select a random number d from Fq. 2 Let E be the Edwards curve x2 + y2 = 1 + dx2y2. 3 Let E : y2 + a1xy + a3y = x3 + a2x2 + a4x + a6 be a

Weierstraß model for E.

4 Count the number of points on E using the SEA algorithm,

allowing a factor of 4 but “short circuiting” otherwise.

5 If SEA short circuited, start again with a different d,

• therwise we have #E(Fq) = 4ℓ for some prime ℓ.

6 Keep picking random points on E until one is found with

• rder bigger than 4. Any such point with generate the cyclic

subgroup of order ℓ.

7 Check that the parameters pass the aforementioned security

properties.

8 If all is well, we can use E for cryptography! Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Generating secure Edwards curves

1 Select a random number d from Fq. 2 Let E be the Edwards curve x2 + y2 = 1 + dx2y2. 3 Let E : y2 + a1xy + a3y = x3 + a2x2 + a4x + a6 be a

Weierstraß model for E.

4 Count the number of points on E using the SEA algorithm,

allowing a factor of 4 but “short circuiting” otherwise.

5 If SEA short circuited, start again with a different d,

• therwise we have #E(Fq) = 4ℓ for some prime ℓ.

6 Keep picking random points on E until one is found with

• rder bigger than 4. Any such point with generate the cyclic

subgroup of order ℓ.

7 Check that the parameters pass the aforementioned security

properties.

8 If all is well, we can use E for cryptography! Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Generating secure Edwards curves

1 Select a random number d from Fq. 2 Let E be the Edwards curve x2 + y2 = 1 + dx2y2. 3 Let E : y2 + a1xy + a3y = x3 + a2x2 + a4x + a6 be a

Weierstraß model for E.

4 Count the number of points on E using the SEA algorithm,

allowing a factor of 4 but “short circuiting” otherwise.

5 If SEA short circuited, start again with a different d,

• therwise we have #E(Fq) = 4ℓ for some prime ℓ.

6 Keep picking random points on E until one is found with

• rder bigger than 4. Any such point with generate the cyclic

subgroup of order ℓ.

7 Check that the parameters pass the aforementioned security

properties.

8 If all is well, we can use E for cryptography! Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Generating secure Edwards curves

1 Select a random number d from Fq. 2 Let E be the Edwards curve x2 + y2 = 1 + dx2y2. 3 Let E : y2 + a1xy + a3y = x3 + a2x2 + a4x + a6 be a

Weierstraß model for E.

4 Count the number of points on E using the SEA algorithm,

allowing a factor of 4 but “short circuiting” otherwise.

5 If SEA short circuited, start again with a different d,

• therwise we have #E(Fq) = 4ℓ for some prime ℓ.

6 Keep picking random points on E until one is found with

• rder bigger than 4. Any such point with generate the cyclic

subgroup of order ℓ.

7 Check that the parameters pass the aforementioned security

properties.

8 If all is well, we can use E for cryptography! Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Generating secure Edwards curves

1 Select a random number d from Fq. 2 Let E be the Edwards curve x2 + y2 = 1 + dx2y2. 3 Let E : y2 + a1xy + a3y = x3 + a2x2 + a4x + a6 be a

Weierstraß model for E.

4 Count the number of points on E using the SEA algorithm,

allowing a factor of 4 but “short circuiting” otherwise.

5 If SEA short circuited, start again with a different d,

• therwise we have #E(Fq) = 4ℓ for some prime ℓ.

6 Keep picking random points on E until one is found with

• rder bigger than 4. Any such point with generate the cyclic

subgroup of order ℓ.

7 Check that the parameters pass the aforementioned security

properties.

8 If all is well, we can use E for cryptography! Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Generating secure Edwards curves

1 Select a random number d from Fq. 2 Let E be the Edwards curve x2 + y2 = 1 + dx2y2. 3 Let E : y2 + a1xy + a3y = x3 + a2x2 + a4x + a6 be a

Weierstraß model for E.

4 Count the number of points on E using the SEA algorithm,

allowing a factor of 4 but “short circuiting” otherwise.

5 If SEA short circuited, start again with a different d,

• therwise we have #E(Fq) = 4ℓ for some prime ℓ.

6 Keep picking random points on E until one is found with

• rder bigger than 4. Any such point with generate the cyclic

subgroup of order ℓ.

7 Check that the parameters pass the aforementioned security

properties.

8 If all is well, we can use E for cryptography! Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves

Outline Elliptic curve cryptography Secure domain parameters Case study: finding secure Edwards curves

Generating secure Edwards curves

1 Select a random number d from Fq. 2 Let E be the Edwards curve x2 + y2 = 1 + dx2y2. 3 Let E : y2 + a1xy + a3y = x3 + a2x2 + a4x + a6 be a

Weierstraß model for E.

4 Count the number of points on E using the SEA algorithm,

allowing a factor of 4 but “short circuiting” otherwise.

5 If SEA short circuited, start again with a different d,

• therwise we have #E(Fq) = 4ℓ for some prime ℓ.

6 Keep picking random points on E until one is found with

• rder bigger than 4. Any such point with generate the cyclic

subgroup of order ℓ.

7 Check that the parameters pass the aforementioned security

properties.

8 If all is well, we can use E for cryptography! Hamish Ivey-Law Finding Cryptographically Strong Elliptic Curves