Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 ∈ F . Elliptic Curve Cryptography Definition 1. An elliptic curve E over a field F is a curve given by an equation: Jim Royer Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1) CIS 428/628: Introduction to Cryptography If char ( F ) � = 2, 3, then a change of variables can simplify (1) to: November 6, 2018 X 3 + a 1 X + a 2 Y 2 = (2) https://www.certicom.com/content/certicom/en/ecc-tutorial.html Elliptic Curve Cryptography Elliptic Curves Suppose F is a field and a 1 , . . . , a 6 ∈ F . 2018-11-06 Definition 1. An elliptic curve E over a field F is a curve given by an equation: Why Are Elliptic Curves Nifty? Y 2 + a 1 XY + a 3 Y X 3 + a 2 X 2 + a 4 X + a 6 = (1) If char ( F ) � = 2, 3, then a change of variables can simplify (1) to: Y 2 X 3 + a 1 X + a 2 = (2) Elliptic Curves https://www.certicom.com/content/certicom/en/ecc-tutorial.html • They played a key role in Wiles’ solution to the Fermat’s Last Theorem problem and • char ( F ) � = 2, 3 means 1 + 1 � = 0 and 1 + 1 + 1 � = 0. the solution of the Taniyama-Shimura conjecture. • We also require that 4 a 3 1 + 27 a 2 2 � = 0, • There are abelian groups hiding in these curves that are very similar to the Z ∗ p k ’s. or equivalently, x 3 + a 1 x + a 2 has distinct roots. Double roots will break the algebra below. • There are a “lot more” elliptic curves that Z ∗ p k ’s. • You can build cryptosystems based on elliptic curves that require much smaller key length (e.g., 4096 bits vs. 313 bits) for similar security. !!! However ...
Why Are Elliptic Curves Nifty? Elliptic Curve Addition Rules: Geometric, I Addition Rules (Geometric) • They played a key role in Wiles’ solution to the Fermat’s Last Theorem problem and • The curves always include a point at ∞ , where ∞ = − ∞ . the solution of the Taniyama-Shimura conjecture. ∴ The curves are really on a torus/doughnut. • The curves are symmetric around the x-axis. • There are abelian groups hiding in these curves that are very similar to the Z ∗ p k ’s. • P 1 + P 2 = P 3 . 1. Draw a line through P 1 and P 2 . • There are a “lot more” elliptic curves that Z ∗ p k ’s. (If P 1 = P 2 , use the tangent line.) 2. The line hits the curve at a unique third point Q . • You can build cryptosystems based on elliptic curves that require much smaller key 3. Let P 3 be the point symmetric to Q on the other side of the x-axis. length (e.g., 4096 bits vs. 313 bits) for similar security. ❖ Note: P 1 + ∞ = P 1 . ( ∴ ∞ acts like 0.) !!! However ... because of the small key size, and they turn out to be more vulnerable to ❖ Fact: P + Q + R = ∞ iff P , Q , and R are co-linear. quantum attacks! ❖ The addition rules don’t work for ECs with double roots. Elliptic Curve Addition Rules: Geometric, II Elliptic Curve Addition Rules: Algebraic Addition Rules (Algebraic) Suppose Y 2 = X 3 + aX + b E : = ( x 1 , y 1 ) P 1 = ( x 2 , y 2 ) P 2 Then P 1 + P 2 = P 3 = ( x 3 , y 3 ) where m 2 − x 1 − x 2 x 3 = y 3 = m · ( x 1 − x 2 ) − y 1 � ( y 2 − y 1 ) / ( x 1 − x 2 ) , if P 1 � = P 2 = m ( 3 x 3 1 + a ) / ( 2 y 1 ) if P 1 = P 2 (If m = ∞ , then P 3 = ∞ .) Picture from: https://www.certicom.com/content/certicom/en/ 21-elliptic-curve-addition-a-geometric-approach.html Facts: ( P + Q ) + R = P + ( Q + R ) and P + Q = Q + P .
Elliptic Curves mod n, I Elliptic Curves mod n, II How many points are there on an elliptic curve mod m ? Example Theorem 2 (Hasse’s Theorem). Consider: Suppose E : y 2 = x 3 + 2 x + 3 ( mod 5 ) • F q be a finite field with q elements. E = { ( x , y ) ∈ ( Z 5 × Z 5 ) ∪ { ( ∞ , ∞ ) } | y 2 ≡ x 3 + 2 x + 3 ( mod 5 ) } • E is an elliptic curve over F q with N points. = { ( 1, 0 ) , ( 2, 2 ) , ( 2, 3 ) , ( 3, 0 ) , ( 4, 2 ) , ( 4, 3 ) , ( ∞ , ∞ ) } Then | N − q − 1 | < 2 √ q, that is: Point Arithmetic : ( 1, 4 ) + ( 3, 1 ) = ? ( q − 1 ) − 2 √ q < N < ( q − 1 ) + 2 √ q Since ( 1, 4 ) � = ( 3, 1 ) : m = y 2 − y 1 ≡ 1 − 4 3 − 1 ≡ 2 · 2 − 1 ≡ 1 ( mod 5 ) i.e,, there are enough points to make trouble . x 2 − x 1 x 3 ≡ m 2 − x 1 − x 2 ≡ 1 2 − 1 − 3 ≡ 2 ( mod 5 ) Schoof’s Algorithm y 3 ≡ m · ( x 1 − x 3 ) − y 1 ≡ 1 · ( 1 − 2 ) − 4 ≡ 0 ( mod 5 ) Given E over F q , one can find | E | in O (( log 2 q ) 8 ) time. (There are faster algorithms for special cases.) ∴ ( 1, 4 ) + ( 3, 1 ) = ( 2, 0 ) . Elliptic Curves mod N, III Representing Plaintext on Elliptic Curves The Discrete Log Problem for Elliptic The Classical Discrete Log Problem Curves mod m Given: β , α , p ∋ Given: A & B points on E ∋ β ≡ α k ( mod p ) . B = k · A . Find: k . Finding Points on a Given Elliptic Curves Find: k . There is no known deterministic poly-time algorithm for this. • × : Z ∗ • k · A = def A + · · · + A in F q . p :: + :ECs ( mod p ) . However, there are reasonably fast probabilistic methods � �� � (that have a certain probability of failure). k many State of Play: The known algorithms for solving the EC-discrete log problem are even (Good news for Cryptography) worse that the ones for the classical problem. Factoring and Primality Testing with E.C.s See text.
Quick Review: Quadratic Residues Koblitz’s Method We want to solve equations like: All of the following will be public x 2 • Suppose p is a prime with p ≡ 3 ( mod 4 ) ≡ b ( mod n ) (Why?) Theorem 4. and that E : y 2 = x 3 + ax + b is the elliptic curve in question. Suppose a ∈ Z ∗ There may not be a solution. E.g., p where p is prime. • Pick K so that 1/2 K (the failure bound) is tolerably small. a is a quadratric residue mod p x 2 ≡ 3 ( mod 5 ) . iff a ( p − 1 ) /2 ≡ 1 ( mod p ) . m < p − K • Messages will be from { m ∈ Z p K } . Let m be a message. • For j = 0, . . . , K − 1: Definition 3. Proposition 5. p + 1 Suppose a ∈ Z ∗ Set x j = m · K + j & w j = x 3 p , where p is a prime. j + ax j + b & z j = w 4 ( mod p ) . j Suppose p is a prime with p ≡ 3 ( mod 4 ) . (Note: Either z 2 j = w j or z 2 • a is a quadratic residue mod p j = − w j .) (Why?) p and x = y ( p + 1 ) /4 ( mod p ) . Let y ∈ Z ∗ iff for some x : x 2 ≡ a ( mod p ) . If z 2 j = w j , then return ( x j , z j ) as the point on E encoding m . Then • QR ( p ) = the quadratic residues mod p If z 2 j = − w j , we continue a for-loop. either: y ∈ QR ( p ) with roots ± x • a ∈ ( Z ∗ 1 Probability of failure ≤ p − QR ( p )) is a nonresidue . If no j works, report failure . 2 K . (Why?) or: − y ∈ QR ( p ) with roots ± x. • If ( x , y ) on E encodes a message m , then m = ⌊ x / K ⌋ . Fact: � QR ( p ) � = p − 1 2 . The ElGamal Cryptosystem for ECs Diffie-Hellman on Elliptic Curves Classical Elliptic Curve Bob Chooses Bob Chooses E : y 2 ≡ x 3 + ax + b ( mod p ) with e points. Setup Public p , prime E ( mod p ) , p prime G , a point on E . Public α ∈ Z ∗ α ∈ E p ran a ∈ Z a ∈ Z ∈ Z ∗ Alice Chooses n a e − 1 . Private β = α a ( mod p ) β = a · α Sends n a · G to Bob. Public: p , α , β Private: a Public: E , | E | , α , β Private: a ran ∈ Z ∗ with message x with message m �→ P ∈ E Bob Chooses n b e − 1 . Private Alice Alice ran ran ∈ Z ∗ Sends n b · G to Alice. Chooses k ∈ Z p − 1 Chooses k | E |− 1 Computes: Computes: Computes K ab = n a · ( n b · G ) = n a · n b G . Alice y 1 ≡ α k ( mod p ) y 1 = k · α Computes K ab = n b · ( n a · G ) = n a · n b G . y 2 ≡ x · β k ( mod p ) Bob y 2 = P + k · β Bob Computes: Bob Computes: P = y 2 − a · y 1 x ≡ y 2 · y − a ( mod p ) Extracts m from P 1
ElGamal Signatures on ECs, I ElGamal Signatures on ECs, II Alice’s Setup Bob: Wants to verify ( m , R , s ) Chooses an EC E ( mod p ) , where p is a prime. public B = a · A Obtains p , E , n , A , and B Chooses A , a point on E . public Computes V 1 = x · B + s · R R = k · A = ( x , y ) Computes n , the number of points on E . public s = k − 1 ( m − ax ) ( mod n ) Computes V 2 = m · A Assume n > any message. Checks if V 1 = V 2 Chooses a ∈ N . private Computes B = a · A . public Why does this work? V 1 = x · B + s · R Alice: signs m = x · a · A + k − 1 · ( m − a · x ) · ( k · A ) ran = x · a · A + ( m − a · x ) · A ∈ Z ∗ Chooses k n . Computes R = k · A = ( x , y ) . = x · a · A + m · A − a · x · A Computes s ≡ k − 1 ( m − ax ) ( mod n ) . = m · A Sends ( m , R , s ) . = V 2 more. ..
Recommend
More recommend
