Quick Review: Quadratic Residues Koblitzs Method We want to solve - - PowerPoint PPT Presentation


Elliptic Curve Cryptography

Jim Royer

CIS 428/628: Introduction to Cryptography

November 6, 2018

Elliptic Curves

Suppose F is a field and $a_1, \dots, a_6 \in F$.

Definition 1.

An elliptic curve E over a field F is a curve given by an equation:

    $Y^2 + a_1 XY + a_3 Y = X^3 + a_2 X^2 + a_4 X + a_6$    (1)

If char(F) ≠ 2, 3, then a change of variables can simplify (1) to:

    $Y^2 = X^3 + a_1 X + a_2$    (2)

https://www.certicom.com/content/certicom/en/ecc-tutorial.html


  • char(F) ≠ 2, 3 means 1 + 1 ≠ 0 and 1 + 1 + 1 ≠ 0.
  • We also require that $4a_1^3 + 27a_2^2 \neq 0$, or equivalently, that $x^3 + a_1 x + a_2$ has distinct roots. Double roots will break the algebra below.


Why Are Elliptic Curves Nifty?

  • They played a key role in Wiles’ solution to the Fermat’s Last Theorem problem and the solution of the Taniyama-Shimura conjecture.
  • There are abelian groups hiding in these curves that are very similar to the $\mathbb{Z}^*_{p^k}$’s.
  • There are a “lot more” elliptic curves than $\mathbb{Z}^*_{p^k}$’s.
  • You can build cryptosystems based on elliptic curves that require much smaller key lengths (e.g., 4096 bits vs. 313 bits) for similar security.

!!! However ... because of the small key size, they turn out to be more vulnerable to quantum attacks!

Elliptic Curve Addition Rules: Geometric, I

Addition Rules (Geometric)

  • The curves always include a point at ∞, where ∞ = −∞.
    ∴ The curves are really on a torus/doughnut.
  • The curves are symmetric around the x-axis.
  • P1 + P2 = P3:
    1. Draw a line through P1 and P2. (If P1 = P2, use the tangent line.)
    2. The line hits the curve at a unique third point Q.
    3. Let P3 be the point symmetric to Q on the other side of the x-axis.

❖ Note: P1 + ∞ = P1. (∴ ∞ acts like 0.)
❖ Fact: P + Q + R = ∞ iff P, Q, and R are co-linear.
❖ The addition rules don’t work for ECs with double roots.

Elliptic Curve Addition Rules: Geometric, II

Picture from: https://www.certicom.com/content/certicom/en/21-elliptic-curve-addition-a-geometric-approach.html

Elliptic Curve Addition Rules: Algebraic

Addition Rules (Algebraic)

Suppose $E : Y^2 = X^3 + aX + b$, $P_1 = (x_1, y_1)$, and $P_2 = (x_2, y_2)$. Then $P_1 + P_2 = P_3 = (x_3, y_3)$ where

    $x_3 = m^2 - x_1 - x_2$
    $y_3 = m \cdot (x_1 - x_3) - y_1$
    $m = (y_2 - y_1)/(x_2 - x_1)$ if $P_1 \neq P_2$, and $m = (3x_1^2 + a)/(2y_1)$ if $P_1 = P_2$.

(If m = ∞, then P3 = ∞.)

Facts: (P + Q) + R = P + (Q + R) and P + Q = Q + P.


Elliptic Curves mod n, I

Example

Consider: $E : y^2 = x^3 + 2x + 3 \pmod 5$

    $E = \{ (x, y) \in (\mathbb{Z}_5 \times \mathbb{Z}_5) \cup \{ (\infty, \infty) \} \mid y^2 \equiv x^3 + 2x + 3 \pmod 5 \}$
      $= \{ (1, 0), (2, 2), (2, 3), (3, 0), (4, 2), (4, 3), (\infty, \infty) \}$

Point Arithmetic: (1, 4) + (3, 1) = ?

Since (1, 4) ≠ (3, 1):

    $m = (y_2 - y_1)/(x_2 - x_1) \equiv (1 - 4)/(3 - 1) \equiv 2 \cdot 2^{-1} \equiv 1 \pmod 5$
    $x_3 \equiv m^2 - x_1 - x_2 \equiv 1^2 - 1 - 3 \equiv 2 \pmod 5$
    $y_3 \equiv m \cdot (x_1 - x_3) - y_1 \equiv 1 \cdot (1 - 2) - 4 \equiv 0 \pmod 5$

∴ (1, 4) + (3, 1) = (2, 0).

Elliptic Curves mod n, II

How many points are there on an elliptic curve mod m?

Theorem 2 (Hasse’s Theorem).

Suppose

  • $\mathbb{F}_q$ is a finite field with q elements.
  • E is an elliptic curve over $\mathbb{F}_q$ with N points.

Then $|N - q - 1| < 2\sqrt{q}$, that is: $(q + 1) - 2\sqrt{q} < N < (q + 1) + 2\sqrt{q}$, i.e., there are enough points to make trouble.

Schoof’s Algorithm

Given E over $\mathbb{F}_q$, one can find |E| in $O((\log_2 q)^8)$ time. (There are faster algorithms for special cases.)

Elliptic Curves mod N, III

The Classical Discrete Log Problem

Given: β, α, p ∋ $\beta \equiv \alpha^k \pmod p$. Find: k.

The Discrete Log Problem for Elliptic Curves mod m

Given: A & B, points on E ∋ $B = k \cdot A$. Find: k.

  • $k \cdot A =_{\text{def}} \underbrace{A + \cdots + A}_{k \text{ many}}$ in $\mathbb{F}_q$.
  • Analogy: × in $\mathbb{Z}_p^*$ :: + on ECs (mod p).

State of Play: The known algorithms for solving the EC discrete log problem are even worse than the ones for the classical problem. (Good news for cryptography.)

Factoring and Primality Testing with E.C.s

See text.

Representing Plaintext on Elliptic Curves

Finding Points on a Given Elliptic Curve

There is no known deterministic poly-time algorithm for this. However, there are reasonably fast probabilistic methods (which have a certain probability of failure).


Quick Review: Quadratic Residues

We want to solve equations like: $x^2 \equiv b \pmod n$. There may not be a solution. E.g., $x^2 \equiv 3 \pmod 5$.

Definition 3.

Suppose $a \in \mathbb{Z}_p^*$, where p is a prime.

  • a is a quadratic residue mod p iff for some x: $x^2 \equiv a \pmod p$.
  • QR(p) = the quadratic residues mod p.
  • $a \in (\mathbb{Z}_p^* - QR(p))$ is a nonresidue.

Fact: $|QR(p)| = (p - 1)/2$.

Theorem 4.

Suppose $a \in \mathbb{Z}_p^*$ where p is prime. Then a is a quadratic residue mod p iff $a^{(p-1)/2} \equiv 1 \pmod p$.

Proposition 5.

Suppose p is a prime with p ≡ 3 (mod 4). Let $y \in \mathbb{Z}_p^*$ and $x = y^{(p+1)/4} \pmod p$. Then either:

  • $y \in QR(p)$ with roots ±x, or
  • $-y \in QR(p)$ with roots ±x.

Koblitz’s Method

All of the following will be public.

  • Suppose p is a prime with p ≡ 3 (mod 4) (Why?) and that $E : y^2 = x^3 + ax + b$ is the elliptic curve in question.
  • Pick K so that $1/2^K$ (the failure bound) is tolerably small.
  • Messages will be from $\{ m \in \mathbb{Z}_p \mid m < (p - K)/K \}$. Let m be a message.
  • For j = 0, . . . , K − 1:
      Set $x_j = m \cdot K + j$, $w_j = x_j^3 + a x_j + b$, and $z_j = w_j^{(p+1)/4} \pmod p$.
      (Note: Either $z_j^2 = w_j$ or $z_j^2 = -w_j$.) (Why?)
      If $z_j^2 = w_j$, then return $(x_j, z_j)$ as the point on E encoding m.
      If $z_j^2 = -w_j$, continue the for-loop.
    If no j works, report failure. Probability of failure ≤ $1/2^K$. (Why?)
  • If (x, y) on E encodes a message m, then m = ⌊x/K⌋.
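The following is an added example, not code from the slides: it implements Koblitz's method exactly as the bullets above describe it, with Euler's criterion (Theorem 4) and the p ≡ 3 (mod 4) square-root trick (Proposition 5) factored out so the reader can check that the two agree. The curve parameters and messages used with it are constructed for the demonstration, not taken from any standard; the function names are this example's own.

```python
# Added example (not from Royer's slides): Koblitz's method for embedding a message m
# as a point on E : y^2 = x^3 + ax + b over Z_p with p ≡ 3 (mod 4), using Euler's
# criterion (Theorem 4) and the square-root trick of Proposition 5.
# Curve parameters used in the tests are constructed, not from any standard.
from typing import Optional, Tuple


def euler_criterion(a: int, p: int) -> bool:
    """Theorem 4: a in Z_p^* is a quadratic residue iff a^((p-1)/2) ≡ 1 (mod p)."""
    return pow(a % p, (p - 1) // 2, p) == 1


def sqrt_p3mod4(y: int, p: int) -> int:
    """Proposition 5: for p ≡ 3 (mod 4), x = y^((p+1)/4) satisfies x^2 ≡ y or x^2 ≡ -y."""
    assert p % 4 == 3
    return pow(y % p, (p + 1) // 4, p)


def koblitz_encode(m: int, p: int, a: int, b: int, K: int) -> Optional[Tuple[int, int]]:
    """Try x_j = mK + j for j = 0..K-1; return (x_j, z_j) on E, or None if every w_j fails."""
    assert p % 4 == 3, "square roots via Proposition 5 need p ≡ 3 (mod 4)"
    assert 0 <= m < (p - K) // K, "message must leave room for K candidate x-values below p"
    for j in range(K):
        xj = m * K + j
        wj = (xj ** 3 + a * xj + b) % p
        zj = sqrt_p3mod4(wj, p)
        if zj * zj % p == wj:           # w_j is a residue (or 0): (x_j, z_j) lies on E
            return (xj, zj)
        # else z_j^2 ≡ -w_j: w_j is a nonresidue, so no point of E has this x; try next j
    return None                         # all K candidates failed (probability about 2^-K)


def koblitz_decode(point: Tuple[int, int], K: int) -> int:
    """m = floor(x / K): the low-order 'j' part of x is discarded."""
    return point[0] // K


def on_curve(point: Tuple[int, int], p: int, a: int, b: int) -> bool:
    """Check y^2 ≡ x^3 + ax + b (mod p) for a candidate point."""
    x, y = point
    return (y * y - (x ** 3 + a * x + b)) % p == 0
```

With p = 7, a = 2, b = 3 and K = 2 the message m = 1 encodes as (2, 1) on the first try, while m = 0 fails for both j = 0 and j = 1 (both w_j are nonresidues mod 7), which is the failure case the slide's bound 1/2^K is about. With p = 10007 and K = 10 the failure probability per message is roughly 2^-10.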

The ElGamal Cryptosystem for ECs

                        Classical                                   Elliptic Curve
Bob chooses:            p, prime                                    E (mod p), p prime
                        $\alpha \in \mathbb{Z}_p^*$                 $\alpha \in E$
                        $a \in \mathbb{Z}$                          $a \in \mathbb{Z}$
                        $\beta = \alpha^a \pmod p$                  $\beta = a \cdot \alpha$
                        Public: p, α, β.  Private: a.               Public: E, |E|, α, β.  Private: a.
Alice with message:     x                                           m → P ∈ E
Alice chooses:          $k \in_{\text{ran}} \mathbb{Z}_{p-1}$       $k \in_{\text{ran}} \mathbb{Z}^*_{|E|-1}$
Alice computes:         $y_1 \equiv \alpha^k \pmod p$               $y_1 = k \cdot \alpha$
                        $y_2 \equiv x \cdot \beta^k \pmod p$        $y_2 = P + k \cdot \beta$
Bob computes:           $x \equiv y_2 \cdot y_1^{-a} \pmod p$       $P = y_2 - a \cdot y_1$, then extracts m from P

Diffie-Hellman on Elliptic Curves

Setup: $E : y^2 \equiv x^3 + ax + b \pmod p$ with e points. Public: G, a point on E.

Alice:  Chooses $n_a \in_{\text{ran}} \mathbb{Z}^*_{e-1}$ (private). Sends $n_a \cdot G$ to Bob.
Bob:    Chooses $n_b \in_{\text{ran}} \mathbb{Z}^*_{e-1}$ (private). Sends $n_b \cdot G$ to Alice.
Alice:  Computes $K_{ab} = n_a \cdot (n_b \cdot G) = n_a n_b \cdot G$.
Bob:    Computes $K_{ab} = n_b \cdot (n_a \cdot G) = n_a n_b \cdot G$.


ElGamal Signatures on ECs, I

Alice’s Setup

  • Chooses an EC E (mod p), where p is a prime.    (public)
  • Chooses A, a point on E.                        (public)
  • Computes n, the number of points on E.          (public) Assume n > any message.
  • Chooses a ∈ N.                                  (private)
  • Computes B = a · A.                             (public)

Alice: signs m

  • Chooses $k \in_{\text{ran}} \mathbb{Z}_n^*$.
  • Computes R = k · A = (x, y).
  • Computes $s \equiv k^{-1}(m - ax) \pmod n$.
  • Sends (m, R, s).

ElGamal Signatures on ECs, II

Bob: Wants to verify (m, R, s)

  • Obtains p, E, n, A, and B.                   (Recall B = a · A.)
  • Computes $V_1 = x \cdot B + s \cdot R$.        (Recall R = k · A = (x, y).)
  • Computes $V_2 = m \cdot A$.                    (Recall $s = k^{-1}(m - ax) \pmod n$.)
  • Checks if $V_1 = V_2$.

Why does this work?

    $V_1 = x \cdot B + s \cdot R$
        $= x \cdot a \cdot A + k^{-1} \cdot (m - a \cdot x) \cdot (k \cdot A)$
        $= x \cdot a \cdot A + (m - a \cdot x) \cdot A$
        $= x \cdot a \cdot A + m \cdot A - a \cdot x \cdot A$
        $= m \cdot A = V_2$
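The following is an added example, not code from the slides, and it serves several passages at once: the algebraic addition rules, the mod-5 point arithmetic on slide 3, Hasse's bound, Diffie-Hellman on curves, and the ElGamal signature and its verification identity above. The `Curve` class, the ECDH and signing helpers, and every curve, key and message value are this example's own constructions. One caveat worth checking in code: the slide's example curve $y^2 = x^3 + 2x + 3 \pmod 5$ has $4 \cdot 2^3 + 27 \cdot 3^2 = 275 \equiv 0 \pmod 5$, so it fails slide 1's distinct-roots condition; the addition formulas still reproduce the slide's $(1,4) + (3,1) = (2,0)$, but the signature demo uses the nonsingular constructed curve $y^2 = x^3 + x + 1$ over $\mathbb{Z}_{23}$, which brute-force counting shows has 28 points (within Hasse's bound).

```python
# Added example (not from Royer's slides): elliptic-curve arithmetic mod a prime p,
# brute-force point counting (to check the mod-5 example and Hasse's bound),
# ECDH key agreement, and the ElGamal signature from slide 5.
# All curves, keys and messages below are constructed for illustration.
from math import gcd
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]   # None plays the role of the point at infinity


class Curve:
    """E : y^2 = x^3 + a x + b over Z_p, with the slides' algebraic addition rules."""

    def __init__(self, p: int, a: int, b: int):
        self.p, self.a, self.b = p, a % p, b % p

    def nonsingular(self) -> bool:
        # Slide 1's condition 4a^3 + 27b^2 != 0: the cubic has no double root.
        return (4 * self.a ** 3 + 27 * self.b ** 2) % self.p != 0

    def contains(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P: Point) -> Point:
        """-(x, y) = (x, -y): the mirror image across the x-axis."""
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        """Chord-and-tangent rule: x3 = m^2 - x1 - x2, y3 = m (x1 - x3) - y1."""
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                          # vertical line: m = infinity, so P3 = infinity
        if P == Q:
            m = (3 * x1 * x1 + self.a) * pow((2 * y1) % p, -1, p) % p   # tangent slope
        else:
            m = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p               # chord slope
        x3 = (m * m - x1 - x2) % p
        y3 = (m * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k * P = P + ... + P (k copies), by double-and-add; k < 0 uses -P."""
        if k < 0:
            k, P = -k, self.neg(P)
        R, Q = None, P
        while k:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

    def points(self) -> List[Point]:
        """Brute force over Z_p x Z_p (fine for toy p; Schoof's algorithm is the real tool)."""
        return [(x, y) for x in range(self.p) for y in range(self.p)
                if self.contains((x, y))] + [None]


def hasse_ok(n_points: int, q: int) -> bool:
    """Hasse: |N - (q + 1)| <= 2 sqrt(q), checked without floating point."""
    return (n_points - (q + 1)) ** 2 <= 4 * q


def ecdh_shared(E: Curve, G: Point, na: int, nb: int) -> Point:
    """Alice sends na*G, Bob sends nb*G; both sides land on na*nb*G."""
    K_alice = E.mul(na, E.mul(nb, G))
    K_bob = E.mul(nb, E.mul(na, G))
    assert K_alice == K_bob
    return K_alice


def sign(E: Curve, A: Point, n: int, a: int, m: int, k: int) -> Tuple[Point, int]:
    """Alice: R = k*A = (x, y), s = k^-1 (m - a x) mod n; needs gcd(k, n) = 1 so k^-1 exists."""
    assert gcd(k, n) == 1 and 0 <= m < n
    R = E.mul(k, A)
    assert R is not None, "k is a multiple of A's order; pick another k"
    x = R[0]
    s = pow(k, -1, n) * (m - a * x) % n
    return R, s


def verify(E: Curve, A: Point, B: Point, n: int, m: int, R: Point, s: int) -> bool:
    """Bob: accept iff V1 = x*B + s*R equals V2 = m*A, after checking R really lies on E."""
    if R is None or not E.contains(R) or not 0 <= s < n:
        return False
    x = R[0]
    V1 = E.add(E.mul(x, B), E.mul(s, R))
    V2 = E.mul(m, A)
    return V1 == V2
```

`verify` rejects before doing any arithmetic when R is not a point of E or s is out of range; the identity $V_1 = V_2$ only says anything about honest signatures, so those input checks are where a practical verifier earns its keep. The point count n from `points()` is what the slides call |E| and what `sign` reduces s modulo.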