The ECDSA and ECQV Certificates. Scott A. Vanstone Professor of Mathematics, University of Waterloo

Transcription

1 The ECDSA and ECQV Certificates Scott A. Vanstone Professor of Mathematics, University of Waterloo 1

2 Agenda Introduction Digital Signatures Types of Signature Schemes ECDSA ECQV Composition of ECDSA and ECQV Conclusion 2

3 Certicom Background Founded the same year as ECC was invented: 1985 Incorporated in United States and Canada Employees Offices in Toronto, Ottawa, San Francisco, Washington DC, San Diego, New York, London, Stockholm, Shanghai 3

4 4 Certicom Technology Worldwide Adoption by >300 Customers

5 Certicom s Beginning Founded on sophisticated mathematics. Originally Certicom sold technology based on Diffie-Hellman key exchange in the multiplicative group of a finite field. In 1993 we moved to ECC as a differentiator over RSA and ordinary Diffie-Hellman. 5

6 Areas Where ECC is Gaining Traction Consumer electronics TVs DVD players BluRay discs Set top cable boxes ZigBee and AMI FAA Gaming EMV 6

7 Infrastucture Adoption Intel s new platforms support a number of ECC protocols. Support for both prime and binary curves Sun s new Niagara 2 chips also supports ECC for both binary and prime curves. 7

8 Research in Motion (RIM) Spin off from the University of Waterloo in One of the great Canadian success stories in our countries history. They now have somewhere between 10 and 12 thousand employees worldwide. They are passionate about security. 8

9 Recent Devlopments RIM attempted a hostile take-over of Certicom in December of This initiated a number of companies approaching Certicom about acquisition. Versign put in an offer to buy the company in January RIM increased the bid from their first offer and will now acquire Certicom. 9

10 RIM s Reasons for the Aquisition The IP portfolio The people Geographic proximity Cultural fit 10

11 Digital Signatures This is one of the major contributions of public-key cryptography to security Digital signatures provide nonrepudiation Non-repudiation is a security service that prevents an entity from denying previous commitments or actions Digital signatures provide authentication. 11

12 Digital Signatures RSA (1978) Based on integer factorization Digital Signature Standard (DSS) (1994) Based on the discrete logarithm problem in the multiplicative group of a finite field Elliptic Curve Digital Signature Algorithm (ECDSA) Based on the ECDLP (Elliptic Curve Discrete Logarithm Problem) 12

13 Types of Signature Schemes 1) Digital signatures with appendix In this case the message M, which is digitally signed is required as input to the verification algorithm. 2) Digital signatures with message recovery In this case, the message is not required for the verification algorithm. 3) Hybrid digital signatures In this case, part of the message is required for the verification algorithm. 13

14 Types of Signature Schemes 1) Deterministic: The signature mechanism does not require a random number generator. 2) Randomized: The signature mechanism requires a random number generator. Class 2 is typically referred to as Elgamal signatures. They were discovered by Tahir Elgamal in

15 Elgamal Signatures Elgamal signatures can be used to produce Signatures with appendix Signatures with message recovery Hybrid signatures In all cases Elgamal signatures require randomization. 15

16 Elliptic Curve Cryptosystems (ECC) In order to have an efficient implementation of ECC we need: 1) An efficient implementation of the finite field F q. 2) An efficient implementation of point addition and doubling on the curve. 3) An efficient implementation of scalar multiplication (i.e. kg where k is a positive integer and G is a point on the curve.) 4) An efficient implementation of the security protocol. 16

17 Elgamal Signatures The ECDSA is an example of an Elgamal Signature scheme. There are over 13,000 different Elgamal signature schemes. The random number generator is extremely important to the security of the system. 17

18 ECDSA It is the most widely standardized elliptic curve-based signature scheme. It appears in the following standards: ANSI X9.62 FIPS IEEE ISO/IEC SECG Signature scheme specified for US Government s Suite B cryptographic protocols. 18

19 ECDSA-key length comparison Cryptographic Strength Symmetric Algorithm Hash Algorithm Elliptic Curve Asymmetric Algorithms RSA/DSA/DH Asymmetric Algorithms Key Size Ratio 56 bits DES 80 bits 3DES (2 key) SHA bits 1024 bits 112 bits 3DES (3 key) SHA bits 2048 bits 128 bits * AES-128 SHA bits 3072 bits 1: bits AES-192 SHA bits 7680 bits 1: bits * AES-256 SHA bits bits 1:30 19

20 ECDSA-Suite B Purpose Algorithm Unclassified Classified Encryption AES 128 bit key 256 bit key Signatures ECDSA 256 bit curve 384 bit curve Key Exchange ECDH or ECMQV 256 bit curve 384 bit curve Hashing SHA SHA-256 SHA

21 Cryptographic Interoperability Strategy (CIS) The NSA recently introduced a new strategy. RSA and ordinary Diffie-Hellman at 2048 bits will be part of the CIS along with Suite B. Anyone who implements RSA or ordinary Diffie-Hellman will have the designation as CIS Compatible. 21

22 CIS Compliant Only those systems which implement Suite B will get the designation CIS Compliant. The designation CIS Compatible will only be supported until

23 My Thoughts on CIS A way to allow legacy equipment to obtain Government approval in the short term. The choice of words Compliant versus Compatible seems strongly to suggest that moving to Suite B is the better choice. Requiring RSA and ordinary Diffie- Hellman at 2048 bits will be onerous for many applications. 23

24 Government Migration to ECC Clearly the US Government would like companies to move to Suite B and in particular to ECC. They have set a hard stop on RSA for 2015 in terms of support. Between now and 2015 it seems likely that any new security implementations will go with Suite B. 24

25 ECDSA Domain Parameters E(F q ) is an elliptic curve over a finite field with q elements Most standards require q to be a prime number or q=2 m, m a prime number. G is an element of order n, where n is a large prime divisor of the order of the curve E(F q ) 25

26 ECDSA Generating Keys Alice needs a private key d ε[1, n-1] and a public key Q A =dg. There are three ways to do this 1) Alice generates her own d and Q A =dg 2) A trusted third party generates Alice s private and public keys 3) Alice generates her private and public keys interactively with a CA. 26

27 ECDSA Key Generation Generating ECDSA keys is very fast and efficient as compared to RSA key generation. If one needs to generate 10s or 100s of millions of key pairs then the ECDSA is the only practical and viable solution. We are hearing this from a number of different sources. This is one reason cited by EMV for moving to ECC. 27

28 ECDSA Suppose Alice wants to sign a message M. Alice has a private key d and a public key Q A =dg To sign M, Alice does the following 1) Generate a random integer k ε [1, n-1]. 2) Compute R=kG=(x,y). 3) Compute r x(mod n) 4) Compute s k -1 (h(m) + dr) (mod n). 5) The signature on M is the pair (r,s) Note: Alice needs to send (r,s) and M in order for Bob to verify the signature 28

29 ECDSA Verification Compute s -1. Compute R = s -1 H(M)G + s -1 rq A. If X(R ) = r accept the signature as valid; otherwise reject. 29

30 ECDSA Fast Verification We have found a technique which allows us to speed up ECDSA verification by up to 50%. It has long been believed that verifying Elgamal signatures is considerably slower than signature creation. With the ECDSA we can now verify almost as quickly as to sign. 30

31 ECDSA Fast Verification (cont d) E : Elliptic curve defined over a prime field F p. #E(F p ) = n, where n > p is prime. Recall: R = kp, r = x(r) mod n. Since n > p, we have r = X(R). Suppose that a single bit is appended to the signature so that Y(R) can be efficiently determined. Then verification is equivalent to: R?= u 1 G + u 2 Q; where u 1 = es -1 mod n and u 2 = rs -1 mod n. 31

32 ECDSA Fast Verification (cont d) u 1 G + u 2 Q can be computed by first finding the joint sparse form (JSF) for (u 1, u 2 ), and then use `Shamir's trick G Q If t is the bit length of n, then the expected work factor is t point doublings, and t/2 point additions. 32

33 ECDSA Fast Verification (cont d) Using the extended Euclidean algorithm, we can write u 2 = v 1 /v 2, where v 1, v 2 n. The verification equation R = u 1 G + u 2 Q is equivalent to: v 1 Q - v 2 R + u 1 v 2 G=. This can be written as v 1 Q - v 2 R + v 3 G+ v 4 G =, (*) where G = 2 t/2 G is precomputed and v 3, v 4 n. The left side of (*) can be computed by determining the JSFs for (v 1, v 2 ) and (v 3, v 4 ) and then use Shamir's trick. 33

34 ECDSA Fast Verification (cont d) The expected work factor is t/2 doublings and t/2 additions. We have saved half of the doublings previously needed. Only one point needs to be precomputed. 34

35 35 Digital Postal Marks (DPM)

36 Optimal Mail Certificates (OMC) Optimal Mail Certificates were introduced as a technology to save bandwidth and computational time in the postal environment. The mailing environment required a certificate, a public key and a digital signature. OMCs allowed us to save the space required by the certificate. 36

37 OMCs (cont d) The purpose of OMCs is to integrate the verification of an ECDSA signature with authentication of the signers public key. Do two steps in one. We are essentially composing two protocols to get Bandwidth efficiency Computational efficiency 37

38 OMC s (continued) We can replace the signature of the certification authority and the public key of the signer by a single bit string which allows a verifier to authenticate and reconstruct the public key of the signer. This bit string is essentially the same length as the public key. 38

39 How to Obtain an OMC Suppose Alice wants an OMC from a certificate provider (denoted CA) who has a private key c and a public key Q C = cg where G is the generating point on the elliptic curve. Alice generates a random integer r є (1, n-1). Alice computes R = rg. Alice sends R to the CA. 39

40 How to Obtain an OMC (continued) The CA generates a random integer k є (o,n-1) and computes P = R + kg. Next the CA computes an implicit signature s = k + H(P I A )c mod n. (This is commonly referred to as the signing equation.) H( ) is an appropriate hash function such as SHA-3. 40

41 How to Obtain an OMC (continued) The CA sends (P, I A, s) to Alice. Alice computes her private key as: a = r + s mod n. 41

42 Public Key Construction from OMC Alice s public key should be: ag = (r + s)g Bob can compute Alice s public key as: Q A = H(P I A )Q C + P where H, Q C, P and I A are all public knowledge. 42

43 Public Key Construction from OMC (continued) Now Q A = H(P I A )Q C + P = H(P I A )cg + (R + kg) = rg + (k + H(P, I A )c)g = (r + s)g = ag as required. 43

44 Security of ECDSA and OMCs After many years of study we are confident that the ECDSA is secure and that OMCs are secure. When we combine the two into a single computation the result is a completely insecure digital signature. 44

45 An Attack Let the private key of the Certificate Authority (CA) be the integer c and the public key be Q C as before. Let I A be the identity of Alice. Eve wants to forge Alice s signature on a message M without knowing Alice s private key. Eve does the following: 45

46 Forgeries Select a random integer f and compute r = X(fQ C ) where X(Q C ) is the X-coordinate of fq C. The implicit certificate P is chosen to be P = -H(M)r -1 G. Compute s = rf -1 H(P I A ) (mod n). Alice s forged signature on message M is (r,s) and Alice s forged implicit certificate is P. 46

47 The Forged Signature Verifies Bob proceeds to verify the forged signature. Bob knows (r,s), M, I A and the OMC certificate P associated with Alice. Bob also knows the public key of the CA. Bob does the following: 47

48 Verification (cont d) Compute s -1. Compute U = s -1 (H(M)G + rq A ) = s -1 H(M)G + s -1 r(h(p I A )Q C + P) = s -1 H(M)G + s -1 rh(p I A )Q C H(M)G s -1 rr -1. = s -1 rh(p I A )Q C = (rf -1 H(P I A )) -1 rh(p I A )Q C = fq C 48

49 Verification (cont d) Since r = X(fQ C ) the signature verifies as one signed by Alice. Eve, without knowledge of Alice s private key, has created a signature for a message M, which Bob can verify as legitimate. 49

50 Attack Prevention One could add a check to see if X(fQ C )P = -H(M)G If this is true then with high probability a forgery has occurred. Unfortunately, this check does not fix the problem. 50

51 Generalizing the Attack The next few slides show that we can generalize the previous attack and show that the generalization is not detectable. The previous attack, although interesting, could be detected with a simple scalar multiplication. 51

52 Generalizing the Attack The forger selects integers d and f є (0,n). The forger computes r = X(fQ C ) P = dq C H(M)G/(r) (The implicit certificate) s = (d + (H(P I A )r)/(f) 52

53 Note The first attack is a very special case of the generalization. If one takes d = 0 you get the first attack. 53

54 Let s Check That This is a Forgery Recall that ECDSA verification is done as follows: Bob computes s -1. Bob computes R = s -1 (H(M)G + rq A ) (mod n) With OMC we have R = s -1 (H(M)G + r(p + H(P I A) Q C )) = s -1 (H(M)G + r(dc- (H(M)G)/r + H(P I A ) Q C ) 54

55 Generalized Attack (continued) R = s -1 (rd Q C + r H(P I A ) Q C ) = (f(rd Q C + r H(P I A ) Q C ))/(dr+ H(P I A )r) = fq C X(R ) = X(fQ C) )= r. Accept Note: For arbitrary choices of d and f, these forgeries are undetectable. 55

56 ECQV CA Key Q C = cg Request R = rg Implicit Certificate P = R + kg Implicit Signature s = c + H(P I A )k Private Key a = s + H(P I A )r Public Key Q A = Q C + H(P I A )P 56

57 Note The only difference between OMCs and ECQV certificates is the implicit signature equation. For OMCs the signing equation is s = k + H(P I A )c For ECQV the signing equation is s = c + H(P I A )k 57

58 ECQV and ECDSA ECQV when composed with the ECDSA does not have the problems that we have shown the OMC has. 58

59 Conclusion ECQV certificates are ideally suited for very constrained environments. They have been standardized and are being used as part of the ZigBee security solution. Certicom offers ECQV certificate. 59