Elliptic Curve Cryptography

Similar documents
Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Implementation of Elliptic Curve Digital Signature Algorithm

Table of Contents. Bibliografische Informationen digitalisiert durch

ECE 842 Report Implementation of Elliptic Curve Cryptography

Elements of Applied Cryptography Public key encryption

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

CIS 5371 Cryptography. 8. Encryption --

Cryptography and Network Security Chapter 10

Elliptic Curve Cryptography

Cryptography and Network Security

Public Key Cryptography. Performance Comparison and Benchmarking

Overview of Public-Key Cryptography

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Computer Security: Principles and Practice

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Notes on Network Security Prof. Hemant K. Soni

Network Security. Chapter 2 Basics 2.2 Public Key Cryptography. Public Key Cryptography. Public Key Cryptography

Public Key Cryptography and RSA. Review: Number Theory Basics

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, Notes on Algebra

The Mathematics of the RSA Public-Key Cryptosystem

Public Key (asymmetric) Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC

Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890

Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

SECURITY IMPROVMENTS TO THE DIFFIE-HELLMAN SCHEMES

Blinding Self-Certified Key Issuing Protocols Using Elliptic Curves

Pertinent Side Channel Attacks on Elliptic Curve Cryptographic Systems

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Public Key Cryptography. c Eli Biham - March 30, Public Key Cryptography

A SOFTWARE COMPARISON OF RSA AND ECC

Mathematics of Internet Security. Keeping Eve The Eavesdropper Away From Your Credit Card Information

NEW DIGITAL SIGNATURE PROTOCOL BASED ON ELLIPTIC CURVES

ALGORITHM DESIGN OF SECURE DATA MESSAGE TRANSMISSION BASED ON OPENSSL AND VPN

Final Exam. IT 4823 Information Security Administration. Rescheduling Final Exams. Kerberos. Idea. Ticket

Public Key Cryptography: RSA and Lots of Number Theory

Lecture 6 - Cryptography

A Survey of the Elliptic Curve Integrated Encryption Scheme

Software Implementation of Gong-Harn Public-key Cryptosystem and Analysis

CSCE 465 Computer & Network Security

CS 758: Cryptography / Network Security

Analyzing the Point Multiplication Operation of Elliptic Curve Cryptosystem over Prime Field for Parallel Processing

RSA and Primality Testing

The application of prime numbers to RSA encryption

Cryptography and Network Security: Summary

Implementing Network Security Protocols

CS549: Cryptography and Network Security

Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks

Lukasz Pater CMMS Administrator and Developer

Review of methods for secret sharing in cloud computing

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

SFWR ENG 4C03 - Computer Networks & Computer Security

Signature Schemes. CSG 252 Fall Riccardo Pucella

Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

IMPLEMENTATION AND PERFORMANCE ANALYSIS OF ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM

CRYPTOG NETWORK SECURITY

Introduction. Digital Signature

Public Key Cryptography Overview

A New Efficient Digital Signature Scheme Algorithm based on Block cipher

A new probabilistic public key algorithm based on elliptic logarithms

An Introduction to Cryptography as Applied to the Smart Grid

Computer and Network Security

A Java implementation of the Elliptic Curve Integrated Encryption Scheme

2. Cryptography 2.4 Digital Signatures

Schnorr Signcryption. Combining public key encryption with Schnorr digital signature. Laura Savu, University of Bucharest, Romania

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

THE ADVANTAGES OF ELLIPTIC CURVE CRYPTOGRAPHY FOR WIRELESS SECURITY KRISTIN LAUTER, MICROSOFT CORPORATION

CRYPTOGRAPHY IN NETWORK SECURITY

Study of algorithms for factoring integers and computing discrete logarithms

On Factoring Integers and Evaluating Discrete Logarithms

LUC: A New Public Key System

Digital Signature. Raj Jain. Washington University in St. Louis

A Factoring and Discrete Logarithm based Cryptosystem

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

A New Generic Digital Signature Algorithm

Discrete logarithms within computer and network security Prof Bill Buchanan, Edinburgh Napier

SECURITY IN NETWORKS

Advanced Cryptography

CRYPTOGRAPHY AND NETWORK SECURITY

Computer Science A Cryptography and Data Security. Claude Crépeau

Module: Applied Cryptography. Professor Patrick McDaniel Fall CSE543 - Introduction to Computer and Network Security

A Question of Key Length

Number Theory. Proof. Suppose otherwise. Then there would be a finite number n of primes, which we may

EXAM questions for the course TTM Information Security June Part 1

Lecture 9: Application of Cryptography

Crittografia e sicurezza delle reti. Digital signatures- DSA

Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 Phone: 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

A NOVEL STRATEGY TO PROVIDE SECURE CHANNEL OVER WIRELESS TO WIRE COMMUNICATION

Smart card implementation of a digital signature scheme for Twisted Edwards curves

Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths

Cryptography and Network Security Chapter 9

EXAM questions for the course TTM Information Security May Part 1

Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (Revised)

An Introduction to the RSA Encryption Method

CS 348: Computer Networks. - Security; 30 th - 31 st Oct Instructor: Sridhar Iyer IIT Bombay

Communications security

Part VII. Digital signatures

Cryptography Lecture 8. Digital signatures, hash functions

Transcription:

Elliptic Curve Cryptography Introduction Computations on Elliptic Curves The Elliptic Curve Diffie-Hellman Protocol Security Aspects Implementation in Software and Hardware

Motivation Problem: Asymmetric schemes like RSA and Elgamal require exponentiations in integer rings and fields with parameters of more than 1000 bits. High computational effort on CPUs with 32-bit or 64-bit arithmetic Large parameter sizes critical for storage on small and embedded Motivation: Smaller field sizes providing equivalent security are desirable Solution: Elliptic Curve Cryptography uses a group of points (instead of integers) for cryptographic schemes with coefficient sizes of 160-256 bits, reducing significantly the computational effort.

Computations on Elliptic Curves Elliptic curves are polynomials that define points based on the (simplified) Weierstraß equation: y 2 = x 3 + ax + b for parameters a,b that specify the exact shape of the curve On the real numbers and with parameters a, b R, an elliptic curve looks like this à Elliptic curves can not just be defined over the real numbers R but over many other types of finite fields. Example: y 2 = x 3 3x+3 over R

Computations on Elliptic Curves (ctd.) In cryptography, we are interested in elliptic curves module a prime p: Definition: Elliptic Curves over prime fields The elliptic curve over Z p, p>3 is the set of all pairs (x,y) Z p which fulfill y 2 = x 3 + ax + b mod p together with an imaginary point of infinity θ, where a,b Z p and the condition 4a 3 +27b 2 0 mod p. Note that Z p = {0,1,, p -1} is a set of integers with modulo p arithmetic

Computations on Elliptic Curves (ctd.) Some special considerations are required to convert elliptic curves into a group of points In any group, a special element is required to allow for the identity operation, i.e., given P E: P + θ = P = θ + P This identity point (which is not on the curve) is additionally added to the group definition This (infinite) identity point is denoted by θ Elliptic Curve are symmetric along the x-axis Up to two solutions y and -y exist for each quadratic residue x of the elliptic curve For each point P =(x,y), the inverse or negative point is defined as -P =(x,-y) P -P θ point at infinity

Computations on Elliptic Curves (ctd.) Generating a group of points on elliptic curves based on point addition operation P+Q = R, i.e., (x P,y P )+(x Q,y Q ) = (x R,y R ) Geometric Interpretation of point addition operation Draw straight line through P and Q; if P=Q use tangent line instead Mirror third intersection point of drawn line with the elliptic curve along the x-axis Elliptic Curve Point Addition and Doubling Formulas Point Addition x 3 = s 2 x 1 x 2 mod p and y 3 = s(x 1 x 3 ) y 1 mod p Point Doubling where y2 y1 mod p x2 x1 s = 2 3x1 + a mod p 2y1 ; if P Q (point addition) ; if P = Q (point doubling) =P+P

Computations on Elliptic Curves (ctd.) Example: Given E: y 2 = x 3 +2x+2 mod 17 and point P=(5,1) Goal: Compute 2P = P+P = (5,1)+(5,1)= (x 3,y 3 ) 3 2y 2 x + a 1 s = = (2 1) 1 (3 5 2 + 2) = 2 1 9 9 9 13 mod 17 1 x 3 = s 2 x 1 x 2 = 13 2 5 5 = 159 6 mod 17 y 3 = s(x 1 x 3 ) y 1 = 13(5 6) 1= 14 3 mod 17 Finally 2P = (5,1) + (5,1) = (6,3)

Computations on Elliptic Curves (ctd.) The points on an elliptic curve and the point at infinity θ form cyclic subgroups 2P = (5,1)+(5,1) = (6,3) 11P = (13,10) 3P = 2P+P = (10,6) 12P = (0,11) 4P = (3,1) 13P = (16,4) 5P = (9,16) 14P = (9,1) 6P = (16,13) 15P = (3,16) 7P = (0,6) 16P = (10,11) 8P = (13,7) 17P = (6,14) 9P = (7,6) 18P = (5,16) 10P = (7,11) 19P = θ This elliptic curve has order #E = E = 19 since it contains 19 points in its cyclic group. θ P

Number of Points on an Elliptic Curve How many points can be on an arbitrary elliptic curve? Consider previous example: E: y 2 = x 3 +2x+2 mod 17 has 19 points However, determining the point count on elliptic curves in general is hard But Hasse s theorem bounds the number of points to a restricted interval Definition: Hasse s Theorem: Given an elliptic curve module p, the number of points on the curve is denoted by #E and is bounded by p+1-2 p #E p+1+2 p Interpretation: The number of points is close to the prime p Example: To generate a curve with about 2 160 points, a prime with a length of about 160 bits is required

Elliptic Curve Discrete Logarithm Problem Cryptosystems rely on the hardness of the Elliptic Curve Discrete Logarithm Problem (ECDLP) Definition: Elliptic Curve Discrete Logarithm Problem (ECDLP) Given a primitive element P and another element T on an elliptic curve E. The ECDL problem is finding the integer d, where 1 d #E such that P + P + + P = dp = T. d times Cryptosystems are based on the idea that d is large and kept secret and attackers cannot compute it easily If d is known, an efficient method to compute the point multiplication dp is required to create a reasonable cryptosystem Known Square-and-Multiply Method can be adapted to Elliptic Curves The method for efficient point multiplication on elliptic curves: Double-and-Add Algorithm

Double-and-Add Algorithm for Point Multiplication Double-and-Add Algorithm Input: Elliptic curve E, an elliptic curve point P and a scalar d with bits d i Output: T = d P Initialization: T = P Algorithm: FOR i = t 1 DOWNTO 0 T = T +T mod n IF d i = 1 T = T +P mod n RETURN (T) Example: 26P = (11010 2 )P = (d 4 d 3 d 2 d 1 d 0 ) 2 P. Step #0 P = 1 2 P inital setting #1a P+P = 2P = 10 2 P DOUBLE (bit d 3 ) #1b 2P+P = 3P = 10 2 P+1 2 P = 11 2 P ADD (bit d 3 =1) #2a 3P+3P = 6P = 2(11 2 P) = 110 2 P DOUBLE (bit d 2 ) #2b no ADD (d 2 = 0) #3a 6P+6P = 12P = 2(110 2 P) = 1100 2 P DOUBLE (bit d 1 ) #3b 12P+P = 13P = 1100 2 P+1 2 P = 1101 2 P ADD (bit d 1 =1) #4a 13P+13P = 26P = 2(1101 2 P) = 11010 2 P DOUBLE (bit d 0 ) #4b no ADD (d 0 = 0)

The Elliptic Curve Diffie-Hellman Key Exchange (ECDH) Given a prime p, a suitable elliptic curve E and a point P=(x P,y P ) The Elliptic Curve Diffie-Hellman Key Exchange is defined by the following protocol: Alice Choose k PrA = a {2, 3,, #E-1} Compute k PubA = A = ap = (x A,y A ) A B Bob Choose k PrB = b {2, 3,, #E-1} Compute k PubB = B = bp = (x B,y B ) Compute ab = T ab Compute ba = T ab Joint secret between Alice and Bob: T AB = (x AB, y AB ) Proof for correctness: Alice computes ab=a(bp)=abp Bob computes ba=b(ap)=abp since group is associative One of the coordinates of the point T AB (usually the x-coordinate) can be used as session key (often after applying a hash function)

The Elliptic Curve Diffie-Hellman Key Exchange (ECDH) (ctd.) The ECDH is often used to derive session keys for (symmetric) encryption One of the coordinates of the point T AB (usually the x-coordinate) is taken as session key Alice Bob Choose k PrA = a {2, 3,, #E-1} Compute k PubA = A = ap = (x A,y A ) A B Choose k PrB = b {2, 3,, #E-1} Compute k PubB = B = bp = (x B,y B ) ECDH Compute ab = T ab = (x T,y T ) Compute ba = T ab = (x T,y T ) Define key k AES = x T Given a message m: Encrypt c = AES kaes (m) Define key k AES = x T Received ciphertext c: Decrypt m = AES -1 kaes (c) In some cases, a hash function (see next chapters) is used to derive the session key c Symmetric encryption/decryption

Security Aspects Why are parameters signficantly smaller for elliptic curves (160-256 bit) than for RSA (1024-3076 bit)? Attacks on groups of elliptic curves are weaker than available factoring algorithms or integer DL attacks Best known attacks on elliptic curves (chosen according to cryptographic criterions) are the Baby-Step Giant-Step and Pollard-Rho method Complexity of these methods: on average, roughly ECDLP can be successfully solved p steps are required before the Implications to practical parameter sizes for elliptic curves: An elliptic curve using a prime p with 160 bit (and roughly 2 160 points) provides a security of 2 80 steps that required by an attacker (on average) An elliptic curve using a prime p with 256 bit (roughly 2 256 points) provides a security of 2 128 steps on average

Implementations in Hardware and Software Elliptic curve computations usually regarded as consisting of four layers: Basic modular arithmetic operations are computationally most expensive Group operation implements point doubling and point addition Point multiplication can be implemented using the Double-and-Add method Upper layer protocols like ECDH and ECDSA Most efforts should go in optimizations of the modular arithmetic operations, such as Protocol (ECDSA) Point Multiplication (k P) Group Operation P+Q, 2 P Modular Arithmetic ( +, -, x, ) Modular addition and subtraction Modular multiplication Modular inversion

Implementations in Hardware and Software Software implementations Optimized 256-bit ECC implementation on 3GHz 64-bit CPU requires about 2 ms per point multiplication Less powerful microprocessors (e.g, on SmartCards or cell phones) even take significantly longer (>10 ms) Hardware implementations High-performance implementations with 256-bit special primes can compute a point multiplication in a few hundred microseconds on reconfigurable hardware Dedicated chips for ECC can compute a point multiplication even in a few ten microseconds

Lessons Learned Elliptic Curve Cryptography (ECC) is based on the discrete logarithm problem. It requires, for instance, arithmetic modulo a prime. ECC can be used for key exchange, for digital signatures and for encryption. ECC provides the same level of security as RSA or discrete logarithm systems over Z p with considerably shorter operands (approximately 160 256 bit vs. 1024 3072 bit), which results in shorter ciphertexts and signatures. In many cases ECC has performance advantages over other public-key algorithms. ECC is slowly gaining popularity in applications, compared to other public-key schemes, i.e., many new applications, especially on embedded platforms, make use of elliptic curve cryptography.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information