Spring 2010© 2000-2010, Richard A. Stanley
ECE578/7 #1
ECE578: Cryptography
7: Elliptic Curve Cryptographic Systems
Professor Richard A. Stanley, P.E.
Last time…
• Elliptic curves may be useful for obtaining keys to use in asymmetric cryptography
• ECC numbers are an order of magnitude smaller than RSA numbers for equivalent levels of security…we think!
• Elliptic curves must meet certain requirements to be useful
ECC Drawbacks
• Not as well studied as RSA and DL-based public-key schemes
• Conceptually more difficult.
• Finding secure curves in the set-up phase is computationally expensive
Elliptic Curve Definition
Objective
• Goal: Finding a (cyclic) group (G, ∘) so that we can use the DL problem as a one-way function.
• We have a set (points on the curve). We “only” need a group operation on the points.
Abelian Groups
• An abelian group, also called a commutative group, is a group (G, * ) with the additional property that the group operation * is commutative, so that for all a and b in G, a * b = b * a
• Every cyclic group G is abelian
Elliptic Curves
• An elliptic curve is a plane curve defined by an equation of the form y^2 = x^3 + ax + b
• The set of points on such a curve (i.e., all solutions of the equation together with a point at infinity) can be shown to form an abelian group
• If the x and y are chosen from a large finite field, the solutions form a finite abelian group
Why Bother?
• For asymmetric cryptosystems, multiplication on elliptic curves can be used instead of exponentiation in finite fields
• Key sizes seem to increase only linearly for increased security, not exponentially
• Might this be useful in dealing with issues of computational complexity?
Elliptic Curve Cryptography
Symmetric key size (bits)   RSA and Diffie-Hellman key size (bits)   Elliptic curve key size (bits)
80                          1024                                     160
112                         2048                                     224
128                         3072                                     256
192                         7680                                     384
256                         15360                                    512
Elliptic Curve Cryptography
Security level (bits)   Computation ratio, DH cost : EC cost
80                      3:1
112                     6:1
128                     10:1
192                     32:1
256                     64:1
Diffie-Hellman Key Exchange-1
• Alice and Bob agree on a large prime n and a generator g that is primitive mod n. These need not be kept secret
• Alice chooses a large random integer x and sends to Bob: X = g^x mod n
• Bob chooses a large random integer y and sends to Alice: Y = g^y mod n
• NB: x and y are never transmitted
Diffie-Hellman Key Exchange-2
• Alice computes k = Y^x mod n
• Bob computes k' = X^y mod n
• But k = k' = g^xy mod n
• Therefore, Bob and Alice now have a secret key, k, that they can share for communications
• Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k
Diffie-Hellman Security
• D-H security depends on the difficulty of factoring large numbers (size of n)
• It is computationally infeasible to recover x and y from the data known to an eavesdropper by any means other than exhaustive key search
• Caveats
– n must be large
– (n-1)/2 should also be prime
– g can be small -- even one digit
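The exchange on the two Diffie-Hellman slides above, together with the parameter checks from the caveats (n a safe prime, g primitive mod n), as an added Python example. This is my code, not the lecture's; n = 23 and g = 5 are constructed toy values, and is_prime is plain trial division, which is only adequate at this size.

```python
# Added example (not from the slides): textbook Diffie-Hellman with the
# parameter checks from the "Caveats" slide. Toy parameters only.
import secrets


def is_prime(n):
    """Trial division; sufficient for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def is_safe_prime(n):
    """The slide's caveat: n prime and (n-1)/2 prime as well."""
    return is_prime(n) and n % 2 == 1 and is_prime((n - 1) // 2)


def is_primitive_root(g, n):
    """g generates Z_n^* iff g^((n-1)/q) != 1 for every prime q dividing n-1.
    For a safe prime n = 2q + 1 the only such q are 2 and (n-1)/2."""
    q = (n - 1) // 2
    return 1 < g < n - 1 and pow(g, 2, n) != 1 and pow(g, q, n) != 1


def keypair(g, n):
    """Private exponent x in [2, n-2] and the public value X = g^x mod n."""
    x = 2 + secrets.randbelow(n - 3)
    return x, pow(g, x, n)


def shared_secret(their_public, my_private, n):
    """Y^x mod n on Alice's side, X^y mod n on Bob's; both equal g^xy mod n."""
    return pow(their_public, my_private, n)


def dh_exchange(g, n):
    """Run one exchange; only X and Y would cross the wire, never x or y."""
    if not (is_safe_prime(n) and is_primitive_root(g, n)):
        raise ValueError("parameters fail the safe-prime / primitive-root checks")
    x, X = keypair(g, n)   # Alice
    y, Y = keypair(g, n)   # Bob
    k = shared_secret(Y, x, n)        # Alice: Y^x mod n
    k_prime = shared_secret(X, y, n)  # Bob:   X^y mod n
    return X, Y, k, k_prime


if __name__ == "__main__":
    X, Y, k, k_prime = dh_exchange(5, 23)   # constructed toy parameters
    print(f"public values X={X}, Y={Y}; shared key k={k}, k'={k_prime}")
```

Note that g = 2 is rejected for n = 23: 2 is a quadratic residue mod 23, so it generates only the subgroup of order 11, which is exactly the kind of mistake the primitive-root check catches.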
Diffie-Hellman Key Exchange (ECC)
• The cryptosystem is completely analogous to D-H in Z_p^*
• Setup
– Choose E: y^2 = x^3 + ax + b mod p
– Choose primitive element α = (x_α, y_α)
Protocol
Security
Attacks
• Only possible attacks against elliptic curves are the Pohlig-Hellman scheme together with Shanks' algorithm or Pollard's rho method
– #E must have one large prime factor p_l
– 2^160 ≤ p_l ≤ 2^250
• So-called "Koblitz curves" (curves with a, b ∈ {0, 1})
• For supersingular elliptic curves over GF(2^n), DL in elliptic curves can be solved by solving DL in GF(2^kn), k ≤ 6
– stay away from supersingular curves despite possible faster implementations
• Powerful index-calculus method attacks are not yet applicable
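An added Python example (not from the lecture) covering both the ECC Diffie-Hellman setup slide and the #E condition on the Attacks slide: the group law on E: y^2 = x^3 + ax + b mod p, double-and-add scalar multiplication (the curve analogue of g^x), the exchange itself, and a brute-force point count with its largest prime factor. The curve y^2 = x^3 + 2x + 2 mod 17 with α = (5, 1) is a constructed toy instance that can be checked by hand; the class and function names are my own.

```python
# Added example (not from the slides): elliptic-curve arithmetic over F_p and
# ECC Diffie-Hellman on a toy curve. Constructed parameters: p = 17, a = 2,
# b = 2, alpha = (5, 1). Real deployments use standardized ~256-bit curves.
from dataclasses import dataclass


@dataclass(frozen=True)
class Curve:
    p: int
    a: int
    b: int

    def contains(self, P):
        """True if P is on the curve; None is the point at infinity (identity)."""
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def add(self, P, Q):
        """Group law: chord-and-tangent addition, None = point at infinity."""
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                      # P + (-P) = O
        if P == Q:                           # tangent slope for doubling
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:                                # chord slope for distinct points
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k, P):
        """Scalar multiplication k*P by double-and-add."""
        R = None
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R

    def order(self):
        """#E by brute-force enumeration; only feasible for a toy p."""
        count = 1                            # the point at infinity
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            count += sum(1 for y in range(self.p) if (y * y) % self.p == rhs)
        return count


def largest_prime_factor(n):
    """For the slide's condition that #E has one large prime factor p_l."""
    f, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            f, n = d, n // d
        d += 1
    return max(f, n) if n > 1 else f


def ecdh(curve, alpha, a, b):
    """Alice holds a, Bob holds b; only a*alpha and b*alpha cross the wire."""
    A = curve.mul(a, alpha)                  # Alice -> Bob
    B = curve.mul(b, alpha)                  # Bob -> Alice
    return curve.mul(a, B), curve.mul(b, A)  # both equal (a*b)*alpha


TOY = Curve(p=17, a=2, b=2)                  # constructed toy curve
ALPHA = (5, 1)                               # generator of the 19-point group

if __name__ == "__main__":
    n = TOY.order()
    print(f"#E = {n}, largest prime factor {largest_prime_factor(n)}")
    print("shared secrets:", ecdh(TOY, ALPHA, 3, 7))
```

On this curve #E = 19 is itself prime, so the Pohlig-Hellman condition holds trivially; on a real curve the point count comes from a point-counting algorithm, not enumeration, and the standardized curves publish the (prime) group order for exactly this check.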
Menezes-Vanstone Encryption
• Set-up:
Encryption
Decryption
Disadvantage
• Message expansion factor:
• Which means?
Implementation
• Hardware:
– Approximately 0.2 msec for an elliptic curve point multiplication with 167 bits on an FPGA
• Software:
– One elliptic curve point multiplication aP in less than 10 msec over GF(2^155)
– Implementation on 8-bit smart card processor without coprocessor available
ElGamal Encryption Scheme
• Published in 1985
• Based on the DL problem in Z_p^* or GF(2^k)
• Extension of the D-H key exchange for encryption
El Gamal Protocol
Setup
Encryption
Decryption
How Does It Work?
Remarks
Computational Aspects
• Encryption
• Decryption
Efficiency Issues
Efficiency (con’t.)
Security of ElGamal
Security of El Gamal (con’t.)
Summary - ECC
• Elliptic curves can be used to produce elements in a finite field that are:
– More efficient to generate
– More difficult to reconstruct with partial data
• For equivalent security, the key sizes needed with ECC increase linearly; for RSA, they increase exponentially
Next: The Advanced Encryption Standard (AES)
Why a New Crypto Standard?
• DES now vulnerable to brute force key search
• 3DES still viable option, but key management a problem
• Implementation speeds in software disappointing
• Need to have national crypto standard even more critical than in the 1970’s
Basic Facts about AES
• Successor to DES
• AES selection process was administered by NIST
• Unlike DES, the AES selection was an open (i.e., public) process
• Likely to be the dominant secret-key algorithm in the next decade
• Main AES requirements by NIST:
– Block cipher with 128 I/O bits
– Three key lengths must be supported: 128/192/256 bits
– Security relative to other submitted algorithms
– Efficient software and hardware implementations
Chronology of the AES Process
• Development announced on January 2, 1997 by the National Institute of Standards and Technology (NIST)
• 15 candidate algorithms accepted on August 20th, 1998
• 5 finalists announced August 9th, 1999
– Mars, IBM Corporation
– RC6, RSA Laboratories
– Rijndael, J. Daemen & V. Rijmen
– Serpent, Eli Biham et al.
– Twofish, B. Schneier et al.
• October 2nd, 2000, NIST chooses Rijndael as the AES
Comparison of Contenders
Blowfish
Twofish
Rijndael Overview
Block Size/Key Length
• Both block size and key length of Rijndael are variable. Sizes shown below are the ones required by the AES Standard. The number of rounds (or iterations) is a function of the key length:
Rijndael vs. AES
• AES utilizes a subset of Rijndael capabilities
• Rijndael allows block sizes of 192 and 256 bits, but AES does not permit these larger block sizes
• If larger block sizes are used, the number of rounds must be increased
Important
• Rijndael does not have a Feistel structure
• Feistel networks do not encrypt an entire block per iteration (e.g., in DES, 64/2 = 32 bits are encrypted in one iteration)
• Rijndael encrypts all 128 bits in one iteration. As a consequence, Rijndael has a comparably small number of rounds
Rijndael Structure
• Rijndael is a substitution-permutation network
• Rijndael uses three different types of layers
• Each layer operates on all 128 bits of a block
Rijndael Layers
• Key Addition Layer: XORing of subkey
• Byte Substitution Layer: 8-by-8 S-Box substitution
• Diffusion Layer: provides diffusion over all 128 (or 192 or 256) block bits. It is split in two sub-layers:
– ShiftRow Layer
– MixColumn Layer
Operations
• ByteSubstitution Layer introduces confusion with a non-linear operation.
• ShiftRow and MixColumn stages form a linear Diffusion Layer
Rijndael Block
Diagram (encryption)
A Walk Through Rijndael
• One must be very careful when using Wikipedia references. However, this one has been vetted and is accurate as of today:
• http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
• We’ll look at the description of how Rijndael works in some detail
Affine Transformation
• Mapping between two vector spaces consisting of a linear transformation followed by a translation: x ↦ Ax + b
• Preserves:
– Collinearity between points, i.e., three points which lie on a line continue to be collinear after the transformation
– Ratios of distances along a line
Another View of Byte Substitution
• Splits the incoming 128 bits into 128/8 = 16 bytes.
• Each byte A is considered an element of GF(2^8) and undergoes the following substitution individually:
B = A^-1 ∈ GF(2^8), where P(x) = x^8 + x^4 + x^3 + x + 1
Byte Substitution Affine Transformation
All About C
• The vector C = (c_7 ··· c_0) (representing the field element c_7 x^7 + ··· + c_1 x + c_0) is the result of the substitution: C = ByteSub(A)
• The entire substitution can be realized as a look-up in a 256x8-bit table with fixed entries
• Unlike DES, Rijndael applies the same S-Box to each byte
Diffusion Layer
• Unlike the non-linear substitution layer, the diffusion layer performs a linear operation on input words A, B. That means: DIFF(A) + DIFF(B) = DIFF(A + B)
• The diffusion layer consists of two sublayers:
– ShiftRow SubLayer
– MixColumn SubLayer
ShiftRow SubLayer - 1
• Write an input word A as 128/8 = 16 bytes and order them in a square array:
• Input A = (a_0, a_1, …, a_15)
ShiftRow SubLayer – 2
• Shift cyclically row-wise as follows:
MixColumn SubLayer
• Principle: each column of 4 bytes is individually transformed into another column
• How? Each 4-byte column is considered as a vector and multiplied by a 4x4 matrix. The matrix contains constant entries. Multiplication and addition of the coefficients is done in GF(2^8)
MixColumn SubLayer Matrices
Rijndael Keys
• Analogous to DES, the key provided with AES is a seed key, which is processed within the system to produce round keys
• The procedure to generate separate round keys from the seed key is known as the Rijndael key schedule
Key Addition Layer
• Simple bitwise XOR with a 128-bit subkey
• AES (Rijndael) uses a key schedule to expand a short key into a number of separate round keys. This is known as the Rijndael key schedule.
• http://en.wikipedia.org/wiki/Rijndael_key_schedule
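The layers described on the preceding slides, worked through as one added Python example: the byte substitution as inverse in GF(2^8) under P(x) = x^8 + x^4 + x^3 + x + 1 followed by the affine map (which collapses into the 256-entry S-Box table), the ShiftRow and MixColumn sublayers, a check of the diffusion layer's linearity DIFF(A) + DIFF(B) = DIFF(A + B), the Rijndael key schedule for a 128-bit key, and the key addition layer, assembled into one AES-128 block encryption. This is my code, not the lecture's and not the FIPS PUB 197 reference; the state layout (16 bytes in column-major order, byte r + 4c being row r, column c) and the function names are my own choices, and the result is checked against the FIPS-197 Appendix C.1 test vector.

```python
# Added example (not from the slides): the Rijndael/AES-128 layers in plain
# Python. State is a list of 16 bytes in FIPS-197 column-major order.

AES_POLY = 0x11B  # x^8 + x^4 + x^3 + x + 1: the P(x) named on the slide


def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8) modulo P(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= AES_POLY
        b >>= 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8); 0 maps to 0 by convention."""
    return next((x for x in range(1, 256) if gf_mul(a, x) == 1), 0)


def affine(b):
    """FIPS-197 affine map: XOR of b with its four left rotations, plus 0x63."""
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return b ^ rot(b, 1) ^ rot(b, 2) ^ rot(b, 3) ^ rot(b, 4) ^ 0x63


# The whole byte substitution collapses into a fixed 256-entry table.
SBOX = [affine(gf_inv(a)) for a in range(256)]


def sub_bytes(s):
    """Byte Substitution layer: the same S-Box applied to every byte."""
    return [SBOX[b] for b in s]


def shift_rows(s):
    """ShiftRow sublayer: rotate row r cyclically left by r positions."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(s):
    """MixColumn sublayer: each column times the constant matrix, in GF(2^8)."""
    out = []
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        out += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
    return out


def add_round_key(s, rk):
    """Key Addition layer: bitwise XOR with the 128-bit round key."""
    return [x ^ k for x, k in zip(s, rk)]


def is_linear(layer, a, b):
    """The slide's test: DIFF(A) + DIFF(B) == DIFF(A + B), with + being XOR."""
    return add_round_key(layer(a), layer(b)) == layer(add_round_key(a, b))


RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """Rijndael key schedule for a 16-byte seed key: 44 words = 11 round keys."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                # RotWord
            t = [SBOX[b] for b in t]         # SubWord
            t[0] ^= RCON[i // 4 - 1]         # round constant
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    """Ten rounds; the final round omits MixColumn, as in FIPS-197."""
    rks = expand_key(key)
    s = add_round_key(list(block), rks[0])
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), rks[r])
    s = add_round_key(shift_rows(sub_bytes(s)), rks[10])
    return bytes(s)


if __name__ == "__main__":
    key = bytes(range(16))                                   # FIPS-197 C.1 key
    pt = bytes.fromhex("00112233445566778899aabbccddeeff")   # FIPS-197 C.1 plaintext
    print(aes128_encrypt_block(key, pt).hex())  # expected 69c4e0d86a7b0430d8cdb78070b4c55a
```

Two things worth noticing when running it: is_linear returns True for ShiftRow followed by MixColumn on any pair of inputs but False for sub_bytes, which is the confusion/diffusion split the "Operations" slide describes; and because the table SBOX is built from gf_inv and affine rather than typed in, the values 0x63 at index 0 and 0x7c at index 1 confirm the affine constant and the inverse are both right before the full block test is run.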
Rijndael Thoughts
• FIPS PUB 197 is the official standard
• Based on what you have seen of how encryption proceeds, can decryption proceed in the same way as for DES?
Rijndael Block
Diagram (decryption)
Rijndael Decryption
• Unlike DES and other Feistel ciphers, all of the Rijndael layers must actually be inverted
• How can this be accomplished?
AES Uses in Defense Systems
• DES and 3DES were never allowed for transmitting classified information
• CNSS Policy #15, FS-1, June 2003 states that AES may be used for classified information, subject to FIPS 140-2
– SECRET at all key lengths
– TOP SECRET at key lengths of 192 or 256
• Issues/problems?
Attacks on AES?
• What did you find in your homework?
• Do any of these seem plausible?
• What about in 10-20 years?
• AES has been criticized as being too algebraically deterministic. Your thoughts?
AES Summary
• AES uses a subset of the capabilities of the Rijndael algorithm
• AES is becoming widely used, and is the default in many common applications
• A change from many of its predecessors, AES is a substitution-permutation network
• AES decryption requires a decryption engine to invert the encryption transforms
Homework
• Read Stinson, Chapter 3.6
• Research the topic of elliptic curve cryptography. Choose a cryptosystem and describe its advantages and disadvantages. Is it in wide use? Why or why not?
• Some researchers have reported breaking AES. Find one or more of these claims and evaluate its significance or lack thereof.