Elliptic Curve Cryptography: An Introduction
Dr. F. Vercauteren
Katholieke Universiteit Leuven
22 April 2008
Dr. F. Vercauteren Elliptic Curve Cryptography An Introduction
Cryptography
Elliptic Curves
EC Cryptographic Primitives
Pairings
Cryptography
Cryptography provides the technical means to secure information in electronic form.
- Confidentiality: protection of data from unauthorized disclosure.
- Data integrity: assurance that data received are exactly as sent by an authorized entity.
- Authentication: assurance that the communicating entity is the one that it claims to be.
- Non-repudiation: prevents an entity from denying previous commitments or actions.
Symmetric Key Cryptography
[Figure: symmetric key cryptosystem. Alice turns PLAINTEXT into CIPHERTEXT and Bob recovers the PLAINTEXT; the encryption key and the decryption key are the same.]
Public Key Cryptography
[Figure: public key cryptosystem. Alice encrypts PLAINTEXT to CIPHERTEXT with the public key of Bob, taken from a public list; Bob decrypts with the private key of Bob.]
Factoring and Discrete Logarithm Problem
- Rivest-Shamir-Adleman (1977): RSA based on factoring.
- Main idea: easy to find two large primes p and q, but very hard to find p and q from $n = p \cdot q$.
- RSA still most popular public key cryptosystem.
- ElGamal (1984): discrete logarithm problem (DLP).
- Group G is a set with operation $\cdot$ and each element has an inverse.
- Main idea: very easy to compute $h = g^x$ for given x, but very hard to find x given h and g.
- Popular choices: finite fields and elliptic curves.
Diffie-Hellman Key Agreement
Choose a large prime number p and a generator α mod p.
Alice: picks $x_A \in_R [1, p-1]$ and sends $\alpha^{x_A}$ to Bob.
Bob: picks $x_B \in_R [1, p-1]$ and sends $\alpha^{x_B}$ to Alice.
Alice computes $K_{BA} = (\alpha^{x_B})^{x_A}$; Bob computes $K_{BA} = (\alpha^{x_A})^{x_B}$.
- Note: all calculations mod p
- Security based on the Diffie-Hellman problem: given $\alpha^{x_A}$ and $\alpha^{x_B}$, compute $\alpha^{x_A x_B}$
Elliptic Curves
Definition
- Elliptic curve E over field K is defined by
  $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, \quad a_i \in K$
- The set of K-rational points E(K) is defined as
  $E(K) = \{(x, y) \in K \times K \mid y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6\} \cup \{\infty\}$
- ∞ is called the point at infinity
Theorem: There exists an addition law on E and the set E(K) is a group.
Elliptic Curves over R
[Figure: two elliptic curves over R, $y^2 = x^3 + 4x^2 + 4x + 3$ (left) and $y^2 = x^3 - 7x + 6$ (right).]
Addition Law on Elliptic Curves
[Figure: the addition law on $y^2 = x^3 - 7x + 6$. Left, adding two points: the line L through P and Q meets the curve in a third point R, and the vertical line L′ through R gives P ⊕ Q. Right, doubling a point: the tangent line L at P meets the curve in R, and the vertical line L′ through R gives 2P.]
Addition Law on Elliptic Curves
By definition: three points on a line sum to zero!
Let $P_1 \oplus P_2 = P_3$, with $P_i = (x_i, y_i) \in E$.
- If $x_1 = x_2$ and $y_1 + y_2 + a_1 x_2 + a_3 = 0$, then $P_1 \oplus P_2 = \infty$.
- Else:
  - $x_1 \neq x_2$: $\lambda = (y_2 - y_1)/(x_2 - x_1)$, $\nu = (y_1 x_2 - y_2 x_1)/(x_2 - x_1)$
  - $x_1 = x_2$: $\lambda = (3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1)/(2y_1 + a_1 x_1 + a_3)$, $\nu = (-x_1^3 + a_4 x_1 + 2a_6 - a_3 y_1)/(2y_1 + a_1 x_1 + a_3)$
The point $P_3 = P_1 \oplus P_2$ is given by
$x_3 = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2, \qquad y_3 = -(\lambda + a_1) x_3 - \nu - a_3$
Finite Fields
- Practical applications need exact arithmetic, so
  - not R since not exact
  - not Q since the size of the numbers involved grows too fast
- Consider elliptic curves over finite fields:
  - $\mathbb{F}_p$ with p prime: represented by Z mod p
  - $\mathbb{F}_{2^n}$ with $2^n$ elements: represented by $\mathbb{F}_2[X]$ mod P(X), i.e. binary polynomials modulo an irreducible polynomial P(X)
Elliptic Curves over Finite Fields
[Figure: the points of the elliptic curve $y^2 = x^3 + x + 3 \bmod 23$, plotted on a 23 × 23 grid of (x, y) values.]
Number of Points on Elliptic Curve
- Theorem (Hasse): the cardinality $\#E(\mathbb{F}_q)$ satisfies
  $\#E(\mathbb{F}_q) = q + 1 - t$ with $|t| \le 2\sqrt{q}$.
- For gcd(q, t) = 1, all possibilities occur.
Elliptic Curve DLP
- Let G be an abelian group generated by P ∈ G.
- Let Q = s · P; then the DLP is to compute s given P and Q.
- Classically: $G = \mathbb{F}_q^\times$.
- For $G = E(\mathbb{F}_q)$, the DLP is called ECDLP.
Note: primitives based on the DLP can be translated to the ECDLP setting.
Security of ECDLP: General Attacks
- Exhaustive search: impossible if group order > $2^{80}$
- Pohlig-Hellman: suppose $\#E(\mathbb{F}_q) = p_1^{s_1} p_2^{s_2} \cdots p_k^{s_k}$, then one can reduce the ECDLP to subgroups of order $p_i$ ⇒ $\#E(\mathbb{F}_q)$ should have a large prime divisor p
- Pollard rho & lambda: random walk, constant space, time complexity is $O(\sqrt{p})$
Conclusion:
- $\#E(\mathbb{F}_q) > 2^{160}$ and divisible by a large prime p
- Best general attack is exponential in p
- DLP in $\mathbb{F}_q$ is sub-exponential: $L_q[1/3, b]$ with
  $L_N[a, b] = O\!\left(e^{(b + o(1))(\ln N)^a (\ln \ln N)^{1-a}}\right)$
Comparison with RSA & DSA: Security
[Figure: key lengths in bits for equivalent cryptographic strength. Horizontal axis: key length of conventional systems RSA and DSA (0 to 10000 bits); vertical axis: key length of elliptic curve systems (0 to 500 bits); curves labelled ECDSA and RSA & DSA.]
Overview
- Key Agreement Primitives
  - ECDH: EC Diffie-Hellman Secret Value Derivation
  - ECMQV: EC Menezes-Qu-Vanstone Secret Value Derivation
- Signature Primitives
  - ECNR: EC Nyberg-Rueppel Signatures
  - ECDSA: EC Digital Signature Algorithm
- Encryption Primitives
  - ECIES: EC Integrated Encryption Scheme
Pairings
- Let $G_1, G_2, G_T$ be groups of prime order ℓ. A pairing is a non-degenerate bilinear map $e : G_1 \times G_2 \to G_T$.
- Bilinearity:
  - $e(g_1 + g_2, h) = e(g_1, h)\, e(g_2, h)$,
  - $e(g, h_1 + h_2) = e(g, h_1)\, e(g, h_2)$.
- Non-degenerate:
  - for all $g \neq 1$: $\exists x \in G_2$ such that $e(g, x) \neq 1$
  - for all $h \neq 1$: $\exists x \in G_1$ such that $e(x, h) \neq 1$
- Examples:
  - Scalar product on a vector space over finite fields, $\langle \cdot, \cdot \rangle : \mathbb{F}_q^n \times \mathbb{F}_q^n \to \mathbb{F}_q$.
  - Weil and Tate pairings on elliptic curves and abelian varieties.
Pairings in cryptography
- Exploit bilinearity: original schemes have $G_1 = G_2$
- MOV: DLP reduction from $G_1$ to $G_T$:
  DLP in $G_1$: $(g, xg)$ ⇒ DLP in $G_T$: $(e(g, g), e(g, g)^x)$
- Decision DH easy in $G_1$:
  DDH: $(g, ag, bg, cg)$, test if $e(g, cg) = e(ag, bg)$
- Identity based crypto, short signatures, ...
Torsion subgroups
- $E[\ell]$: subgroup of points of order dividing ℓ, i.e.
  $E[\ell] = \{P \in E(\overline{\mathbb{F}}_q) \mid [\ell]P = \infty\}$
- Structure of $E[\ell]$ for gcd(ℓ, q) = 1 is $\mathbb{Z}/\ell\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}$.
- Let $\ell \mid \#E(\mathbb{F}_q)$; then $E(\mathbb{F}_q)[\ell]$ gives at least one component.
- Embedding degree: k minimal with $\ell \mid (q^k - 1)$.
- Note: the ℓ-th roots of unity $\mu_\ell \subseteq \mathbb{F}_{q^k}^\times$.
- If k > 1 then $E(\mathbb{F}_{q^k})[\ell] = E[\ell]$.
Functions and divisors
- Consider the function $f = \dfrac{(x-1)^2 (x+2)}{x}$ on $\mathbb{P}^1$.
[Figure: plot of f for −4 ≤ x ≤ 4, with values between −25 and 20.]
- Divisor of f: $(f) = 2(P_1) + (P_{-2}) - (P_0) - 2(P_\infty)$
- Support of (f): $\mathrm{Supp}((f)) = \{P_1, P_{-2}, P_0, P_\infty\}$
- Given the divisor (f), the function is determined up to a constant.
Miller functions
- Let $P \in E(\mathbb{F}_q)$ and $n \in \mathbb{N}$.
- A Miller function $f_{n,P}$ is any function in $\mathbb{F}_q(E)$ with divisor
  $(f_{n,P}) = n(P) - ([n]P) - (n-1)(\infty)$
- $f_{n,P}$ is determined up to a constant $c \in \mathbb{F}_q^\times$.
- $f_{n,P}$ has a zero at P of order n.
- $f_{n,P}$ has a pole at [n]P of order 1.
- $f_{n,P}$ has a pole at ∞ of order (n − 1).
- For every point $Q \neq P, [n]P, \infty$, we have $f_{n,P}(Q) \in \mathbb{F}_q^\times$.
Tate pairing
- Let $P \in E(\mathbb{F}_{q^k})[\ell]$ and $f_{\ell,P} \in \mathbb{F}_{q^k}(E)$ with
  $(f_{\ell,P}) = \ell(P) - \ell(\infty)$
- Note: $f_{\ell,P}$ has a zero of order ℓ at P and a pole of order ℓ at ∞.
- The Tate pairing is defined as (assuming normalisation)
  $\langle P, Q \rangle_\ell = f_{\ell,P}(Q)$
- Technical stuff: need to adjust domain and image
  $\langle \cdot, \cdot \rangle_\ell : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k})/\ell E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^\times / (\mathbb{F}_{q^k}^\times)^\ell$
Reduced Tate pairing
- By definition, the value of $\langle \cdot, \cdot \rangle_\ell$ is only defined up to ℓ-th powers:
  $\langle \cdot, \cdot \rangle_\ell : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k})/\ell E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^\times / (\mathbb{F}_{q^k}^\times)^\ell$
- In practice: want a unique output of the function!
- Reduced Tate pairing $e : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k})/\ell E(\mathbb{F}_{q^k}) \to \mu_\ell$,
  $e(P, Q) = \langle P, Q \rangle_\ell^{(q^k - 1)/\ell} = f_{\ell,P}(Q)^{(q^k - 1)/\ell}$
- The Tate pairing is bilinear and non-degenerate.
Miller’s Algorithm
- Use the double-and-add algorithm to compute $f_{n,P}$ for any $n \in \mathbb{N}$.
- Exploit the relation
  $f_{m+n,P} = f_{m,P} \cdot f_{n,P} \cdot \dfrac{l_{[n]P,[m]P}}{v_{[n+m]P}}$
- $l_{[n]P,[m]P}$: the line through [n]P and [m]P
- $v_{[n+m]P}$: the vertical line through [n + m]P
- Evaluate at Q in every step
Conclusions
- Elliptic curves provide an alternative to RSA & DSA
- No sub-exponential time algorithm to solve ECDLP
- Smaller key sizes, sometimes faster than DSA & RSA, more future proof
- Typical applications: PDAs, phones, smart cards, ...
- Examples: Blackberry, Wii, German passports, future EMV
- Pairings on elliptic curves: identity based crypto, short signatures, ...
EC Digital Signature Algorithm (ECDSA)
- ECDSA is the elliptic curve analog of DSA
- Used to provide data origin authentication, data integrity and non-repudiation
- Standards for ECC (including ECDSA & ECIES):
  - ANSI X9.62, X9.63
  - NIST FIPS 186-2
  - IEEE 1363-2000
  - ISO/IEC 14888-3, 9796-4, 15946
  - SECG
EC Key Pair Generation
- Domain parameters
  - Elliptic curve E over finite field $\mathbb{F}_q$
  - Point $G \in E(\mathbb{F}_q)$, n = ord(G) and cofactor $h = \#E(\mathbb{F}_q)/n$
- Private and public key
  - Select a random integer d in the interval [1, n − 1]
  - Compute Q = d · G
  - Public key is Q, private key is d
ECDSA Signature Generation
To sign a message m do the following:
1. Select a random integer k with 1 ≤ k ≤ n − 1
2. Compute $k \cdot G = (x_1, y_1)$ and $r \equiv x_1 \bmod n$. If r = 0 go to step 1
3. Compute $k^{-1} \bmod n$
4. Compute e = HASH(m)
5. Compute $s \equiv k^{-1}(e + dr) \bmod n$. If s = 0 go to step 1
6. The signature for the message m is (r, s)
ECDSA Signature Verification
To verify a signature (r, s) on m do the following:
1. Verify that r and s are integers in the interval [1, n − 1]
2. Compute e = HASH(m)
3. Compute $w \equiv s^{-1} \bmod n$
4. Compute $u_1 \equiv ew \bmod n$ and $u_2 \equiv rw \bmod n$
5. Compute $u_1 \cdot G + u_2 \cdot Q = (x_1, y_1)$ and $v \equiv x_1 \bmod n$
6. Accept the signature if and only if v = r
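As an added worked example (not code from the slides), the Python below implements the addition law from the earlier "Addition Law on Elliptic Curves" slide in its general Weierstrass form, double-and-add scalar multiplication, brute-force point counting, and the signing and verification steps above. The curves are assumptions chosen for illustration: the slides' own curve $y^2 = x^3 + x + 3 \bmod 23$ for the group-law checks, and $y^2 = x^3 + 2x + 2 \bmod 17$ with $G = (5, 1)$ of prime order $n = 19$ for ECDSA, with SHA-256 standing in for HASH.

```python
# Added example, not from the slides: Weierstrass addition law, point counting
# and a toy ECDSA over F_p; the curves used are assumptions for illustration.
import hashlib, secrets
INF = None  # the point at infinity

def add(E, P1, P2):  # P1 + P2 on E = (p, a1, a2, a3, a4, a6), slide formulas
    p, a1, a2, a3, a4, a6 = E
    if P1 is INF or P2 is INF: return P2 if P1 is INF else P1
    x1, y1 = P1; x2, y2 = P2
    if x1 == x2 and (y1 + y2 + a1*x2 + a3) % p == 0: return INF  # P2 = -P1
    if x1 != x2:                                     # chord through P1, P2
        inv = pow((x2 - x1) % p, -1, p)
        lam = (y2 - y1) * inv % p
        nu = (y1*x2 - y2*x1) * inv % p
    else:                                            # tangent at P1 (doubling)
        inv = pow((2*y1 + a1*x1 + a3) % p, -1, p)
        lam = (3*x1*x1 + 2*a2*x1 + a4 - a1*y1) * inv % p
        nu = (-x1**3 + a4*x1 + 2*a6 - a3*y1) * inv % p
    x3 = (lam*lam + a1*lam - a2 - x1 - x2) % p
    y3 = (-(lam + a1)*x3 - nu - a3) % p
    return (x3, y3)

def mul(E, k, P):  # [k]P by double-and-add
    R = INF
    while k:
        if k & 1: R = add(E, R, P)
        P, k = add(E, P, P), k >> 1
    return R

def count_points(E):  # #E(F_p): affine solutions plus the point at infinity
    p, a1, a2, a3, a4, a6 = E
    return 1 + sum((y*y + a1*x*y + a3*y - x**3 - a2*x*x - a4*x - a6) % p == 0
                   for x in range(p) for y in range(p))

def hash_mod_n(m, n):  # e = HASH(m) reduced into Z/nZ (SHA-256 assumed)
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % n

def ecdsa_sign(E, G, n, d, m):  # slide "ECDSA Signature Generation"
    while True:                                      # retry while r = 0 or s = 0
        k = secrets.randbelow(n - 1) + 1             # fresh secret k in [1, n-1]
        r = mul(E, k, G)[0] % n
        s = pow(k, -1, n) * (hash_mod_n(m, n) + d*r) % n
        if r and s: return (r, s)

def ecdsa_verify(E, G, n, Q, m, sig):  # slide "ECDSA Signature Verification"
    r, s = sig
    if not (1 <= r < n and 1 <= s < n): return False
    w = pow(s, -1, n); e = hash_mod_n(m, n)
    X = add(E, mul(E, e*w % n, G), mul(E, r*w % n, Q))
    return X is not INF and X[0] % n == r
```

With n = 19 the toy curve only serves to trace the formulas; a real deployment uses a standardized curve whose subgroup order n is on the scale the security slide requires (well beyond $2^{160}$), and k must be fresh and secret for every signature.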
ECDSA vs. RSA: Speed (ms)
Elliptic curve over $\mathbb{F}_{2^{233}}$

Operation            RIM pager   PalmPilot   Pentium II
Key Generation           1,552       2,573         3.11
ECDSA Signing            1,910       3,080         4.03
ECDSA Verifying          3,701       5,878         7.87

2048-bit modulus

Operation                        RIM pager   PalmPilot   Pentium II
RSA Key Generation                       —           —       26,442
RSA Signing                        111,956     288,236       440.69
RSA Verifying (e = 3)                1,087       2,392          4.2
RSA Verifying (e = 2^16 + 1)         3,608       7,973        13.45
More info: Brown et al.: PGP in Constrained Wireless Devices