Introduction to Elliptic Curve Cryptography
description
Transcript of Introduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve Cryptography
CSCI 5857: Encoding and Encryption
Outline
• Encryption as points on elliptic curves in space• Elliptic curves and modular arithmetic• Mathematical operations on elliptic curves• Elliptic curve Diffie-Hellman• Elliptic curve Elgamal• Security and speed of elliptic curve cryptography
Elliptic Curve Mathematics• General mathematical form (Weierstraus equation):
y2 = x3 + ax + b
For some a, b (curve parameters)
Elliptic Curve Encryption• Encryption:
Transforming points on curve (P, KPU) into other point on same curve (C)
• Main idea (Abelian group): Need a definition of “+” so that “sum” of two points on a curve is also on the same curve
R = P + Q where P = (xP, yP) Q = (xQ, yQ) R = (xR, yR)
Elliptic Curve Addition Cases
• Case 1: R based on line formed by P, Q (xP ≠ xQ, yP ≠ yQ)
Equations:• = (yQ – yP) / (xQ – xP) • xR = 2 – xP – xQ
• yR = (xP – xR) – yP
Elliptic Curve Addition Cases
• Case 2: P = Q, R based on tangent to curve (xP = xQ, yP = yQ)
Equations:• xR = ((3xP
2 + a) / 2yP)2 - 2xP
• yR = ((3xP2 + a) / 2yP)2(xP – xR) – yP
Elliptic Curve Addition Cases
• Case 3: P = -Q, line does not intercept curve (xP = xQ, yP ≠ yQ)
• R = “0” (additive identity)– Point at infinity– 0 = -0
Elliptic Curves over Zp
• Encryption requires modular arithmetic– Must be difficult to recover original points from R.– Modular arithmetic prevents “working backward”, as in
RSA
• Define “curve” as Ep(a, b) where p is the modulus, a, b are the coefficients of y2 = x3 + ax + b
• Looking for (x, y) such that y2 = (x3 + ax + b) mod p
– Note: “points” on curve are integers
Finding Points on a Zp Curve
• Points on elliptic curve y2 = x3 + x + 1 for GF(13):– Must find integer values for x, y < 13 such that
(y2) mod 13 = (x3 + x + 1) mod 13
x = 0: y2 mod 13 = 1 mod 13 y = 1
y = 1, 12 (-1 mod 13 = 12)
x = 1: y2 mod 13 = 3 mod 13 y = 4 (16 mod 13 = 3) y = 4, 9
Finding Points on a Zp Curve
Note: Not all values of x have a corresponding y
x = 2: y2 mod 13 = 11 mod 13 No solution for y (Can test all y < 13)
x = 3: y2 mod 13 = 31 mod 13 = 5 No solution for y (Can test all y < 13)
x = 4: y2 mod 13 = 69 mod 13 = 4 y = 2 y = 2, 11
Finding Points on a Zp Curve
• Points on elliptic curve y2 = x3 + x + 1 over GF(13):
Elliptic Curve Mathematics
• Computing (xR, yR) = (xP, yP) + (xQ, yQ) – Necessary to turn 2 points corresponding to key,
plaintext into point corresponding to ciphertext
• Use same rules for “+” as curves in space
• Main ideas:– Addition/subtraction/multiplication in mod p– Division = multiplication by inverse mod p
Example: (4, 2) + (10, 6) on E13(1, 1)
• step 1: compute = (yQ – yP) / (xQ – xP) = (6 – 2) x (10 – 4)-1 mod 13 = 4 x 6-1 mod 13 6-1 mod 13 = 11
= 4 x 11 mod 13 = 5
• step 2: compute xR = 2 – xP – xQ
xR = 25 – 4 – 10 mod 13 = 11
• step 3: compute yR = (xP – xR) – yP
yR = 5 x (4 – 11) – 2 mod 13 = 2
(4, 2) + (10, 6) = (11, 2) note: also on curve!
Multiplication on an Elliptic Curve
• Multiplication = addition multiple times– Necessary for some forms of elliptic curve cryptography– Must use formula where P = Q for first addition
• Example: 3 x (1, 4) on E13(1, 1)
3 x (1, 4) = ((1, 4) + (1, 4)) + (1, 4) = (8, 1) + (1, 4) = (1, 9)
Elliptic Curve Encryption
• Generally based on using elliptic curves in place of exponentiation in existing public key algorithm
• Examples: –Elliptic Curve Diffie-Hellman–Elliptic Curve Elgamal
Elliptic Curve Diffie-Hellman
• Alice and Bob agree on global parameters:– Ep(a, b): Elliptic curve mod p (prime) with
parameters a and b– G : “Generator” point on that elliptic curve
• For all points R on the curve, there exists some n such that G n = R
– Example: P = 211 Ep(0, -4) the curve y2 = x3 - 4 G = (2, 2)
Elliptic Curve Diffie-Hellman
• Alice and Bob select own private x and y• They each generate a public R1 and R2 as
R1 = x G and R2 = y G • They exchange these values
• Example: x = 121 R1 = 121 (2, 2) = (115, 48) y = 203 R2 = 203 (2, 2) = (130, 203)
(115, 48)
(130, 203)
Elliptic Curve Diffie-Hellman
• Alice and Bob generate the same key kAlice: k = R2 x
Bob: k = R1 y • Proof: R2 x = (G y) x
R1 y = (G x) y • Example:
121 (130, 203) = 203 (115, 48) = (161, 69)
Elliptic Curve Elgamal
Generating public and private keys:• Bob chooses an Ep(a, b) for an elliptic curve in Zp
• Bob chooses a point (x1, y1) on that curve• Bob chooses a secret integer multiplier d < p• Bob computes a second point (x2, y2) on the curve as
(x2, y2) = d (x1, y1)
• public key: the values p, a, and b that define the curve the two points (x1, y1) and (x2, y2)
• private key: the multiplier d
Elliptic Curve Elgamal
Encryption:• Alice selects a point P on Ep(a, b) that corresponds to
the plaintext message she wishes to send• Alice selects a random multiplier r• Alice creates the ciphertext as two points on the
curve:
C1 = r (x1, y1) C2 = P + r (x2, y2)
Elliptic Curve Elgamal
Decryption:• Bob computes the plaintext as: P = C2 – (d C1))
• Why does this work?
P = C2 – (d C1)) = (P + r (x2, y2) ) – (d r (x1, y1) )) = (P + d r (x1, y1) ) – (d r (x1, y1) )) = P
Security and Speed
• Why is this secure?– Same type of inverse modular problem
(elliptic curve logarithm problem)
– No simple way to determine d from (x1, y1) and
(x2, y2) without trying all possible values
– Computationally secure as long as p large enough to prevent this (2160 for example)
Security and Speed
• Why is this fast?– Only uses addition and multiplication –
no exponents!
– Smaller key sizes • 160 bit ECC key equivalent to 1024 bit RSA key