Elliptic Curve Weak Class Identification for the
Security of Cryptosystem
Intan Muchtadi, Ahmad Muchlis and Fajar Yuliawan
Algebra Research Group, Institut Teknologi Bandung (ITB),
Indonesia
Elliptic Curve
In 1985 both Koblitz and Miller independently suggested the use of Elliptic Curves in the development of a new type of public key cipher.
An Elliptic Curve is a simple equation of the form:
y² = x³ + ax + b
with a, b in a field F of characteristic p ≠ 2, 3 and 4a³ + 27b² ≠ 0
Elliptic curve y² = x³ − x
[Plot] y² = x³ − ½x + ½
[Plot] y² = x³ − (4/3)x + 16/27
Elliptic curve over F23
[Plot of the points] y² = x³ + x + 1
Elliptic Curve Addition
[Figure: points P and Q on the curve and their sum P+Q]
Multiples in Elliptic Curves 1
The interest in Elliptic Curve Addition is the process of adding a point to itself. That is, given a point P, find the point P+P or 2P.
This is done by drawing the line tangent to the curve at P and reflecting the point at which it intercepts the curve.
P can be added to itself k times, resulting in a point W = kP.
Multiples in Elliptic Curves 1
[Figure: P and P+P = 2P]
Multiples in Elliptic Curves 2
Finding the value of 3P:
[Figure: P, P+P = 2P and 3P]
Discrete Logarithm Problem
1. A and B agree on a finite group G and some fixed element g.
2. A selects an integer x at random and transmits b = g^x to B.
3. B selects an integer y at random and transmits c = g^y to A.
4. A determines k = c^x, B determines k = b^y; k is then used as the secret key.
Elliptic Curve Cryptography
Based on the discrete logarithm problem applied to the Abelian group E(Fp) formed by the points of an elliptic curve over a finite field:
E(Fp) = {(x,y) ∈ (Fp)² : y² = x³ + ax + b} ∪ {O}
Elliptic Curve Cryptosystem
There are several ways in which the ECDLP can be embedded in a cipher system.
One method begins by selecting an Elliptic Curve, a point P on the curve, and a secret number d which will be the private key.
The public key is P and Q, where Q = dP.
A message is encrypted by converting the plaintext into a number m, selecting a random number k, and finding a point M on the curve where the difference of the x and the y co-ordinates equals m.
The ciphertext consists of two points on the curve:
(C1, C2) = (kP, M + kQ)
Decipher
The secret key d is used to decipher the ciphertext.
Multiply the first point by d and subtract the result from the second point:
M = C2 − dC1 = M + kQ − dkP = M + kdP − dkP
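The addition rule, the multiples kP and the cipher (C1, C2) = (kP, M + kQ) from the preceding slides, as an added example that is not part of the original talk. It uses the curve y² = x³ + x + 1 over F23 shown earlier; the base point P = (3, 10), message point M = (9, 7), private key d = 7 and random number k = 5 are constructed values, and the step that encodes a number m as a point M is omitted.

```python
# Added example: EC ElGamal on the toy curve y^2 = x^3 + x + 1 over F_23.
# P, M, d and k below are constructed values, not taken from the slides.
p, a, b = 23, 1, 1
O = None                                  # point at infinity (neutral element)

def on_curve(pt):
    return pt is O or (pt[1] ** 2 - pt[0] ** 3 - a * pt[0] - b) % p == 0

def add(P, Q):
    """Chord-and-tangent addition in E(F_p)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:   # P + (-P) = O, also covers y = 0
        return O
    if P == Q:                            # tangent slope for doubling
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p)
    else:                                 # chord slope
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def neg(P):
    return O if P is O else (P[0], -P[1] % p)

def mul(k, P):
    """W = kP by double-and-add."""
    W = O
    while k:
        if k & 1:
            W = add(W, P)
        P, k = add(P, P), k >> 1
    return W

def encrypt(M, P, Q, k):
    return mul(k, P), add(M, mul(k, Q))   # (C1, C2) = (kP, M + kQ)

def decrypt(d, C1, C2):
    return add(C2, neg(mul(d, C1)))       # M = C2 - d*C1

P, M, d, k = (3, 10), (9, 7), 7, 5        # k is fixed here only for repeatability
Q = mul(d, P)                             # public key Q = dP
C1, C2 = encrypt(M, P, Q, k)
assert on_curve(C1) and on_curve(C2) and decrypt(d, C1, C2) == M
```

In real use k is drawn fresh at random for every message and kept secret; anyone who learns k can compute kQ from the public key and strip it from C2.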
Elliptic Curve Security
The security of the Elliptic Curve algorithm is based on the fact that it is very difficult (as difficult as factoring) to solve the Elliptic Curve Discrete Logarithm Problem:
Given two points P and Q where Q = kP, find the value of k
Imaginary Quadratic Orders
Maximal Orders and Non-maximal Orders
If Δ is squarefree, then OΔ is the maximal order of the quadratic number field Q(√Δ) and Δ is called a fundamental discriminant.
The non-maximal order of conductor p > 1 with (non-fundamental) discriminant Δp = Δp² is denoted by OΔp. Assume that the conductor p is prime.
Let IΔ = the group of invertible OΔ-ideals and PΔ = the set of principal OΔ-ideals.
The class group of OΔ, Cl(Δ) = IΔ/PΔ, is a finite abelian group with neutral element OΔ.
The class number of OΔ is h(Δ) = |Cl(Δ)|.
Imaginary Quadratic Orders
In 1988 Buchmann and Williams used the class groups of imaginary quadratic orders Cl for the construction of a cryptosystem.
Reducing the DLP
Huhnlein et al showed that for totally non-maximal imaginary quadratic orders (i.e., h =1), the DLP can be reduced to the DLP in some finite field.
Problem
Can we find a condition for elliptic curves such that the DLP for those curves can be reduced to the DLP of some finite fields?
The 1st Relation
If E is an elliptic curve over Fq, then the endomorphism ring of E is an imaginary quadratic order O if and only if |E(Fq)| ≠ q+1.
Moreover, there exists a O such that |E(Fq)| = q + 1 – ( + ), where is the conjugate of , and is the Frobenius endomorphism
(x,y) = (xq,yq) for all (x,y) E(Fq).
Consequence
If q satisfies 4q = m² − Δn² for some m, n ∈ Z, then =±(m+n√Δ)/2.
As ²-t +q=0, we get t = + =±m.
Therefore |E(Fq)| = q + 1 ± m.
If m = 1, then |E(Fq)| = q or q + 2.
The case |E(Fq)| = q is cryptographically weak.
We consider the case where |E(Fq)| = q + 2.
The Result: Reducing the ECDLP
Main Theorem
Let q be a prime satisfying 4q = 1 − Δn² for some n ∈ Z, such that p = q + 2 is also a prime, and let E be an elliptic curve over Fq with |E(Fq)| = p.
Then the DLP in E(Fq) can be reduced to the DLP in Fp² as additive group.
The method in [Huhnlein et al]
The 2nd Relation
Auxiliary Result
The proof
E(Fq) O /(-1) O
O /pO Fp2
Given G and P ∈ E(Fq) with P = [m]G:
compute the corresponding elements +(π-1) O and +(π-1) O O /(-1) O
compute the corresponding +pO and +pO O /pO
compute the corresponding elements in Fp²
Then compute the discrete logarithm there or determine that it does not exist.
Conclusion
For q a prime satisfying 4q = 1 − Δn² for some n ∈ Z, such that p = q + 2 is also a prime, the ECDLP in E(Fq) whose order is p can be reduced to the DLP in the finite field of order p² as additive group.
Question of Existence
How to construct such cryptographically weak curves?
Answer: By using the construction of anomalous elliptic curves (i.e. where |E(Fq)| = q).
Recall
If q satisfies 4q = m² − Δn² for some m, n ∈ Z, then =±(m+n√Δ)/2.
As ²-t +q=0, we get t = + =±m.
Therefore |E(Fq)| = q + 1 ± m.
If m = 1, then |E(Fq)| = q or q + 2.
Construction of Anomalous Curves (based on [Leprevost et al])
Step 1: Choose Δ < 0, a fundamental discriminant of an imaginary quadratic field K = Q(√Δ) such that the order of K has class number 1:
Δ ∈ {−3, −4, −7, −8, −11, −19, −43, −67, −163} [Cox, Theorem 7.30]
Step 1 (contd)
Choose an odd prime q such that 4q = 1 − Δn² for an integer n.
We can show that
1. −Δ ≡ 3 mod 8 (Δ ∈ {−3, −11, −19, −43, −67, −163})
2. q = −Δu(u+1) + (−Δ+1)/4 for some integer u
Step 2
OK = O=Z[( + )/2
Let j(OK) be the j-invariant of OK. For class number 1 the j-invariant is given as follows [Cox, p.261]:

Δ       j(OK)
−3      0
−11     −32³
−19     −96³
−43     −960³
−67     −5280³
−163    −640320³
Step 3
Choose an elliptic curve over L = K(j(OK)) with j-invariant j0 = j(OK).
Since j(E) = 1728(4a³/(4a³ + 27b²)), we can choose
E: y² = x³ + ax + b
where a = 3j0/(1728 − j0) and b = 2j0/(1728 − j0)
Step 4
Reduce E to
E: y² = x³ + [a]x + [b]
over Fq.
We can show that |E(Fq)| ∈ {q, q+2}.
If |E(Fq)| = q + 2, a prime, then we're done.
Step 5
If |E(Fq)| = q, define
E': y² = x³ + d²[a]x + d³[b],
where d ∈ Fq is a non-quadratic element.
Then |E'(Fq)| = q + 2.
If q + 2 is prime, then we're done.
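Steps 1 to 5 carried through at toy size, as an added example that is not part of the original slides. It uses Δ = −19 and u = 12 (constructed inputs, giving q = 2969 and q + 2 = 2971) and counts points by exhaustive search, which only works for small q; the function names are hypothetical.

```python
# Added example: Steps 1-5 at toy size. delta = -19, u = 12 are constructed inputs;
# the j-invariants are the Step 2 table values.
J = {-11: -32**3, -19: -96**3, -43: -960**3, -67: -5280**3, -163: -640320**3}

def is_prime(n):
    return n > 1 and all(n % i for i in range(2, int(n ** 0.5) + 1))

def is_square(v, q):
    return pow(v, (q - 1) // 2, q) == 1   # Euler's criterion, v != 0 mod q

def count_points(a, b, q):
    """|E(F_q)| for y^2 = x^3 + ax + b by exhaustive search (toy q only)."""
    total = 1                             # the point at infinity O
    for x in range(q):
        rhs = (x ** 3 + a * x + b) % q
        total += 1 if rhs == 0 else 2 * is_square(rhs, q)
    return total

def construct(delta, u):
    q = -delta * u * (u + 1) + (1 - delta) // 4       # Step 1
    n = 2 * u + 1
    if not (is_prime(q) and 4 * q == 1 - delta * n * n):
        raise ValueError("q is not a prime of the form 4q = 1 - delta*n^2")
    j0 = J[delta]                                      # Step 2
    c = j0 * pow(1728 - j0, -1, q) % q                 # Step 3, reduced mod q
    a, b = 3 * c % q, 2 * c % q                        # Step 4: [a], [b]
    d = next(v for v in range(2, q) if not is_square(v, q))
    twist = (d * d * a % q, d ** 3 * b % q)            # Step 5: E'
    return q, (a, b), twist

def classify(a, b, q):
    order = count_points(a, b, q)
    if order == q:
        return "anomalous"
    if order == q + 2 and is_prime(q + 2):
        return "weak: order q+2 is prime"
    return "order %d is outside both classes" % order

q, E, E_twist = construct(-19, 12)        # q = 2969, q + 2 = 2971
print(q, classify(*E, q), "|", classify(*E_twist, q))
```

With Δ = −11 and u = 4 the same code gives q = 223, where one of the two curves is anomalous and the other has order 225, which is not prime.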
Problem
It's not easy to find a prime q such that 4q = 1 − Δn² for an integer n and q + 2 is also a prime.
Example
For Δ = −11 and u = 257 743 850 762 632 419 871 495,
q = 11u(u + 1) + (11 + 1)/4 = 730 750 818 665 451 459 112 596 905 638 433 048 232 067 471 723
j(OK) = −32³
Example (contd)
E: y² = x³ + ax + b
a = 3(−32³)/(1728 − (−32³)) = 425 706 413 842 211 054 102 700 238 164 133 538 302 169 176 474
b = 2(−32³)/(1728 − (−32³)) = 527 387 882 116 624 522 439 332 460 655 566 708 278 801 941 557
Example (contd)
#E(Fq) = q + 2
BUT
q + 2 = 730 750 818 665 451 459 112 596 905 638 433 048 232 067 471 725= 33 x 52 x 4217 x 20 016 645 573 637x 2413 234 030 223 5314 x607 504 832
341
is not a prime
Twin Prime Conjecture
There are infinitely many primes q such that q + 2 is also prime.
Next?
Find examples of “weak curves”, i.e. twin primes that satisfy the condition in the Main Theorem.
Does the result in this work have any relevance to the ECDLP for elliptic curves whose endomorphism ring is a totally non-maximal order?
References
[1] H. Baier (2002), Efficient algorithms for generating elliptic curves over finite fields suitable for use in cryptography, PhD Dissertation.
[2] I. F. Blake, G. Seroussi, and N. P. Smart (2000), Elliptic curves in cryptography, volume 265 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge.
[3] I. F. Blake, G. Seroussi, and N. P. Smart (2005), Advances in elliptic curve cryptography, volume 317 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge.
[4] J. Buchmann and H. C. Williams (1988), A key exchange system based on imaginary quadratic field, Journal of Cryptology, 1, 107-118.
[5] J. Buchmann (2004), Introduction to cryptography, Springer.
[6] H. Cohen and G. Frey (2006), Handbook of elliptic and hyper elliptic curve cryptography, Hall and Chapman, Taylor and Francis Group.
[7] D. A. Cox (1989), Primes of the forms x² + ny², John Wiley and Sons, New York.
[8] W. Diffie and M. Hellman (1976), New directions in cryptography, IEEE Transactions on Information Theory, 22, 472-492.
[9] A. Enge (2001), Elliptic curves and their applications to cryptography: an introduction, Kluwer Academic Publishers.
[10] D. Hankerson, A. J. Menezes, S. Vanstone (2004), Guide to elliptic curve cryptography, Springer-Verlag, New York.
[11] D. Huhnlein, M. J. Jacobson, S. Paulus and T. Takagi (1998), A cryptosystem based on non-maximal imaginary quadratic order with fast decryption, in Advances in Cryptology, LNCS 1403, Springer, 294-307.
[12] D. Huhnlein, M. J. Jacobson, D. Weber (2003), Towards Practical Non-Interactive Public-Key Cryptosystems Using Non-Maximal Imaginary Quadratics Orders, Designs, Codes and Cryptography, 30, Issue 3, 281-299.
[13] D. Huhnlein, T. Takagi (1999), Reducing logarithms in totally non-maximal imaginary quadratic orders to logarithms in finite fields, ASIACRYPT, 219-231.
[14] N. Koblitz (1987), Elliptic curve cryptosystem, Mathematics of Computation 48, 203-209.
[15] H. W. Lenstra (1996), Complex multiplication structure of elliptic curves, Journal of Number Theory, 56, No. 2, 227-241.
[16] F. Leprevost, J. Monnerat, S. Varrette, S. Vaudenay (2005), Generating anomalous elliptic curves, Information Processing Letters, 93, 225-230.
[17] K. S. McCurley (1988), A Key Distribution System Equivalent to Factoring, Journal of Cryptology 1, 95-105.
[18] V. S. Miller (1986), Use of elliptic curve in cryptography, in Advances in Cryptology - CRYPTO '85, Springer-Verlag, LNCS 218, 417-426.
[19] J. H. Silverman (1986), The arithmetic of elliptic curves, Springer-Verlag, New York.
[20] L. C. Washington (2008), Elliptic curves, number theory and cryptography, Chapman and Hall/CRC, Taylor and Francis Group.
Thank you