Elliptic Curve Cryptography for those who are afraid of maths

Elliptic Curve Cryptographyfor those who are afraid of math(s)

Martijn Grooten, Virus Bulletin@martijn_grooten

BSides San Francisco, 29 February 2016

Disclaimer:

This talk will be useless.

Disclaimer:

This talk will be useless.

I am not a cryptographer.

Disclaimer:

This talk will be useless.

I am not a cryptographer.

Some things are wrong.

Elliptic curves

y2 = x3 + a·x + b

Elliptic curves

y2 = x3 + a·x + b

…and a prime number p.

Elliptic curves

y2 = x3 + a·x + b

…and a prime number p.

choice!

points

points≈numbers

P Q

P Q

P Q

P Q

P+Q

P Q

P+Q

“point addition”

P

P

P

P

P+P

P

2·P

P

“point doubling”2·P

P

2·P

P

2·P

P

2·P

2·P+P

P

2·P

3·P

P

2·P

3·P4·P

P

2·P

3·P4·P

5·P

P

2·P

3·P

“(integer) multiplication”6·P

4·P

5·P

So:

So:We can “add” points to each other.

So:We can “add” points to each other.

We can “multiply” points by an integer.

So:We can “add” points to each other.

We can “multiply” points by an integer.P + Q = Q + P3·P + P = 2·P + 2·P = 4·P5·(7·P) = 7·(5·P)etc.

So:We can “add” points to each other.

We can “multiply” points by an integer.P + Q = Q + P3·P + P = 2·P + 2·P = 4·P5·(7·P) = 7·(5·P)etc.

The points on a curve form an Abelian Group (very exciting!).

From P to 100·P in eight steps

From P to 100·P in eight steps

To go from a point P to 100·P :

From P to 100·P in eight steps

To go from a point P to 100·P :P → 2·P 2·P → 3·P 3·P → 6·P 6·P → 12·P

12·P → 24·P 24·P → 25·P 25·P → 50·P 50·P → 100·P

“Division” is very slow

“Division” is very slow

Given points P and Q, where Q=n·P, the best way to find the number n is to try P, 2·P, 3·P, etc. That is very slow.

“Division” is very slow

Given points P and Q, where Q=n·P, the best way to find the number n is to try P, 2·P, 3·P, etc. That is very slow.

The Discrete Logarithm Problem for elliptic curves.

ECDH (Elliptic Curve Diffie-Hellman)

ECDH (Elliptic Curve Diffie-Hellman)

The challenge: Alice and Bob want to “agree” on a secret key over a public channel.

ECDH (Elliptic Curve Diffie-Hellman)

The challenge: Alice and Bob want to “agree” on a secret key over a public channel.

For example: Alice is a web browser, Bob a web server and they want to exchange a key to encrypt a TLS session.

ECDH (Elliptic Curve Diffie-Hellman)

Alice and Bob have agreed (publicly!) on an elliptic curve and a point P on the curve.

ECDH (Elliptic Curve Diffie-Hellman)

Alice and Bob have agreed (publicly!) on an elliptic curve and a point P on the curve.

Alice chooses secret large random number a.

ECDH (Elliptic Curve Diffie-Hellman)

Alice and Bob have agreed (publicly!) on an elliptic curve and a point P on the curve.

Alice chooses secret large random number a.Bob chooses secret large random number b.

ECDH (Elliptic Curve Diffie-Hellman)

ECDH (Elliptic Curve Diffie-Hellman)

Alice computes a·P (a times the point P) and shares the answer with Bob.

ECDH (Elliptic Curve Diffie-Hellman)

Alice computes a·P (a times the point P) and shares the answer with Bob.Bob computes b·P and shares this too.

ECDH (Elliptic Curve Diffie-Hellman)

Alice computes a·P (a times the point P) and shares the answer with Bob.Bob computes b·P and shares this too.

Alice computes a·(b·P) (a times the point Bob gave her).

ECDH (Elliptic Curve Diffie-Hellman)

Alice computes a·P (a times the point P) and shares the answer with Bob.Bob computes b·P and shares this too.

Alice computes a·(b·P) (a times the point Bob gave her).Bob computes b·(a·P).

ECDH (Elliptic Curve Diffie-Hellman)

Alice computes a·P (a times the point P) and shares the answer with Bob.Bob computes b·P and shares this too.

Alice computes a·(b·P) (a times the point Bob gave her).Bob computes b·(a·P). Secret key: a·(b·P) = b·(a·P)

ECDH (Elliptic Curve Diffie-Hellman)

Homework: find ECDH in Wireshark

Random number generators

Random number generators

True randomness

Random number generators

True randomness

Random number generators

True randomness

Random number generators

True randomness

output

Random number generators

True randomness

output

Random number generators using ECC

Discrete Logarithm Problem:n → n·P

gives “random” points/numbers.

Random number generators using ECC

Discrete Logarithm Problem:n → n·P

gives “random” points/numbers.

n0

Random number generators using ECC

Discrete Logarithm Problem:n → n·P

gives “random” points/numbers.

n0 n1

n0·P

Random number generators using ECC

Discrete Logarithm Problem:n → n·P

gives “random” points/numbers.

n0 n1 n2

n0·P n1·P

Random number generators using ECC

Discrete Logarithm Problem:n → n·P

gives “random” points/numbers.

n0 n1 n2

n0·P n1·P n2·P

Random number generators using ECC

Discrete Logarithm Problem:n → n·P

gives “random” points/numbers.

n0 n1 n2

n0·P n1·P n2·P

n1 n2

Random number generators using ECC

Discrete Logarithm Problem:n → n·P

gives “random” points/numbers.

n0 n1 n2

n0·P n1·P n2·P

n1 n2

n1·P

Random number generators using ECC

Given: elliptic curve with two points P and Q.

Random number generators using ECC

n0

Given: elliptic curve with two points P and Q.

32-byte seed

Random number generators using ECC

n0 n1

Given: elliptic curve with two points P and Q.

n0·P

32-byte seed

Random number generators using ECC

n0 n1

Given: elliptic curve with two points P and Q.

n0·P

n1·Q32-byte seed

30 bytes

Random number generators using ECC

n0 n1 n2

Given: elliptic curve with two points P and Q.

n0·P n1·P

n1·Q32-byte seed

30 bytes

Random number generators using ECC

n0 n1 n2

Given: elliptic curve with two points P and Q.

n0·P n1·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes

Random number generators using ECC

n0 n1 n2

Given: elliptic curve with two points P and Q.

n0·P n1·P n2·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes

Random number generators using ECC

n0 n1 n2

Given: elliptic curve with two points P and Q.

n0·P n1·P n2·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes

Note: ideas from this slide and the next are borrowed from Bernstein, Heninger and Lange (NCSC ‘14).

Random number generators using ECC

Fact: P=d·Q for some (large) number d.

Random number generators using ECC

n0 n1 n2

Fact: P=d·Q for some (large) number d.

n0·P n1·P n2·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes

Random number generators using ECC

n0 n1 n2

Fact: P=d·Q for some (large) number d.

n0·P n1·P n2·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes

216 possibilities

Random number generators using ECC

n0 n1 n2

Fact: P=d·Q for some (large) number d.

n0·P n1·P n2·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes

216 possibilities r1

Random number generators using ECC

n0 n1 n2

Fact: P=d·Q for some (large) number d.

n0·P n1·P n2·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes

216 possibilities r1

d·r1

Random number generators using ECC

n0 n1 n2

Fact: P=d·Q for some (large) number d.

n0·P n1·P n2·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes

216 possibilities r1

d·r1

n2 = n1·P = n1(d·Q)

Random number generators using ECC

n0 n1 n2

Fact: P=d·Q for some (large) number d.

n0·P n1·P n2·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes

216 possibilities r1

d·r1

n2 = n1·P = n1(d·Q)

= d·(n1·Q)

Random number generators using ECC

n0 n1 n2

Fact: P=d·Q for some (large) number d.

n0·P n1·P n2·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes

216 possibilities r1

d·r1

n2 = n1·P = n1(d·Q)

= d·(n1·Q)

= d·r1

So who, if anyone, knows d?

So who, if anyone, knows d?

So who, if anyone, knows d?

“Dual_EC_DRBG”

So who, if anyone, knows d?

“Dual_EC_DRBG”

NB: this RNG is bad for many otherreasons!

What happened at Juniper?

What happened at Juniper?

Juniper used Dual_EC_DRBG (in ScreenOS) but with different P, Q.

What happened at Juniper?

Juniper used Dual_EC_DRBG (in ScreenOS) but with different P, Q.

In theory that is OK, but…

What happened at Juniper?

Juniper used Dual_EC_DRBG (in ScreenOS) but with different P, Q.

In practice… Oops.

In theory that is OK, but…

Anything else up their sleeve?

Anything else up their sleeve?

The widely used curves (P-256 etc.) use “unexplained” constants. We can't exclude that they weren't chosen to create a backdoor.

Anything else up their sleeve?

The widely used curves (P-256 etc.) use “unexplained” constants. We can't exclude that they weren't chosen to create a backdoor.

There probably isn't such a backdoor, but we should aim for “nothing up my sleeve” constants (e.g. Curve25519).

Suggested reading

"A Riddle Wrapped in an Enigma"by Neal Koblitz and Alfred J. Menezes

http://eprint.iacr.org/2015/1018.pdf

ECC: a good idea?

Elliptic curve cryptography is a good idea because we can do with much smaller keys.

ECC: a good idea?

Elliptic curve cryptography is a good idea because we can do with much smaller keys.

256-bit ECC ≈ 3072-bit RSA.

ECC: a good idea?

Elliptic curve cryptography is a good idea because we can do with much smaller keys.

256-bit ECC ≈ 3072-bit RSA.

Elliptic curve crypto uses complicated maths. That is its biggest weakness.

Thank you!

@martijn_grootenmartijn.grooten@virusbtn.com

www.virusbulletin.com

PS “How Broken Is Our Crypto Really?” 3 March, 8:00am, room 2005 @ RSA.

Thank you!

@martijn_grootenmartijn.grooten@virusbtn.com

www.virusbulletin.com

PS “How Broken Is Our Crypto Really?” 3 March, 8:00am, room 2005 @ RSA.