Embed Size (px)
Citation preview
橢圓曲線密碼技術
交通大學 資訊工程系
陳榮傑
http://www.cs.nctu.edu.tw/~rjchen/ECC2012S/
p2.
Outline
[1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm [3] Cryptosystems Based on DLP [4] Elliptic Curves [5] Elliptic Curve DLP [6] Signature Scheme: ECDSA [7] How to find secure ECs? [8] Hyperelliptic Curves [9] ID-based Cryptosystems [10] Pairing-based Cryptography
p3.
Let G is a finite cyclic group of size n generated by generator g, i.e.
G = <g> = {g i | i = 1, 2, …, n} or {g i | i = 0, 1, …, n-1}
Given g and i, it is easy to compute gi by repeated squaring
Discrete logarithm problem
Given , find x such that
We denote
[1] Discrete Logarithm Problem
Ga ag x
)ind ( log gaorax g
p4.
Example 1G = Z19
*= { 1, 2, …, 18}
n=18, generator g = 2
then log214 = 7
log26 = 14
i123456789ig2481613714918
10 11 12 13 14 15 16 17 18
17 15 11 3 6 12 5 10 1
p5.
Example 2
G=GF*(23) with irreducible poly.
p(x)=x3+x+1
G=Zn*/p(x)={ 1, x, x2, 1+x, 1+x2, x+x2,
1+x+x2 }
n=7, generator g = x
then logx(x+1) = 3 logx(x2+x+1) = 5 logx(x2+1) = 6
i 1 2 3 4 5 6 7ig x 2x 1x xx2 12 xx 12x 1
p6.
Example 3Let p
=105354628039501697530461658293395873194887181492
5913489342608734258717883575185867300386287737705
5779373829258737624519904504306613508596826974102
5626827114728303489756321430023716636917406661590
7176472549470083113107138189921280884003892629359
NB: p = 158(2800 + 25) + 1 and has 807 bits.
Find x in Z, such that
2x = 3 mod p
p7.
[2] Algorithms for Discrete Logarithm
trivial algorithm Shanks’ algorithm (Baby-step giant-
step) Pollard rho discrete log algorithm Pohlig-Hellman algorithm The index calculus method*
p8.
The index calculus method
The index calculus method (Suitable only for G=Zp*)
base.factor in the elements theof logarithms
discrete theof knowledge theusing a,element
desired a of logarithm discrete thecompute To
step) (2nd
}.p ..., ,p ,{p
base.factor
in the primes B theof logarithms discrete thefind To
step)(1st
B21
p9.
Example
log59451 mod 10007=?
Choose B={2, 3, 5, 7}. Of course log55=1.
Use lucky exponents 4063, 5136, and 9865 54063 mod 10007 = 42 = 2 * 3 * 7 55136 mod 10007 = 54 = 2 * 33
59865 mod 10007 = 189 = 33 * 7 And we have three congruences: log52 + log53 + log57 = 4063 mod 10006
log52 + 3 log53 = 5136 mod 10006
3 log53 + log57 = 9865 mod 10006
p10.
There happens to be a unique solution modulo 10006
log52=6578, log53=6190, and log57=1301
Choose random exponent s = 7736 and try to calculate
ags = 9451*57736 mod 10007 = 8400
Since 8400 = 24*3*52*7 factors over B, we obtain
log59451 = (4 log52 + log53 + 2 log55 + log57 – s) mod 10006
= (4*6578 + 6190 + 2*1 +1301 – 7736) mod 10006
= 6057 mod 10006
p11.
Complexity of Index Calculus
For factoring and the discrete logarithm problem in finite fields Fq* there are index calculus algorithm
(implemented with Number Field Sieve technique)
These have subexponential complexity O(exp(c(lnN)1/3(lnlnN)2/3))
p12.
[3] Cryptosystems based on DL
Key Distribution Diffie-Hellman, 1976
Encryption Massey-Omura cryptosystem, 1983
Digital Signature ElGamal, 1985
p13.
Diffie-Hellman Key Exchange Algo Global Public Elements
q : prime number α: α< q and α is a primitive root of
q User A Key Generation
Select private XA : XA< q Calculate public YA : YA= αXA mod q
User B Key Generation Select private XB : XB< q Calculate public YB : YB= αXB mod q
Generation of Secret Key by User A K = (YB)XA mod q
Generation of Secret Key by User B K = (YA)XB mod q
p14.
User A User B
Generate random XA < q ;Calculate YA = αXA mod q
Calculate K = (YB)XA mod q
Generate random XB < q ;Calculate YB = αXB mod qCalculate K = (YA)XB mod q
YA
YB
Diffie-Hellman Key Exchange
p15.
Massey-Omura for message transmission
Parameters q : prime number e : a random private integer
• 0 < e < q and gcd ( e, q-1) = 1 d : an inverse of e
• d = e-1 mod q-1 , i.e., de≡1 mod q-1 M : a message to be encrypted and
decrypted User A wants to send a message M to User B
User A : eA and dA are both private User B : eB and dB are both private
p16.
User A User B
1.Encryption(1) C1 = M eA mod q
3.Encryption(3) C3 = C2
dA
= (M eAeB)dA
= M eB mod q
2.Encryption(2) C2 = C1
eB
= M eAeB mod q
4. Decryption M = C3
dB
= M eBdB mod q
Massey-Omura for message transmission
C1
C2
C3
p17.
ElGamal signature scheme
1985 ElGamal Parameters
p : a large prime α: a primitive number in GF(p) x : a private key, x [1, p-1] y : a public key , y = αx (mod p) m : a message to be signed , m [1, p-1] k : a random integer that is privately selected, k [0, p-
2] Signature
r = αk mod p m = ks + rx mod φ(p) ,where GCD( k, φ(p) ) = 1 ( m , (r,s) ) is sent to the verifier
Verification αm = rs yr mod p The signature (r,s) is accepted when the equality holds
true.
p18.
ElGamal encryption scheme
Parameters p : a large prime α: a primitive number in GF(p) a : a private key, a [1, p-1] β : a public key , β = αa (mod p) m : a message to be signed , m [1, p-1] k : a random integer that is privately
selected, k [0, p-2] K = (p, α, a, β) : public key + private key
Encryption eK(m, k)=(y1, y2)
where y1 = αk mod p and y2=mβk mod p Decryption
m = dK(y1, y2) = y2(y1a)-1 mod p
p19.
(xP+Q, yP+Q)
(xP+Q, yP+Q)
[4] Elliptic Curves
Over Fields of Characteristic p>3 Curve form
E: Y2 = X3 + aX + b where a, b Fq, q = pn
4a3+27b2≠0 Group operation
given P1(x1,y1) and P2(x2,y2)
compute P3(x3,y3) = P1+P2
PQ
P+Q
p20.
Example: 0123 b,a,p
}O{}xxy:Z)y,x{()Z(E b,a 3222323
P
-P
Q
P+Q
Example of EC over GF(p)
p21.
Addition (P1P2)
Doubling (P1=P2) 13313
212
3
12
1
)( yxxxy
xxx
xx
yy
2
13313
12
3
1
21
)(
2
2
3
yxxxy
xx
y
ax
Computational CostI + 3 M
Computational CostI + 4 M
p22.
Over Fields of Characteristic 2 Curve form
E: Y2 + XY = X3 + aX2 + b where a, b Fq, b≠0, q = 2n
Group operationgiven P1(x1,y1) and P2(x2,y2)
compute P3(x3,y3) = P1+P2
p23.
Example of EC over GF(2m)
1)(, 4 xxxp)(/][)2( 2 xpxZGF m
1 : 2432 xgxxyyE
)0001(1
)0011(0
4
g
g
p24.
Addition (P1P2)
Doubling (P1=P2)
13313
212
3
12
1
)( yxxxy
axxx
xx
yy
2
13313
23
11
1
)( yxxxy
ax
xx
y
Computational CostI + 2 M + S
Computational CostI + 2 M + S
p25.
[5] Elliptic Curve DLP
Basic computation of ECC
Q = kP = where P is a curve point, k is an integer
Strength of ECC Given curve, the point P, and kP
It is hard to recover k- Elliptic Curve Discrete Logarithm Problem (ECDLP)
timesk
P...PP
p26.
Security of ECC versus RSA/ElGamal
Elliptic curve cryptosystems give the most
security per bit of any known public-key scheme.
The ECDLP problem appears to be much more
difficult than the integer factorisation problem
and the discrete logarithm problem of Zp. (no
index calculus algo!)
The strength of elliptic curve cryptosystems
grows much faster with the key size increases
than does the strength of RSA.
p27.
Elliptic Curve Security
Symmetric Key Size
(bits)
RSA and Diffie-Hellman
Key Size (bits)
Elliptic Curve Key Size
(bits)
80 1024 160
112 2048 224
128 3072 256
192 7680 384
256 15360 521
NIST Recommended Key Sizes
p28.
ECC Benefits
ECC is particularly beneficial for application where:
computational power is limited (wireless devices, PC cards)
integrated circuit space is limited (wireless devices, PC cards)
high speed is required. intensive use of signing, verifying or authenticating is
required. signed messages are required to be stored or
transmitted (especially for short messages). bandwidth is limited (wireless communications and
some computer networks).
p29.
[6] Signature Scheme: ECDSA
Digital Signature Algorithm (DSA)
Proposed in 1991 Was adopted as a standard on December 1,
1994
Elliptic Curve DSA (ECDSA)
FIPS 186-2 in 2000
p30.
Digital Signature Algorithm (DSA)
Let p be a L-bit prime such that the DL problem in Zp* is intractable, and let q be
a 160-bit prime that divides p-1. Let α be a qth root of 1 modulo p.
Define K={ (p,q,α,a,β): β=αa mod p }
p,q,α,β are the public key, a is private
L=0 mod 64, 512≤L≤1024
p31.
For a (secret) random number k, definesig (x,k)=(γ,δ), where
γ=(αk mod p) mod q andδ=(SHA-1(x)+aγ)k-1 mod q
For a message (x,(γ,δ)), verification is done by performing the following computations:
e1=SHA-1(x)*δ-1 mod q
e2=γ*δ-1 mod q
ver(x,(γ,δ))=true iff. (αe1βe2 mod p) mod q=γ
p32.
Elliptic Curve DSA
Let p be a prime, and let E be an elliptic curve defined over Fp. Let A be a point on E having prime order q, such that DL problem in <A> is infeasible.
Define K={ (p,q,E,A,m,B): B=mA }
p,q,E,A,B are the public key, m is private
p33.
For a (secret) random number k, define sigk(x,k)=(r,s),
where kA=(u,v), r=u mod q and
s=k-1(SHA-1(x)+mr) mod q
For a message (x,(r,s)), verification is done by performing the following computations:
i=SHA-1(x)*s-1 mod q
j=r*s-1 mod q
(u,v)=iA+jB
ver(x,(r,s))=true if and only if u mod q=r
p34.
[7] How to find secure elliptic curves ?
(1) Randomly choose a, b, p and calculate #Elliptic curve (y2=x3+ax+b) until #E = a prime q, where #E is calculate by using Schoof-
Elkies-Atkin algorithm
(2) (Complex multiplication method) Given a big prime q, find p, a, b such that #Elliptic curve (y2=x3+ax+b) = q
p35.
[8] Hyperelliptic Curves
1. Definition of HC
2. Example of HC
(rational points of HC do not form a
group)
3. Divisor
4. Jacobian (Jacobian is a group)
5. HCDLP
p36.
Definitions of hyperelliptic curves
A hyperelliptic curve C of genus g over a
finite field K (g≧1)
C : y2 + h(x)y = f(x)
where
h(x) ∈ K[x] is a polynomial of degree at most g,
f(x) ∈ K[x] is a monic polynomial of degree 2g+1.
Elliptic curves are hyperelliptic curves of
genus 1.
p37.
Group law in an elliptic curve
y2=x3-x over R
?-RP+Q=
PQ
R
PQ
R
-R
p38.
Example: Hyperelliptic curve
A genus 2 hyperelliptic curve over R:C: y2 = x5 -5x3+ 4x = x(x+1)(x-1)(x+2)(x-2)
The rational points on C do not form a group.
p39.
Divisors
Definition : (divisor, degree) A divisor D is a formal sum of points in C:
The degree of D,
The set of all divisors, denoted D, forms an additive group under the addition rule:
D0(K) is the subgroup of all divisors defined over K and of degree 0.
, p pP C
D m P m
deg pP C
D m
( )p p p PP C P C P C
m P n P m n P
D1=2P1+P2-3∞D2= P1+P3
deg(D1) =2+1-3=0deg(D2) =1+1=2
D1+D2
=3P1+P2+P3-3∞
p40.
Principal divisor
Definition : (principal divisors) Let R ∈K(C) be a rational function.
The divisor of R is called a principal divisor :
In fact, degree of a principal divisor is 0.
The set of all principal divisors, denoted P(K), is a subgroup of D0(K).
( ) ( )PP C
div R ord R P
C: y2 = x5 -5x3+ 4x
•
• x-1
3x +x+(x+1)y
x y
Q1=(1, 0) on Cdiv(x-1) = 2Q1-2∞
p41.
Jacobian
Definition: (Jacobian)
The quotient group JC(K) = D0/P is called the
Jacobian of the curve C.
If D1, D2 ∈ D0 and D1-D2 ∈ P, then D1 and D2
are said to be equivalent divisors; we write
D1~D2.
p42.
Group law in HC
A genus 2 hyperelliptic curve over R:C: y2 = x5 -5x3+ 4x
y=a3x3+a2x2+a1x+a0
P1
P2
P4
5 6( 2 )P P 1 2 3 4( 2 ) ( 2 )P P P P ?
P3
P5’
P6’
P6
P5
x-x5=0
x-x6=0
p43.
HCDLP
HCDLP:
(hyperelliptic curve discrete logarithm
problem)
Let a divisor D1 in JC(Fq) with known order
N,
and D2 in <D1>
To find an integer λ s.t. D2 = λD1 is hard.
p44.
[9] ID-based Cryptosystem
Private Key Generator(PKG)
BobAlice
Authentication(IDBob)KRIDBob
(params, IDBob) KRIDBob
IDBob is arbitrary and meaningfulex: [email protected]
or 0912345678
Setup generate params and master key
Extract generate KRIDBob by IDBob and master key
Encrypt
Verify
or
Decrypt
Sign
or
p45.
Certificate-based Cryptosystem
Certificate Authority(CA)
BobAlice
Authentication(KUBob)
Certificate(Bob, KUBob)
Certificate(Bob, KUBob)
Encrypt
KUBob
Decrypt
KRBob
KUBob is random
Verify Sign
or or
p46.
ID-based Encryption Scheme
Proposed by Boneh and Franklin (Crypto 2001) First complete and efficient scheme
Bilinear PairingG1: additive group generated by P, ord(P)=q
G2: multiplicative group with same order q
Assume that DLP in G1 and G2 are hard
Let e: G1xG1 G2 satisfies:
1. Bilinear: e(P1+P2,Q)=e(P1,Q)e(P2,Q)
e(P,Q1+Q2)=e(P,Q1)e(P,Q2)
2. Non-degenerate: P,Q G1, s.t e(P,Q)1
3. Computability Bilinear Diffie-Hellman (BDH) Assumption
Given P, aP, bP, cP G1 , compute e(P, P)abc is HARD!
p47.
ID-based Encryption Scheme
ID-based Encryption Setup:
(1) Choose P E/Fp of order q
(2) Pick a random s Zq* and set
Ppub= sP
(3) Two hash functions: H1: {0,1}* G*1 (MapToPoint)
H2: G2 {0,1}n for some n Extract:
Given a ID {0,1}*, build private key SID as follows:
QID = H1(ID)
Set dID=sQID , where s is the master key
System: k-bit prime p p=2 mod 3, p=6q-1 E: y2=x3+1 over Fp
Params: <p, q, P, Ppub, H1, H2>Master-key: s
p48.
Encrypt:Use MapToPoint to map ID to QID
choose a random r Zq*
C = < rP, M H2(e(QID, Ppub)r) > Decrypt:
Let C=< U, V > , if U is not a point of order q then rejectM = V H2(e(dID, U))
e(dID, U)= e(sQID, rP)= e(QID, P)sr= e(QID, sP)r= e(QID, Ppub)r
dID=sQI
D
Ppub=sP
ID-based Encryption Scheme
p49.
(Def) Weil pairing where is called the m-
torsion group, Um is the group of the mth roots of unity
Given P, QE [m], DP, DQDiv 0 such that
DP ~ (P) – (O) and DQ ~ (Q) – (O). Also, fP , fQ such that div (fP) = m DP and div (fQ) = m DQ.
Suppose supp (DP) supp (DQ) =
Then
Weil Pairing
mUmEmE ][][:e} PO,P|P{][ EmmE
)D(
)D()Q,P(
PQ
QP
f
fe
p50.
End-to-end security for SMS (short message service)
RSA Mechanism
User A User BPublic Key Directory
(1) Public Key Request
(3) Encrypted Short Message
(2) Public Key Response
End-to-endSecurity
Service Provider
p51.
ID-based Mechanism
SIM Card
Message
B’s phone number (0912345678)
Cipher
Private Key Generator(PKG)
ID-based Encryption
ID-based Decryption
SIM Card
Cipher
MessageID-based Encryption
ID-based Decryption
KR
SIM CardKR
ID=0912345678
(1)
(2)
(3)
(4)
(5)
(6)
(7)
User A User B (0912345678)
(8)
GSM Network
End-to-end security for SMS
p52.
[10] Pairing-based Cryptography
1. Implementation of Pairings
Bilinear paring
e: G1 x G2 GT
G1, G2 : prime-order subgroups of an elliptic curve E
over GF(qk)
GT : prime-order subgroup of GF(qk)*
k is the embedding degree of E (w.r.t. r=#E(GF(q)))
k is the smallest positive integer s.t. r | qk - 1
p53.
Various pairings:
Weil pairing
Tate pairing
Eta pairing
Ate pairing
Generalized Ate pairing
p54.
2. Use of parings in cryptography
Attack on ECDLP (MOV attack)
One-round 3-way key exchange (Joux)
IDE (Boneh-Franklin)
Short digital signature (Boneh-Lynn-
Shacham)
Other applications: Group signatures,
Bach signatures, aggregate signatures,
threshold cryptography, authenticated
encryption, broadcast encryption, etc.
p55.
3. Constructing pairing-friendly curves
Want k large enough so that DLP in GF(qk)* is
computational infeasible, but small enough so that
pairing is easy to compute.
Cock-Pinch strategy
MNT strategy
Dupon-Enge-Morain strategy
* Brezing-Weng strategy
Scott-Barreto strategy
