Intelligent Internet of Things Systems - Elliptic Curve Cryptography -
Howon Kim
2019. 3
Introduction to Elliptic Curves
2
Graphical Representation
[Figure: a curve plotted against the X axis and Y axis]
Curves of this nature
are called elliptic curves
3
Elliptic Curve (EC) systems as applied to cryptography were first proposed in 1985 independently by Neal Koblitz and Victor Miller.
The discrete logarithm problem on elliptic curve groups is believed to be more difficult than the corresponding problem in (the multiplicative group of nonzero elements of) the underlying finite field.
Elliptic Curves in Cryptography
4
Discrete Logarithms in Finite Fields
F = {1, 2, 3, …, p-1}
Alice: pick secret, random x from F; send $g^x \bmod p$ to Bob
Bob: pick secret, random y from F; send $g^y \bmod p$ to Alice
Alice: compute $k = (g^y)^x = g^{xy} \bmod p$
Bob: compute $k = (g^x)^y = g^{xy} \bmod p$
Eve has to compute $g^{xy}$ from $g^x$ and $g^y$ without knowing x and y…
She faces the Discrete Logarithm Problem in finite fields
5
Ref) Discrete Logarithm Problem
6
Discrete Logarithm Problem
Let $G$ be any group, written multiplicatively for the moment, and let $a, b \in G$.
Suppose we know that $a^k = b$ for some integer $k$.
In this context, the DLP is again to find $k$.
$G$ could be the multiplicative group $F_q^*$ of a finite field.
Also, $G$ could be $E(F_q)$ for some elliptic curve, in which case $a$ and $b$ are points on $E$
and we are trying to find an integer $k$ with $ka = b$.
Consider $y^2 = x^3 + 2x + 3 \pmod 5$
x = 0: $y^2 = 3$, no solution (mod 5)
x = 1: $y^2 = 6 = 1$, y = 1, 4 (mod 5)
x = 2: $y^2 = 15 = 0$, y = 0 (mod 5)
x = 3: $y^2 = 36 = 1$, y = 1, 4 (mod 5)
x = 4: $y^2 = 75 = 0$, y = 0 (mod 5)
Then points on the elliptic curve are
(1,1), (1,4), (2,0), (3,1), (3,4), (4,0)
and the point at infinity:
Using the finite fields we can form an Elliptic Curve Group
where we also have a DLP problem which is harder to solve…
Elliptic Curve on a finite set of Integers
7
An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with a rational point (which may be a point at infinity).
The field K is usually taken to be the complex numbers, reals, rationals, algebraic extensions of rationals, p-adic numbers, or a finite field.
Elliptic curve groups for cryptography are examined with the underlying fields of $F_p$ (where p > 3 is a prime) and $F_{2^m}$ (a binary representation with $2^m$ elements).
8
Definition of Elliptic curves
An elliptic curve is a plane curve defined by an equation of the form
$y^2 = x^3 + Ax + B$
Examples
9
General form of a EC
The Elliptic curve E is the graph of an equation of the form
Generalized Weierstrass Equation of elliptic curves:
$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$
10
Weierstrass Equation
If $K$ is a field with $A, B \in K$, then we say that $E$ is defined over $K$.
11
Singular Point
A singular point of an algebraic curve is a point where the curve has "nasty" behavior such as a cusp or a point of self-intersection (when the underlying field $K$ is taken as the reals).
More formally, a point $(a, b)$ on a curve $f(x, y) = 0$ is singular if the $x$ and $y$ partial derivatives of $f$ are both zero at the point $(a, b)$.
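Added example (not from the original slides): the check below enumerates the points of the mod-5 example above and applies the non-singularity condition from the definition and the Singular Point slide. For $y^2 = x^3 + 2x + 3$ over $F_5$ it reproduces the six listed points but also reports discriminant 0 and a singular point at (4, 0), so that example does not meet the nonsingular requirement. The function names and the second parameter set ($y^2 = x^3 + 2x + 2$ over $F_{17}$) are assumptions chosen for illustration.

```python
# Added example, not from the slides. Assumes p is prime; names are illustrative.

def affine_points(A, B, p):
    """All (x, y) in F_p x F_p with y^2 = x^3 + A*x + B (mod p)."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + A * x + B)) % p == 0]

def discriminant(A, B, p):
    """4A^3 + 27B^2 mod p; zero exactly when x^3 + A*x + B has a repeated root."""
    return (4 * A ** 3 + 27 * B ** 2) % p

def singular_points(A, B, p):
    """Points of f(x, y) = y^2 - x^3 - A*x - B = 0 where both partial
    derivatives, f_x = -(3x^2 + A) and f_y = 2y, are zero mod p."""
    return [(x, y) for (x, y) in affine_points(A, B, p)
            if (3 * x * x + A) % p == 0 and (2 * y) % p == 0]

def is_valid_curve(A, B, p):
    """Parameter check to run before (A, B, p) is used for cryptography."""
    return p > 3 and discriminant(A, B, p) != 0

if __name__ == "__main__":
    for A, B, p in [(2, 3, 5), (2, 2, 17)]:   # slide example, assumed toy curve
        print(p, affine_points(A, B, p), discriminant(A, B, p),
              singular_points(A, B, p), is_valid_curve(A, B, p))
```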
Elliptic Curve over field L
It is useful to add the point at infinity
The point is sitting at the top of the y-axis and any line is said to pass through the point when it is vertical
It is at both the top and the bottom of the y-axis
$E(L) = \{\infty\} \cup \{(x, y) \in L \times L \mid y^2 + \dots = x^3 + \dots\}$
12
Points on the Elliptic Curve (EC)
13
The Abelian Group
Given two points P, Q in $E(F_p)$, there is a third point, denoted by P + Q, on $E(F_p)$, and the following relations hold for all P, Q, R in $E(F_p)$:
P + Q = Q + P (commutativity)
(P + Q) + R = P + (Q + R) (associativity)
P + O = O + P = P (existence of an identity element)
there exists (−P) such that −P + P = P + (−P) = O (existence of inverses)
14
Abelian Group ?
15
The Group Law
We could start with two points, or even one point, on an elliptic curve,
and produce another point.
< Adding Points on an EC >
In the case $P_1 \neq P_2$, $x_1 \neq x_2$
16
The Group Law
< Adding Points on an EC >
$y^2 = x^3 + Ax + B$
17
The Group Law
< Adding Points on an EC >
$y^2 = x^3 + Ax + B$
18
The Group Law
In the case $P_1 \neq P_2$ but $x_1 = x_2$, $y_1 \neq y_2$
19
The Group Law
$P_1 = P_2 = (x_1, y_1)$
$y^2 = x^3 + Ax + B$
20
The Group Law
2P
21
The Group Law – Summary
2 1P P
22
The Abelian Group – Theorem
(2.1) $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$
[Figure: the curve $y^2 = x^3 + Ax + B$ on x and y axes]
Let $P \neq Q$, with $P = (x_1, y_1)$, $Q = (x_2, y_2)$ and $R = (P + Q) = (x_3, y_3)$.
$y = m(x - x_1) + y_1$; $m = \frac{y_2 - y_1}{x_2 - x_1}$
To find the intersection with E, we get
$(m(x - x_1) + y_1)^2 = x^3 + Ax + B$
or, $0 = x^3 - m^2 x^2 + \dots$
So, $x_3 = m^2 - x_1 - x_2$
$y_3 = m(x_1 - x_3) - y_1$
23
Addition in Affine Co-ordinates
Let $P = Q$.
$2y \frac{dy}{dx} = 3x^2 + A$
$m = \frac{dy}{dx} = \frac{3x_1^2 + A}{2y_1}$
If $y_1 \neq 0$ (since then $P_1 + P_2 = \infty$):
$0 = x^3 - m^2 x^2 + \dots$
$x_3 = m^2 - 2x_1$, $y_3 = m(x_1 - x_3) - y_1$
What happens when $P_2 = \infty$?
24
Doubling of a point
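Define, for two points $P(x_1, y_1)$ and $Q(x_2, y_2)$ on the elliptic curve,
$\lambda = \frac{y_2 - y_1}{x_2 - x_1}$ for $x_1 \neq x_2$
$\lambda = \frac{3x_1^2 + a}{2y_1}$ for $x_1 = x_2$
Then P + Q is given by $R(x_3, y_3)$:
$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda(x_1 - x_3) - y_1$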
25
Sum of two points
P+P = 2P
Point at infinity O
As a result of the above case P=O+P
O is called the additive identity of
the elliptic curve group.
Hence all elliptic curves have an
additive identity O.
26
Introduction to Elliptic Curves
Elliptic Curve Cryptosystems
Implementation of ECC in Binary Fields
27
Agenda
28
Scalar multiplication
Elliptic Curves over Finite Fields
29
30
EC over Finite Fields
31
EC over Finite Fields
Since the sum of three roots is $-(-4) = 4$, the third root is $x = 4$. ($3 + 2 + x \equiv 4 \pmod 5$.)
Applications of ECC
32
Secrecy: Only B can Decrypt
the message
Authentication: Only A can
generate the encrypted message
33
Public Key Cryptography
34
Public Key Cryptography
35
Public Key Cryptography
Elliptic curve cryptography [ECC] is a public-key
cryptosystem just like RSA, Rabin, and El Gamal.
Every user has a public and a private key.
Public key is used for encryption/signature verification.
Private key is used for decryption/signature generation.
Elliptic curves are used as an extension to other
current cryptosystems.
Elliptic Curve Diffie-Hellman Key Exchange
Elliptic Curve Digital Signature Algorithm
36
What is ECC?
The central part of any cryptosystem involving elliptic
curves is the elliptic group.
All public-key cryptosystems have some underlying
mathematical operation.
RSA has exponentiation (raising the message or ciphertext
to the public or private values)
ECC has point multiplication (repeated addition of two
points).
37
Using Elliptic Curves In Cryptography
38
Diffie-Hellman Key Exchange
39
Diffie-Hellman Key Exchange
40
Diffie-Hellman Key Exchange
Public: Elliptic curve and point B=(x,y) on curve
Secret: Alice’s a and Bob’s b
Alice, A Bob, B
a(x,y)
b(x,y)
Alice computes a(b(x,y))
Bob computes b(a(x,y))
These are the same since ab = ba
41
ECC Diffie-Hellman
Alice and Bob want to agree on a shared key.
Alice and Bob compute their public and private keys.
Alice
Private Key = a
Public Key = PA = a * B
Bob
Private Key = b
Public Key = PB = b * B
Alice and Bob send each other their public keys.
Both take the product of their private key and the other user’s public key.
Alice KAB = a(bB)
Bob KAB = b(aB)
Shared Secret Key = KAB = abB
42
Example – Elliptic Curve Diffie-Hellman Exchange
43
Digital Signature Algorithm
44
ECDSA
45
ECDSA
1 1 1 1Since , ( ) ( ( )( ) )s k m ax s k m axm ax G m xa G kG
How do we analyze Cryptosystems?
How difficult is the underlying problem that it is
based upon
RSA – Integer Factorization
DH – Discrete Logarithms
ECC - Elliptic Curve Discrete Logarithm problem
How do we measure difficulty?
We examine the algorithms used to solve these problems
46
Why use ECC?
To protect a 128 bit
AES key it would take a:
RSA Key Size: 3072 bits
ECC Key Size: 256 bits
How do we strengthen
RSA?
Increase the key length
Impractical?
47
Security of ECC
Many devices are small and have limited storage and computational power
Where can we apply ECC?
Wireless communication devices
Smart cards
Web servers that need to handle many encryption sessions
Any application where security is needed but lacks the power, storage and computational power that is necessary for our current cryptosystems
48
Applications of ECC
Same benefits of the other cryptosystems:
confidentiality, integrity, authentication and non-
repudiation but…
Shorter key lengths
Encryption, Decryption and Signature Verification
speed up
Storage and bandwidth savings
49
Benefits of ECC
“Hard problem” analogous to discrete log Q=kP, where Q,P belong to a prime curve
given k,P “easy” to compute Q
given Q,P “hard” to find k
known as the elliptic curve logarithm problem
k must be large enough
ECC security relies on elliptic curve logarithm problem
compared to factoring, can use much smaller key sizes than with RSA etc
for similar security ECC offers significant computational advantages
50
Summary of ECC
Introduction to Elliptic Curves
Elliptic Curve Cryptosystems
Implementation of ECC in Binary Fields
51
Agenda
Implementation of ECC in Binary Fields
52
ECC
Point multiplication:
kP
Group operation: point add/double
Finite field arithmetic: multiplication, addition, subtraction, inversion, …
Parallelize the architectures
Level 0
Level 1
Level 2
Level 3
53
ECC Operations : Hierarchy
54
Exponentiation ($x^n$)
55
Point (Scalar) multiplication on ECC
56
Montgomery’s ladder for Exponentiation
Ref) Handbook of Elliptic and Hyperelliptic Curve Cryptography, CH9
57
Montgomery’s ladder on ECC
Ref) Handbook of Elliptic and Hyperelliptic Curve Cryptography, CH13
At each step, one performs one addition and one doubling, which makes this method interesting against side-channel attacks!
Input: k > 0, P
Output: Q = kP
1. Set k <- $(k_{l-1}, \dots, k_1, k_0)_2$
2. Set P1 = P, P2 = 2P
3. For i from l-2 to 0
   If $k_i$ = 1,
      Set P1 = P1 + P2, P2 = 2P2
   else
      Set P2 = P2 + P1, P1 = 2P1
4. Return Q = P1
Invariant Property:
P = P2 - P1
Question: How to implement the
Operation efficiently?
58
Montgomery’s method to perform scalar multiplication
Compute 7P
7 = $(111)_2$
Initialization:
P1 = P; P2 = 2P
Steps:
P1 = 3P, P2 = 4P
P1 = 7P, P2 = 8P
Compute 6P
6 = $(110)_2$
Initialization:
P1 = P; P2 = 2P
Steps:
P1 = 3P, P2 = 4P
P2 = 7P, P1 = 6P
59
Example
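Added example (not from the original slides): the affine addition formulas, the ECC Diffie-Hellman exchange and the Montgomery ladder from the slides above, run together on one small curve, with a trace of group operations to show what "one addition and one doubling" per step means next to plain double-and-add. The curve $y^2 = x^3 + 2x + 2$ over $F_{17}$, the base point G = (5, 1) of order 19, the secrets 3 and 10, and all function names are assumptions for illustration and offer no security.

```python
# Added example, not from the slides. Toy parameters, assumed and insecure:
# y^2 = x^3 + 2x + 2 over F_17, base point G = (5, 1) of order 19.
P_MOD, A, G = 17, 2, (5, 1)
ops = []  # trace of group operations: "A" = add, "D" = double

def add(P, Q):
    """Affine group law (slides' m, x3, y3); None is the point at infinity."""
    ops.append("D" if P == Q else "A")
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None  # vertical line: P + (-P) = O
    if P == Q:
        m = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        m = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (m * m - x1 - x2) % P_MOD
    return (x3, (m * (x1 - x3) - y1) % P_MOD)

def ladder(k, P):
    """Montgomery ladder, k > 0: one add and one double for every bit."""
    P1, P2 = P, add(P, P)
    for bit in bin(k)[3:]:  # bits k_(l-2) .. k_0
        if bit == "1":
            P1, P2 = add(P1, P2), add(P2, P2)
        else:
            P2, P1 = add(P2, P1), add(P1, P1)
    return P1

def double_and_add(k, P):
    """Left-to-right binary method: the add runs only for 1 bits."""
    Q = None
    for bit in bin(k)[2:]:
        Q = add(Q, Q)
        if bit == "1":
            Q = add(Q, P)
    return Q

def trace(method, k, P):
    """Sequence of adds and doubles that method performs for scalar k."""
    ops.clear()
    method(k, P)
    return "".join(ops)

def ecdh(a, b):
    """Returns (key Alice derives, key Bob derives) for secrets a and b."""
    PA, PB = ladder(a, G), ladder(b, G)  # public keys aG and bG
    return ladder(a, PB), ladder(b, PA)
```

The matching ladder traces for 6 and 7 show only the sequence of group operations; Python integers and the branch on each key bit are not constant-time, so this illustrates the ladder's structure rather than a hardened implementation.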
60
Non-adjacent form (NAF) method
Ref) Guide to Elliptic Curve Cryptography, page 98
q- on an elliptic curve is just as efficient as addition over P
61
Non-adjacent form (NAF) method
Non-adjacent form
The non-adjacent form (NAF) of a number is a unique signed-digit representation.
Like the name suggests, non-zero values cannot be adjacent. For example:
$(0\ 1\ 1\ 1)_2 = 4 + 2 + 1 = 7$
$(1\ 0\ {-1}\ 1)_2 = 8 - 2 + 1 = 7$
$(1\ {-1}\ 1\ 1)_2 = 8 - 4 + 2 + 1 = 7$
$(1\ 0\ 0\ {-1})_2 = 8 - 1 = 7$
All are valid signed-digit representations of 7, but only the final representation (1 0 0 -1) is in NAF.
Ref) Guide to Elliptic Curve Cryptography, page 98
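Added example (not from the original slides): a NAF digit generator with checks for the properties stated above, applied to the four representations of 7. The function names are illustrative; `additions` counts the point additions or subtractions a double-and-add pass over the digits would need.

```python
# Added example, not from the slides; names are illustrative.

def naf(k):
    """NAF digits of k > 0, most significant first, each in {-1, 0, 1}."""
    digits = []
    while k > 0:
        if k & 1:
            d = 2 - (k % 4)   # +1 if k = 1 mod 4, -1 if k = 3 mod 4
            k -= d            # k is now divisible by 4, so the next digit is 0
        else:
            d = 0
        digits.append(d)
        k >>= 1
    return digits[::-1]

def value(digits):
    """Integer represented by signed binary digits, most significant first."""
    n = 0
    for d in digits:
        n = 2 * n + d
    return n

def is_naf(digits):
    """True when no two neighbouring digits are both non-zero."""
    return all(a == 0 or b == 0 for a, b in zip(digits, digits[1:]))

def additions(digits):
    """Point additions/subtractions needed by a double-and-add pass over
    these digits: one per non-zero digit after the leading digit."""
    return sum(1 for d in digits[1:] if d != 0)

if __name__ == "__main__":
    for rep in ([0, 1, 1, 1], [1, 0, -1, 1], [1, -1, 1, 1], [1, 0, 0, -1]):
        print(rep, value(rep), is_naf(rep))
    print(naf(7), additions(naf(7)), additions([1, 1, 1]))
```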
62
Non-adjacent form (NAF) method
Ref) Guide to Elliptic Curve Cryptography, page 99
63
Window method
Ref) Guide to Elliptic Curve Cryptography, page 99
64
-End-
Thank you~
Slides: Elliptic Curve Cryptography, by Debdeep Mukhopadhyay, Dept of Computer Sc and Engg, IIT Madras
Books: Elliptic Curves: Number Theory and Cryptography, by Lawrence C. Washington
Guide to Elliptic Curve Cryptography, Darrel R. Hankerson, A. Menezes and A. Vanstone
65
References