Foundations of Cryptography - ECC pp. 1 / 31
ECC
Elliptic Curve Cryptography

Elliptic Curve
• an elliptic curve E is a smooth, projective, algebraic curve defined by the following equation:
  $y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_5, \quad a_i \in K$
  that has no cusps or self-intersections, and also includes special points at infinity
• point P(x, y) is on curve E if the coordinates x and y of P satisfy the equation of curve E
• the coefficients of curve E and the coordinates of the points P(x, y) of E are elements of a field K
• for cryptographic use K is always a finite field
• for the initial explanation it is useful to consider curves defined over the field R of real numbers

Group Law
• the points P of elliptic curve E constitute an additive (abelian or commutative) group with respect to a certain point addition rule
• the sum of two points P and Q of curve E is another point of the same curve E
• the point at infinity of curve E, denoted O, is the identity element (neutral element) of the group
• the opposite –P of a point P of curve E is the point symmetric to P with respect to the x axis (abscissa axis of the plane)
  – elliptic curves are always symmetric with respect to the abscissa axis of the plane

Point Addition
• the basic operation of the group is point addition
• curve E has the property that a straight line always intercepts E in three points (not necessarily all distinct from one another)
• take two points P and Q on curve E, then to obtain the sum of P and Q do as follows:
  – draw the straight line passing through P and Q
  – the line intercepts the curve in a third point S
  – the sum point of P and Q is the opposite of point S
• this construction is called “rule of the chord”

Point Addition – Representation
[figure: rule of the chord on curve E, with points P, Q, S and P + Q]
curve E is supposed defined on the field R of real numbers (to have a geometric representation)

Point Doubling
• point doubling is a special case of point addition
• point doubling is the sum of point P to itself:
  P + P = 2P
• to obtain point 2P do as follows:
  – instead of drawing the straight line through P and Q
  – draw the tangent to curve E in the point P
  – the tangent intercepts curve E in a third point S
  – the opposite of point S is point 2P
• this construction is called “rule of the tangent”

Point Doubling – Representation
[figure: rule of the tangent on curve E, with points P, S and 2P]
curve E is supposed defined on the field R of real numbers (to have a geometric representation)

Iterated Addition – k P
• the sum of a point P of E to itself can be repeated for k ≥ 2 times:
  k P = P + P + … + P (for k times)
• for every integer k ≥ 2, point k P is a point of E
• moreover define:
  1P = P
  0P = O (point at infinity)
  –k P = k (–P) = (–P) + (–P) + … + (–P) (for k times)
  and thus allow k to be any integer (>, <, = 0)
• k P is named “iterated sum” of P or simply “k P operation” (sometimes “scalar multiplication”)

Curve on a Finite Field
• elliptic curves can be restricted over finite fields:
  – the coefficients of the equation of the curve belong to a finite field K (of modular or polynomial type)
• the points P(x, y) of a curve E over a finite field K have coordinates x and y belonging to field K as well
• thus an elliptic curve over a finite field necessarily has finitely many points
• and the additive group of the points of an elliptic curve over a finite field is a finite group itself
• there is no geometric representation of the group law, but the points of the curve can be represented exactly

Cryptographic Use
• Koblitz and Miller proposed to define the discrete logarithm problem (DLP) in the group of the points of an elliptic curve over a finite field
• take a curve E over a finite field K and a point P of E, then:
  – given an integer k, it is relatively easy to find point Q = k P (point Q is the iterated sum of P)
  – but given point Q such that there exists an integer k with Q = k P, it is very difficult to find such integer k
• the second (difficult) problem is called Elliptic Curve Discrete Logarithm Problem (ECDLP)

Order – Group and Point
• the group of the points of an elliptic curve E over a finite field K is denoted E(K)
• the order (i.e. the size) of group E(K) is the number of points of curve E and is denoted #E
• the order of a point P of curve E is the minimum integer n such that n P = O (point at infinity)
• if the order of group E(K) is prime, the group is necessarily cyclic and all the points of curve E have an order equal to the order of the group

Order – Cyclic (sub)groups
• for any curve E over a finite field K, it can be proved that the order of group E(K) is:
  – either a prime (see before)
  – or a composite number
• in the former case E(K) is itself a cyclic group, where ECDLP can be defined directly
• in the latter case the ECDLP must be formulated in a cyclic subgroup of prime order through finding a sufficiently large factor of the curve order #E

Order – How to Find a Curve
• it is necessary to construct elliptic curves with a group E(K) of sufficiently large order
• to construct a curve means to find the coefficients of the equation of the curve
• there are two methods for constructing elliptic curves suited to cryptographic use:
  – generate a random curve and count the number of points it has (discard the curve if points are too few)
  – use an algorithm for generating a curve with a predetermined order
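
The first construction method above (generate a random curve, count its points, discard unsuitable ones), as an added Python example that is not part of the original slides. It goes slightly beyond the slide by also rejecting singular curves and by extracting the largest prime factor of #E, which is what the prime-order subgroup needs; the function names, the toy field GF(1009) and the brute-force counting (feasible only for toy field sizes) are assumptions.

```python
import random

def count_points(p, a, b):
    """#E of y^2 = x^3 + ax + b over GF(p), p an odd prime, by brute force."""
    total = 1                               # the point at infinity O
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        chi = pow(rhs, (p - 1) // 2, p)     # Euler criterion: 0, 1 or p - 1
        # rhs = 0 gives one point (y = 0), a nonzero square gives two (+y, -y)
        total += 1 if chi == 0 else (2 if chi == 1 else 0)
    return total

def largest_prime_factor(m):
    """Trial division; fine for the small orders of a toy curve."""
    f, largest = 2, 1
    while f * f <= m:
        while m % f == 0:
            largest, m = f, m // f
        f += 1
    return m if m > 1 else largest

def find_curve(p, min_subgroup, rng):
    """Draw random (a, b) until #E has a prime factor >= min_subgroup."""
    while True:
        a, b = rng.randrange(p), rng.randrange(p)
        if (4 * a ** 3 + 27 * b ** 2) % p == 0:
            continue                        # singular: not an elliptic curve
        order = count_points(p, a, b)
        q = largest_prime_factor(order)
        if q >= min_subgroup:               # otherwise discard the curve
            return a, b, order, q

def demo():
    # Constructed toy field GF(1009); fixed seed so the run is repeatable.
    return find_curve(1009, 400, random.Random(1))
```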

Security of ECC
• the security level of the Elliptic Curve Discrete Log. Problem (ECDLP) depends on several factors and parameters, for instance:
  – underlying finite field K
  – structure of the elliptic curve E
  – order of entire group E(K)
  – order of specific curve points to use
• thus the choice of the appropriate curve to use is a crucial problem for cryptography
• a few curves where ECDLP has good security level are known and have been standardized

ECC over GF(p)
• for cryptographic purposes elliptic curves are defined over modular (prime) fields GF(p) or binary extension fields GF(2^n) (for some n 1)
• in a few rare cases other fields are used, like for instance the ternary extension fields GF(3^n)
• here attention is restricted to fields GF(p)
• a curve over GF(p) (with p ≠ 2, 3) can always be put, via a change of coordinates, in the form:
  $y^2 = x^3 + ax + b, \quad 4a^3 + 27b^2 \neq 0, \quad a, b \in GF(p)$

ECC over GF(p)
• the geometric “rule of chord and tangent” shown for curves over the real field cannot be used directly in the finite fields GF(p)
• in GF(p) it is necessary to express the sum and doubling of points in terms of algebraic formulas on the coordinates of the points
• in GF(p) the opposite –P of a point P(x, y) is obtained by changing the sign of coordinate y of P (of course the change is mod p)
  coord. of –P = (x, –y mod p) = (x, p – y)

ECC Point Addition
• the sum of two points P(x1, y1) and Q(x2, y2) is obtained from the algebraic equation of the straight line through P and Q, which is:
  (x2 – x1) / (y2 – y1) (angular coefficient)
  y1 – x1 (intercept on axis y)
  y x (line equation)
• create the algebraic system of line and curve
• and with some steps the coordinates of the sum point are obtained (see next)

ECC Point Addition
  $y^2 = x^3 + ax + b$
• the system of straight line and curve equations is of degree three
• such a system has three different solutions
• call solutions on the x axis: x1, x2 and x3
• equation system has the following resolvent
  ( x ) 2 x 3 ax+b
  $(x - x_1)(x - x_2)(x - x_3) = 0$

ECC Point Addition
• resolvent can be rewritten as follows:
  x3 2 x2 (2 +a) x (2+b) 0
  $x^3 - (x_1 + x_2 + x_3) x^2 + (x_1 x_2 + x_1 x_3 + x_2 x_3) x - x_1 x_2 x_3 = 0$
• set 2 equal to the coefficient of x2 in the 2nd eq.:
  2 (x1 x2 x3) x3 2 x1 x2
• now x3 is known and it is possible to substitute it in the equation of the line, remembering that the obtained y is the opposite of the requested y3

ECC Point Doubling
• point doubling is the same as point addition
• but instead of a line passing through two points, the tangent to the curve through P(x1, y1) is used
• the equation of the tangent line is
  (3x12 1) / (2y1)
  y1 x1
• then apply the same steps as point addition (omitted here) and obtain the x coordinate of point 2P (and then also the y coordinate)
Point Addition and Doubling

EC Diffie-Hellman
• it is possible to define a Diffie-Hellman key exchange protocol for the group of the points of an elliptic curve
• first users agree on the following items:
  – a finite field Fq
  – an elliptic curve E defined over field Fq (and thus they agree on a group of points E(Fq))
  – and a base point P of known order n
• then every user selects a secret key, i.e. selects a random integer 0 < ks < n
• finally every user computes his public key as Kp = ks P

EC Diffie-Hellman
• users A and B have secret keys ksA, ksB and public keys KpA, KpB, respectively:
  – user A obtains the public key of B and computes K = ksA KpB
  – user B obtains the public key of A and computes K = ksB KpA
• now A and B share the common secret K
  K = ksA KpB = ksA ksB P = ksB ksA P = ksB KpA = K

EC ElGamal
• as in the case of the Diffie-Hellman key exchange algorithm, the ElGamal encryption algorithm can also be extended to elliptic curves
• public parameters are defined as in the case of ECDH: E(Fq)
• user A sends an encrypted message to B
• user B is equipped with a
  – secret key: 0 < ksB < n
  – public key: KpB = (n, P, ksB P)

EC – ElGamal Encryption
• user A does the following actions:
  – maps plaintext M to the finite field Fq (say M’ is the mapped plaintext)
  – selects a random integer: 0 r n
  – and computes:
    • point U = r P = (xU, yU)
    • point Q = r KpB = (xQ, yQ)
  – the ciphertext is composed either as
    • (U, C = M’ + Q)
    or
    • (U, C = M’ bitwise-xor xQ)

EC – ElGamal Decryption
• to decrypt, user B computes:
  – Q = ksB U
  – either
    • M’ = C - Q
    or
    • M’ = C bitwise-xor xQ
  – remaps field element M’ to cleartext M
• both parties compute the same point Q:
  Q = r KpB = r ksB P = ksB r P = ksB U = Q

EC Digital Signature Algorithm
• the Digital Signature Algorithm (DSA) that works in the multiplicative group of a finite field can be redefined on elliptic curves too
• ECDSA – Elliptic Curve Digital Signature Algorithm
• simply replace the multiplicative group of a finite field Fq* with the group of the points of an elliptic curve E(Fq)
• details are at page 14 of the notes on ECs.

Scalar Multiplication
• the basic operation in ECC is the “k P operation” (sometimes also called “scalar multiplication”)
• k P consists of the addition of P to itself k times
• the standard algorithm for performing k P is called “Double & Add” (D&A)
• algorithm D&A is a rearrangement of algorithm Square & Multiply (S&M) for exponentiation in modular (prime) fields
• rearrangement consists of replacing:
  – Square with Point Doubling
  – and Multiply with Point Addition
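
The algebraic point addition and doubling over GF(p), the Double & Add algorithm, and the EC Diffie-Hellman and EC ElGamal (XOR variant) exchanges described above, as an added Python example that is not part of the original slides. The toy curve y^2 = x^3 + 2x + 2 over GF(17) with base point P = (5, 1) of order n = 19, and all function names, are assumptions chosen for illustration.

```python
# Constructed toy parameters (far too small for real use):
# y^2 = x^3 + 2x + 2 over GF(17), base point P = (5, 1) of prime order n = 19.
p, a, b = 17, 2, 2
P, n = (5, 1), 19
O = None                                    # point at infinity (identity)

def neg(Q):
    return O if Q is O else (Q[0], -Q[1] % p)   # -P = (x, p - y)

def add(Q, R):
    """Point addition and doubling as algebraic formulas over GF(p)."""
    if Q is O:
        return R
    if R is O:
        return Q
    (x1, y1), (x2, y2) = Q, R
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                            # R = -Q: the line is vertical
    if Q == R:                              # tangent at Q (doubling)
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:                                   # chord through Q and R
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p) # opposite of the third point S

def mul(k, Q):
    """Double & Add: k Q for any integer k, using -k Q = k (-Q)."""
    if k < 0:
        k, Q = -k, neg(Q)
    result = O
    while k:
        if k & 1:
            result = add(result, Q)         # "Add" replaces Multiply
        Q = add(Q, Q)                       # "Double" replaces Square
        k >>= 1
    return result

def ecdh(ks_a, ks_b):
    """Both users' views of the shared point K = ksA KpB = ksB KpA."""
    kp_a, kp_b = mul(ks_a, P), mul(ks_b, P) # public keys Kp = ks P
    return mul(ks_a, kp_b), mul(ks_b, kp_a)

def elgamal_encrypt(m, kp_b, r):
    """XOR variant: (U, C) with U = r P and C = M' xor x_Q, Q = r KpB."""
    return mul(r, P), m ^ mul(r, kp_b)[0]

def elgamal_decrypt(U, c, ks_b):
    return c ^ mul(ks_b, U)[0]              # Q = ksB U, then M' = C xor x_Q
```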

ECC – Security Level
• suppose we have:
  – a finite field K with elements of size of n bits
  – an elliptic curve E over the same field K
• in general the Discrete Logarithm Problem (DLP) in the group E(K) of the points of E over K is much more difficult than the DLP in the multiplicative group K* of K
• this may be false if curve E is badly chosen, for instance when the number of points of E is too small
• however there are methods for avoiding such unfortunate situations (as mentioned before)

Security Level
• for comparing the security levels of two cryptographic algorithms A1 and A2, it is customary to specify for which field or key size (depending on the case) the costs of the most efficient known attacks on A1 and A2 are equal
• see the next table for a comprehensive comparison of some symmetric and asymmetric algorithms (published by NIST)
• such comparison figures may change as technology evolves and new, more efficient attacks are discovered

Comparing Key Size and Algorithm
figures obtained from NIST