Embed Size (px)
Citation preview
Elliptic Curve Elliptic Curve CryptographyCryptography
Lawrence FallowLawrence Fallow
19 April 200719 April 2007
What’s wrong with RSA?What’s wrong with RSA?
• RSA is based upon the ‘belief’ that RSA is based upon the ‘belief’ that factoring is ‘difficult’ – never been factoring is ‘difficult’ – never been provenproven
• Prime numbers are getting too largePrime numbers are getting too large
• Amount of research currently devoted Amount of research currently devoted to factoring algorithmsto factoring algorithms
• Quantum computing will make RSA Quantum computing will make RSA obsolete overnightobsolete overnight
What exactly is an elliptic What exactly is an elliptic curve?curve?
• Let a Let a ∈∈ℝℝ,,b b ∈∈ℝℝ, be constants such , be constants such that that
4a³ + 27b² 4a³ + 27b² ≠≠ 0. A 0. A non-singular elliptic non-singular elliptic curve curve is the set is the set EE of solutions (x,y) of solutions (x,y) ∈∈ℝ x ℝ to the equation:ℝ x ℝ to the equation:
y² = x³ + ax + by² = x³ + ax + b
together with a special point together with a special point O O called called the the point at infinitypoint at infinity..
Singular Elliptic CurveSingular Elliptic Curve
• If 4a³ + 27b² If 4a³ + 27b² == 0, then we have a 0, then we have a singular singular elliptic curveelliptic curve
• This could potentially lead to having to not This could potentially lead to having to not having 3 distinct rootshaving 3 distinct roots
• Therefore, we must deal with non-singular Therefore, we must deal with non-singular elliptic curves with the condition 4a³ + elliptic curves with the condition 4a³ + 27b² 27b² ≠≠ 0, in order to assure that we have 0, in order to assure that we have 3 distinct roots.3 distinct roots.
• This will allow us to establish the fact that This will allow us to establish the fact that the solution set the solution set E E forms an Abelian group.forms an Abelian group.
What is a Group?What is a Group?
• Suppose we have any binary operation, such as addition Suppose we have any binary operation, such as addition (+), that is defined for every element in a (+), that is defined for every element in a set G, set G, which is which is denoted denoted (G,(G, +) +)
• Then Then GG is a is a groupgroup with respect to addition if the following with respect to addition if the following conditions hold:conditions hold:
1.) 1.) GG is is closedclosed under addition under addition: x : x ∈∈GG, y , y ∈∈GG, , imply x + y imply x + y ∈∈GG 2.) 2.) + is associative+ is associative. For all x, y, z, . For all x, y, z, ∈∈GG, , x + (y + z) = (x + y) + zx + (y + z) = (x + y) + z 3.) 3.) G G has an identity element has an identity element ee. There is an . There is an ee in in GG such such
that x + that x + e = e e = e + x = x for all x + x = x for all x ∈∈GG.. 4.) 4.) G G contains inversescontains inverses. For each x . For each x ∈∈GG, there exists y , there exists y
∈∈GG, such that x + y = y + x = , such that x + y = y + x = ee..
What is an Abelian GroupWhat is an Abelian Group
• An Abelian group contains all the An Abelian group contains all the rules of a group, but also must meet rules of a group, but also must meet the following criteria:the following criteria:
5.) 5.) + is commutative+ is commutative. For all x . For all x ∈∈GG, , y y ∈∈GG, x + y = y + x., x + y = y + x.
3 Cases for Solutions3 Cases for Solutions
• Suppose P, Q Suppose P, Q ∈∈EE, where P = (x, where P = (x11,y,y11) and Q ) and Q = (x= (x22,y,y22)), , we must consider three cases:we must consider three cases:
1.) 1.) xx1 1 ≠ ≠ xx22
2.) 2.) xx1 1 = = xx22 and y and y11 = - y = - y2 2
3.) x3.) x1 1 = = xx22 and y and y11 = y = y22
• These cases must be considered when These cases must be considered when defining “addition” for our solution setdefining “addition” for our solution set
Defining Addition on Defining Addition on EE: Case : Case 11For the case xFor the case x1 1 ≠ ≠ xx22, addition is defined as , addition is defined as
follows: follows:
(x(x11,y,y11) + (x) + (x22,y,y22) = (x) = (x33,y,y33) ) ∈∈EE where where
xx3 3 = = λλ² - ² - xx1 1 - x- x22 yy3 3 = = λλ((xx1 1 – x– x33) - y) - y11, and, and λλ = (y = (y22 – y– y11) / ) / (x(x22 – x– x11))
Defining Addition on Defining Addition on E E : : Case 2Case 2
For the case xFor the case x1 1 = = xx22 and y and y11 = - y = - y2 2 , , addition is defined as follows: addition is defined as follows:
(x(x11,y,y11) + (x) + (x22,y,y22) = (x) = (x33,y,y33) ) ∈∈EE where where
(x,y) + (x,-y) = (x,y) + (x,-y) = OO, the point at infinity, the point at infinity
Defining Addition on Defining Addition on E E : : Case 3Case 3For the case xFor the case x1 1 = = xx22 and y and y11 = y = y22, ,
addition is defined as follows: addition is defined as follows:
(x(x11,y,y11) + (x) + (x22,y,y22) = (x) = (x33,y,y33) ) ∈∈EE where where
xx3 3 = = λλ² - ² - xx1 1 - x- x22 yy3 3 = = λλ((xx1 1 – x– x33) - y) - y11, and, and λλ = (3 = (3xx11
2 2 + a) / 2y+ a) / 2y11
Defining the IdentityDefining the Identity
• The point at infinity The point at infinity OO, is the identity , is the identity element. P + element. P + O O = = OO + P = P, for all P + P = P, for all P ∈∈EE..
• From Case 2, and the Identity Element, we From Case 2, and the Identity Element, we now have the existence of inversesnow have the existence of inverses
• Beyond the scope here to prove that we Beyond the scope here to prove that we have commutativity and associativity as have commutativity and associativity as wellwell
• Therefore the set of solutions Therefore the set of solutions EE, forms an , forms an Abelian group (Importance of this will be Abelian group (Importance of this will be shown later)shown later)
Elliptic Curves modulo pElliptic Curves modulo p
• Let p > 3 be prime. The elliptic curve y² = Let p > 3 be prime. The elliptic curve y² = x³ + ax + b over x³ + ax + b over ℤℤpp is the set of solutions is the set of solutions (x,y) (x,y) ∈∈ℤℤpp x ℤ x ℤpp to the congruence: to the congruence:
y² y² ≡≡ x³ + ax + b (mod p) x³ + ax + b (mod p)
where a where a ∈∈ℤℤpp,,b b ∈∈ℤℤpp, are constants such , are constants such that 4a³ + 27b² that 4a³ + 27b² ≢ ≢ 0 (mod p), together with 0 (mod p), together with a special point a special point O O called the called the point at point at infinityinfinity..
• Solutions still form an Abelian groupSolutions still form an Abelian group
So now for an exampleSo now for an example
• Let’s examine the following elliptic curve Let’s examine the following elliptic curve as an example:as an example:
y² = x³ + x + 6 overy² = x³ + x + 6 over ℤℤ1111
XX 00 11 22 33 44 55 66 77 88 991100
x³ + x + 6 mod x³ + x + 6 mod 1111 66 88 55 33 88 44 88 44 99 77 44
QR?QR? NN NN YY YY NN YY NN YY YY NN YY
YY 4,4,77
5,5,66
2,2,99
2,2,99
3,83,8 2,2,99
Generating our groupGenerating our group
• From the previous chart, and including From the previous chart, and including the point at infinity the point at infinity OO, we have a , we have a group with 13 points.group with 13 points.
• Since the O(Since the O(EE) is prime, the group is ) is prime, the group is cyclic.cyclic.
• We can generate the group by We can generate the group by choosing any point other then the choosing any point other then the point at infinity.point at infinity.
• Let our generator = Let our generator = = (2,7) = (2,7)
The GroupThe Group
We can generate this by using the We can generate this by using the rules of addition we defined earlier rules of addition we defined earlier where where
Encryption RulesEncryption Rules
• Suppose we let Suppose we let = (2,7) and choose the = (2,7) and choose the private key to be 7 private key to be 7
• then then = 7 = 7 = (7,2) = (7,2)
• Encryption:Encryption:
eeKK(x,k) = (k((x,k) = (k(), x + k(), x + k())))
eeKK(x,k) = (k(2,7), x+k(7,2)) ,(x,k) = (k(2,7), x+k(7,2)) ,
where x where x ∈ ∈ E E and 0 and 0 ≤ ≤ k k ≤≤ 12 12
Decryption RuleDecryption Rule
• Decryption:Decryption:
ddKK((yy11,,yy22) = ) = yy2 2 – K– Kprivprivyy11
ddKK((yy11,,yy22) = ) = yy2 2 – 7y– 7y11
• This is based on the ElGamal scheme This is based on the ElGamal scheme of elliptic curve encryptionof elliptic curve encryption
Using this SchemeUsing this Scheme
• Suppose Alice wants to send a message to Suppose Alice wants to send a message to Bob.Bob.
• Plaintext is x = (10,9) which is a point in Plaintext is x = (10,9) which is a point in EE• Choose a random value for k, k = 3Choose a random value for k, k = 3
• So now calculate (ySo now calculate (y11,,yy22):):
• yy11 = 3(2,7) = (8,3)= 3(2,7) = (8,3)
• yy22 = (10,9) + 3(7,2) = (10,9) + (3,5) = (10,2)= (10,9) + 3(7,2) = (10,9) + (3,5) = (10,2)
• Alice transmits y = ((8,3),(10,2))Alice transmits y = ((8,3),(10,2))
Bob DecryptsBob Decrypts
• Bob receives y = ((8,3),(10,2))Bob receives y = ((8,3),(10,2))
• CalculatesCalculates
x = (10,2) – 7(8,3) x = (10,2) – 7(8,3)
= (10,2) – (3,5)= (10,2) – (3,5)
= (10,2) + (3,6)= (10,2) + (3,6)
= (10,9) = (10,9)
Which was the plaintextWhich was the plaintext
Real example from the NSAReal example from the NSA
• Curve P-192Curve P-192
p = p = 6277101735386680763857894232076664160839087003902496127962771017353866807638578942320766641608390870039024961279
r = r = 627710173538668076385789423176059013767194773182842284086277101735386680763857894231760590137671947731828422840811
a = 3099d2bb bfcb2538 542dcd5f b078b6ef 5f3d6fe2 c745de65a = 3099d2bb bfcb2538 542dcd5f b078b6ef 5f3d6fe2 c745de65
b = 64210519 e59c80e7 0fa7e9ab 72243049 feb8deec c146b9b1b = 64210519 e59c80e7 0fa7e9ab 72243049 feb8deec c146b9b1
GGxx = 188da89e b03090f6 7cbf20eb 43a18800 f4ff0afd 82ff1012 = 188da89e b03090f6 7cbf20eb 43a18800 f4ff0afd 82ff1012
GGyy = 07192b95 ffc8da78 631011ed 6b24cdd5 73f977a1 1e794811 = 07192b95 ffc8da78 631011ed 6b24cdd5 73f977a1 1e794811
Sources UsedSources Used
• ““Recommended Elliptic Curves For Recommended Elliptic Curves For Federal Government Use” July 1999Federal Government Use” July 1999
• Cryptography Theory and PracticeCryptography Theory and Practice. . Douglas Stinson, 3Douglas Stinson, 3rdrd ed ed
• A Friendly Introduction to Number A Friendly Introduction to Number TheoryTheory. Joseph Silverman, 3. Joseph Silverman, 3rdrd ed ed
• Elements of Modern AlgebraElements of Modern Algebra. Gilbert . Gilbert and Gilbert, 6and Gilbert, 6thth edition edition
