Introduction to Elliptic Curve Cryptography

mahdis

Presentation Transcript


  1. Introduction to Elliptic Curve Cryptography. CSIS 5857: Encoding and Encryption

  2. RSA vs. Elliptic Curve
     • RSA requires very large key size
     • Recommended minimum: 1024 bits (as opposed to 128-256 for AES)
     • Speed of RSA proportional to key size
     • Fast modular exponentiation
     • Possible alternative: Elliptic Curve Cryptography
     • Not directly related to ellipses (special case)
     • 160 bit ECC key equivalent to 1024 bit RSA key
     • Based on faster operations

  3. Elliptic Curve Mathematics
     • General mathematical form (Weierstrass equation): $y^2 = x^3 + ax + b$ for some a, b (curve parameters)

  4. Elliptic Curve Encryption
     • Encryption: transforming points on the curve $(P, K_{PU})$ into another point on the same curve (C)
     • Main idea (Abelian group): need a definition of "+" so that the "sum" of two points on a curve is also on the same curve
     • $R = P + Q$ where $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$, $R = (x_R, y_R)$

  5. Elliptic Curve Addition Cases
     • Case 1: R based on the line formed by P, Q ($x_P \ne x_Q$, $y_P \ne y_Q$). Equations:
     • $\lambda = (y_Q - y_P) / (x_Q - x_P)$
     • $x_R = \lambda^2 - x_P - x_Q$
     • $y_R = \lambda (x_P - x_R) - y_P$

  6. Elliptic Curve Addition Cases
     • Case 2: P = Q, R based on the tangent to the curve ($x_P = x_Q$, $y_P = y_Q$). Equations:
     • $x_R = ((3x_P^2 + a) / 2y_P)^2 - 2x_P$
     • $y_R = ((3x_P^2 + a) / 2y_P)(x_P - x_R) - y_P$

  7. Elliptic Curve Addition Cases
     • Case 3: P = -Q, line does not intercept curve ($x_P = x_Q$, $y_P \ne y_Q$)
     • R = "0" (additive identity)
     • Point at infinity
     • 0 = -0

  8. Elliptic Curves over $Z_p$
     • Encryption requires modular arithmetic
     • Must be difficult to recover original points from R
     • Modular arithmetic prevents "working backward", as in RSA
     • Define "curve" as $E_p(a, b)$ where p is the modulus and a, b are the coefficients of $y^2 = x^3 + ax + b$
     • Looking for (x, y) such that $y^2 = (x^3 + ax + b) \bmod p$
     • Note: "points" on curve are integers

  9. Finding Points on a $Z_p$ Curve
     • Example: points on elliptic curve $y^2 = x^3 + x + 1$ over GF(13)
     • Must find integer values for x, y < 13 such that $y^2 \bmod 13 = (x^3 + x + 1) \bmod 13$
     • x = 0: $y^2 \bmod 13 = 1 \bmod 13$; y = 1 works, so y = 1, 12 (-1 mod 13 = 12)
     • x = 1: $y^2 \bmod 13 = 3 \bmod 13$; y = 4 works (16 mod 13 = 3), so y = 4, 9

  10. Finding Points on a $Z_p$ Curve
     • Note: not all values of x have a corresponding y
     • x = 2: $y^2 \bmod 13 = 11 \bmod 13$. No solution for y (can test all y < 13)
     • x = 3: $y^2 \bmod 13 = 31 \bmod 13 = 5$. No solution for y (can test all y < 13)
     • x = 4: $y^2 \bmod 13 = 69 \bmod 13 = 4$; y = 2 works, so y = 2, 11

  11. Finding Points on a $Z_p$ Curve
     • Points on elliptic curve $y^2 = x^3 + x + 1$ over GF(13):

  12. Elliptic Curve Mathematics
     • Computing $(x_R, y_R) = (x_P, y_P) + (x_Q, y_Q)$
     • Necessary to turn the 2 points corresponding to key and plaintext into the point corresponding to ciphertext
     • Main ideas:
     • Addition/subtraction/multiplication in mod p
     • Division = multiplication by inverse mod p

  13. Example: (4, 2) + (10, 6) on $E_{13}(1, 1)$
     • Step 1: compute $\lambda = (y_Q - y_P) / (x_Q - x_P)$
       $\lambda = (6 - 2) \times (10 - 4)^{-1} \bmod 13 = 4 \times 6^{-1} \bmod 13$
       $6^{-1} \bmod 13 = 11$, so $\lambda = 4 \times 11 \bmod 13 = 5$
     • Step 2: compute $x_R = \lambda^2 - x_P - x_Q$
       $x_R = 25 - 4 - 10 \bmod 13 = 11$
     • Step 3: compute $y_R = \lambda (x_P - x_R) - y_P$
       $y_R = 5 \times (4 - 11) - 2 \bmod 13 = 2$
     • (4, 2) + (10, 6) = (11, 2). Note: also on curve!

  14. Multiplication on an Elliptic Curve
     • Multiplication = addition multiple times
     • Necessary for some forms of elliptic curve cryptography
     • Must use the formula where P = Q for the first addition
     • Example: 3 x (1, 4) on $E_{13}(1, 1)$
       3 x (1, 4) = ((1, 4) + (1, 4)) + (1, 4) = (8, 1) + (1, 4) = (1, 9)

  15. Elliptic Curve Encryption
     • Generally based on using elliptic curves in place of exponentiation in an existing public key algorithm
     • Examples:
     • Elliptic Diffie-Hellman
     • Elliptic ElGamal

  16. Elliptic Curve Diffie-Hellman
     • Alice and Bob agree on global parameters:
     • $E_p(a, b)$: elliptic curve mod P (prime) with parameters a and b
     • G: "generator" point on that elliptic curve
     • Example: P = 211, $E_p(0, -4)$, the curve $y^2 = x^3 - 4$, G = (2, 2)

  17. Elliptic Curve Diffie-Hellman
     • Alice and Bob select private $n_A$ and $n_B$
     • They each generate a public $P_A$ and $P_B$ as $P_A = n_A \times G$ and $P_B = n_B \times G$
     • They exchange these values
     • Example: $n_A = 121$, $P_A = 121 \times (2, 2) = (115, 48)$; $n_B = 203$, $P_B = 203 \times (2, 2) = (130, 203)$
     • Values exchanged: (115, 48) and (130, 203)

  18. Elliptic Curve Diffie-Hellman
     • Alice and Bob generate the same key k: $k = P_B \times n_A = P_A \times n_B$
     • Proof: $P_B \times n_A = G \times n_B \times n_A$ and $P_A \times n_B = G \times n_A \times n_B$
     • Example: 121 x (130, 203) = 203 x (115, 48) = (161, 69)

  19. Elliptic Curve ElGamal: generating public and private keys
     • Bob chooses an $E_p(a, b)$ for an elliptic curve in $Z_p$
     • Bob chooses a point $(x_1, y_1)$ on that curve
     • Bob chooses a secret integer multiplier d < p
     • Bob computes a second point $(x_2, y_2)$ on the curve as $(x_2, y_2) = d\,(x_1, y_1)$
     • Public key: the values p, a, and b that define the curve, and the two points $(x_1, y_1)$ and $(x_2, y_2)$
     • Private key: the multiplier d

  20. Elliptic Curve ElGamal: encryption
     • Alice selects a point P on $E_p(a, b)$ that corresponds to the plaintext message she wishes to send
     • Alice selects a random multiplier r
     • Alice creates the ciphertext as two points on the curve: $C_1 = r\,(x_1, y_1)$ and $C_2 = P + r\,(x_2, y_2)$

  21. Elliptic Curve Encryption: decryption
     • Bob computes the plaintext as: $P = C_2 - (d\,C_1)$
     • Why does this work?
       $P = C_2 - (d\,C_1) = (P + r\,(x_2, y_2)) - (d\,r\,(x_1, y_1)) = (P + d\,r\,(x_1, y_1)) - (d\,r\,(x_1, y_1)) = P$

  22. Elliptic Curve ElGamal

  23. Security and Speed
     • Why is this secure?
     • Same type of inverse modular problem (elliptic curve logarithm problem)
     • No simple way to determine d from $(x_1, y_1)$ and $(x_2, y_2)$ without trying all possible values
     • Computationally secure as long as p is large enough to prevent this ($2^{160}$ for example)
     • Why is this fast?
     • Only uses addition and multiplication, no exponents!

  24. Elliptic Curves over $GF(2^n)$
     • Represent points as polynomials $\{0, 1, g, g^2, g^3, \ldots\}$ mod some irreducible polynomial in $GF(2^n)$
     • Sort of like GF in AES
     • Added security
     • Slightly different equation used: $y^2 + xy = x^3 + ax^2 + b$
     • Example: $GF(2^3)$ using $x^3 + x + 1$ as mod

  25. Elliptic Curves over $GF(2^n)$
     • Points on elliptic curve $y^2 + xy = x^3 + ax^2 + b$ for $a = g^3$ and $b = 1$
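
The point arithmetic of slides 5 to 7 and 13, and the Diffie-Hellman and ElGamal exchanges of slides 16 to 21, as an added Python example that is not part of the original presentation. The curves and keys are the slides' own toy parameters; the function names, the ElGamal message point and the multiplier r are constructed for illustration.

```python
# Added example (not from the slides): affine arithmetic on E_p(a, b),
# y^2 = x^3 + ax + b (mod p). Function names are this example's own.
O = None  # the point at infinity, the additive identity "0"

def ec_add(P, Q, a, p):
    """R = P + Q, covering the three cases on slides 5-7."""
    if P is O:
        return Q
    if Q is O:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:
        return O                                          # case 3: P = -Q
    if P == Q:
        lam = (3 * xp * xp + a) * pow(2 * yp % p, -1, p)  # case 2: tangent
    else:
        lam = (yq - yp) * pow((xq - xp) % p, -1, p)       # case 1: chord
    xr = (lam * lam - xp - xq) % p
    return (xr, (lam * (xp - xr) - yp) % p)

def ec_mul(k, P, a, p):
    """k x P as repeated addition (slide 14), done by double-and-add."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def ecdh(n_a, n_b, G, a, p):
    """Slides 16-18: returns (P_A, P_B, k as Alice computes it, k as Bob does)."""
    P_a, P_b = ec_mul(n_a, G, a, p), ec_mul(n_b, G, a, p)
    return P_a, P_b, ec_mul(n_a, P_b, a, p), ec_mul(n_b, P_a, a, p)

def elgamal_encrypt(M, r, pt1, pt2, a, p):
    """Slide 20: C1 = r x (x1, y1), C2 = M + r x (x2, y2)."""
    return ec_mul(r, pt1, a, p), ec_add(M, ec_mul(r, pt2, a, p), a, p)

def elgamal_decrypt(C1, C2, d, a, p):
    """Slide 21: M = C2 - d x C1, using -(x, y) = (x, -y mod p)."""
    S = ec_mul(d, C1, a, p)
    return ec_add(C2, O if S is O else (S[0], -S[1] % p), a, p)

if __name__ == "__main__":
    print(ec_add((4, 2), (10, 6), 1, 13))        # slide 13, E13(1, 1)
    print(ecdh(121, 203, (2, 2), 0, 211))        # slides 16-18, E211(0, -4)
    M, d, r = (130, 203), 121, 57                # constructed message point, r
    C1, C2 = elgamal_encrypt(M, r, (2, 2), ec_mul(d, (2, 2), 0, 211), 0, 211)
    print(elgamal_decrypt(C1, C2, d, 0, 211) == M)
```

Python 3.8 or later is needed for `pow(x, -1, p)`, which computes the modular inverse that slide 12 describes as division.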
