1 / 75

Elliptic Curve Cryptography

Outline. I. Elliptic curvesII. Elliptic curve cryptosystemsIII. Advantages and disadvantagesIV. Standardization efforts. Notation. GF(q) or Fq: finite field with q elementstypically, q = p where p is prime, or 2mE(Fq): elliptic curve over Fq(x, y): point on E(Fq)O: point at infinity. Acronyms.

zeal
Download Presentation

Elliptic Curve Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Elliptic Curve Cryptography Burt Kaliski Chief Scientist and Director RSA Laboratories

    2. Outline I. Elliptic curves II. Elliptic curve cryptosystems III. Advantages and disadvantages IV. Standardization efforts

    3. Notation GF(q) or Fq: finite field with q elements typically, q = p where p is prime, or 2m E(Fq): elliptic curve over Fq (x, y): point on E(Fq) O: point at infinity

    4. Acronyms EC = Elliptic Curve as in EC Digital Signature Algorithm ECC = Elliptic Curve Cryptography

    5. Part I: Elliptic Curves

    6. Elliptic Curves An elliptic curve is the set of solutions (x, y) to an equation of the form y2 = x3 + ax + b where 4a3 + 27b2 ? 0, together with a point at infinity denoted O Originally developed to measure circumference of an ellipse

    7. An Example Curve Over the reals, the solutions form a curve with one or two components Example: y2 = x3-x

    8. Elliptic Curve Arithmetic A group law may be defined where the sum of two points is the reflection across the x-axis of the third point on the same line “Chords and tangents”

    9. Group Law Axioms Closure Identity: P + O = O + P = P Inverse: (x, y) + (x, -y) = O Associativity Commutativity

    10. Addition Formulae Let P1 = (x1, y1) and P2 = (x2, y2) be non-inverses Then P1 + P2 = (x3, y3) where x3 = ?2 - x1 - x2 y3 = ? (x1 - x3) - y1 and ? is the slope of the line: ? = (3x12+a)/2y1 if x1 = x2 ? = (y2-y1)/(x2-x1) otherwise

    11. Elliptic Curves over Finite Fields An elliptic curve may be defined over any finite field GF(q) For GF(2m), the curve has a different form: y2 + xy = x3 + ax2 + b where b ? 0 Addition formulae are similar to those over the reals

    12. Group Properties Let #E(Fq) denote the number of points on an elliptic curve E(Fq), including O Hasse bound: #E(Fq) = q+1-t, where |t| ? 2 sqrt(q) The group of points is either cyclic or a product of two cyclic groups

    13. Scalar Multiplication Scalar multiplication is repeated group addition: cP = P + ··· + P (c times) where c is an integer For all P ? E(Fq), nP = O where n = #E(Fq)

    14. Elliptic Curve Research Areas EC over finite fields has been an increasing focus of research 1. Efficient elliptic curve arithmetic, scalar multiplication including finite field arithmetic 2. Efficient curve generation 3. Cryptographic properties

    15. Some Interesting Applications Factoring (Lenstra 1985) running time of Elliptic Curve Method (ECM) depends on size of prime factors of a number, ideal for “smooth” numbers Primality proving (Goldwasser-Kilian 1986) under number-theory assumptions, method for proving primality in random polynomial time Fermat’s Last Theorem

    16. Analogy with Multiplicative Groups

    17. Part II: Elliptic Curve Cryptosystems

    18. Elliptic Curve Cryptosystems EC discrete logarithm problem Domain parameters Key pairs Cryptographic schemes

    19. EC Discrete Logarithm Problem Problem: Given two points W, G, find s such that W = sG first suggested by Miller 1985, Koblitz 1987 With appropriate cryptographic restrictions, this is believed to take exponential time O(sqrt(r)) time, where r is the order of W

    20. EC Discrete Logarithm Problem (cont’d) By comparison, factoring and ordinary discrete logarithms can be solved in subexponential time ECC thus offers much shorter key sizes than other public-key cryptosystems

    21. Typical Cryptographic Restrictions #E(Fq) = kr for large prime r k is cofactor GCD (k, r) = 1 “Anomalous” condition: r ? q MOV condition: r does not divide qi-1 for small i

    22. Domain Parameters Common values shared by a group of users from which key pairs may be generated User or trusted party may generate domain parameters Anyone may validate domain parameters

    23. EC Domain Parameters Finite field Fq Elliptic curve E(Fq) with cryptographic restrictions Prime divisor r of #E(Fq) Cofactor k Base point G ? E(Fq) of order r

    24. Generating EC Domain Parameters 1. Select a prime power q 2. Select an elliptic cuve E over Fq with cryptographic restrictions order #E(Fq) = kr 3. Generate a point G of order r 4. Output Fq, E(Fq), r, k, G

    25. Selecting an Elliptic Curve Random method Complex multiplication method Subfield method Methods provide tradeoff between speed, “structure” in curves less structure = more conservative in assumptions about security

    26. Random Method 1. Generate a random curve 2. Count the number of points #E(Fq) 3. If restrictions not met, goto 1 No structure, but step 2 may be slow (Schoof 1985, etc.)

    27. Complex Multiplication Method 1. Generate a curve order n with a small CM discriminant D 2. If restrictions not met, goto 1 3. Given D, find a curve with n points Fast, some structure, but complex (Atkin-Morain 1991, Lay-Zimmer 1994)

    28. Subfield Method For q = 2m with m composite 1. Generate a curve over a subfield 2. Count the number of points 3. Apply formula to compute #E(Fq) 4. If restrictions not met, goto 1 Fast, but significant structure (Koblitz)

    29. Generating a Point of Order r 1. Generate a point H ? E(Fq) 2. Compute G = kH 3. If G = O, goto 1 4. Output G

    30. Validating EC Domain Parameters 1. Check that q is a prime power 2. Check that E is an elliptic curve over Fq with cryptographic restrictions order #E(Fq) = kr, where r is prime 3. Check that G is a point on E(Fq) of order r 4. Output valid if all checks pass, invalid otherwise

    31. Key Pairs Pairs of public, private values with which users may perform cryptographic operations User or trusted third party may generate key pair Anyone may validate public key

    32. EC Key Pairs Public key W ? E(Fq) Private key s ? [1, r-1] where W = sG

    33. Generating an EC Key Pair 1. Randomly generate s ? [1, n-1] 2. Compute W = sG 3. Output (W, s)

    34. Validating an EC Public Key Assume valid domain parameters 1. Check that W is a point on E(Fq) of order r 2. Output valid if so, invalid otherwise

    35. Cryptographic Schemes Following general model from IEEE P1363, a scheme is a set of related operations providing the building blocks for a protocol Examples: key agreement signature with appendix encryption

    36. Scheme Operations Depending on the scheme, related operations may include: domain parameter generation, validation key pair generation, public-key validation one or more scheme-specific operations

    37. Key Agreement Scheme Key agreement operation derives a shared secret key from a private key, another’s public key, and key derivation parameters Multiple secret keys can be obtained by varying parameters

    38. Elliptic Curve Diffie-Hellman Key agreement scheme based on Diffie-Hellman protocol In IEEE P1363, ECKAS-DH1 with ECSDVP-DH primitive Underlying function: KDF: key derivation function

    39. ECDH Key Agreement Input: private key s, other’s public key W*, key derivation parameters P Output: shared secret key K 1. Compute Z = sW* 2. Compute K = KDF (Z, P) 3. Output K

    40. Key Agreement Modes Each key pair may be ephemeral, authenticated, or a combination, depending on security goals Examples of protocol modes: anonymous static-static signed ephemeral-ephemeral ephemeral-static

    41. Signature Scheme Signature generation operation computes a signature on a message with a private key Signature verification operation verifies a signature with a public key

    42. Elliptic Curve Digital Signature Algorithm Signature scheme based on NIST FIPS 186-1 DSA In IEEE P1363, ECSSA with ECSP/VP-DSA primitives Underlying function Hash: collision-resistant hash function

    43. ECDSA Signature Generation Input: private key s, message M Output: signature (c,d) 1. Compute f = Hash (M) 2. Generate a one-time key pair (u, V) 3. Compute c = int (xV) mod r 4. Compute d = u-1(f + sc) mod r 5. If c = 0 or d = 0, goto 2 6. Output (c,d)

    44. ECDSA Signature Verification Input: signer’s public key W, message M, signature (c,d) Output: valid or invalid 1. Compute f = Hash (M) 2. Check that 1 ? c,d ? r-1 3. Compute h = d-1 mod r 4. Compute P = fhG + chW (cont’d)

    45. ECDSA Signature Verification (cont’d) 5. Check that P ? O 6. Check that c = int (xP) mod r 7. If all checks pass, output valid, otherwise output invalid

    46. Encryption Scheme Encryption operation computes a ciphertext from a message with a public key Decryption operation recovers a message from a ciphertext with a private key Augmented encryption scheme also binds control information to message

    47. Elliptic Curve Augmented Encryption Scheme Augmented encryption scheme based on DHAES (Bellare-Rogaway 1998) In ANSI X9.63 draft Underlying functions: KDF: key derivation function Encrypt: symmetric encryption MAC: message authentication code

    48. ECAES Encryption Input: recipient’s public key W, message M, control information P Output: ciphertext (V,C,T) 1. Generate a one-time key pair (u,V) 2. Compute Z = uW 3. Compute (K1,K2) = KDF (Z) (cont’d)

    49. ECAES Encryption (cont’d) 4. Compute C = Encrypt (K1,M) 5. Compute T = MAC (K2,C || P) 6. Output (V,C,T) Note: Steps 1–3 are like ECDH ephemeral-static

    50. ECAES Decryption Input: private key s, ciphertext (V,C,T), control information P Output: message M or invalid 1. Compute Z = sV 2. Compute (K1,K2) = KDF (Z) (cont’d)

    51. ECAES Decryption (cont’d) 3. Compute M = Decrypt (K1,C) 4. Check that T = MAC (K2,C || P) 5. If the check passes, output M, otherwise output invalid

    52. Some Observations In these schemes, only one or two steps are EC operations, some are modular arithmetic, the rest are Hash, KDF, Encrypt, MAC the additional operations help provide provable security Schemes are readily adapated to multiplicative groups

    53. Part III: Advantages and Disadvantages

    54. Advantages and Disadvantages Three families Key size comparison Advantages Disadvantages

    55. Three Families Today, three families of public-key techniques are prominent Following P1363, named according to the hard problem: DL: (ordinary) discrete logarithms EC: elliptic curve discrete logarithms IF: integer factorization Each has its own advantages

    56. Key Size Comparison Key size is length in bits of: DL: field order q also consider group order r EC: group order r IF: modulus n Key sizes can be compared based on running time for solving hard problem with current methods other factors to consider

    57. Comparable Key Sizes (Based on Running Time)

    58. Advantages Alternative hard problem Speed Data size New types of schemes Many options

    59. Alternative Hard Problem EC Discrete Logarithm Problem is very different than DL, IF hard problems does not appear feasible to apply DL, IF approaches to solve it Thus, it is an effective alternative against advances in methods for other problems

    60. Speed EC operations are generally faster than DL, IF counterparts at comparable key sizes GF(2m) arithmetic affords further speedups Key pair generation is much faster than for IF

    61. Data Size EC data are shorter than DL, IF counterparts Intermediate values are shorter Keys are shorter benefit depends on certificate content Signatures with appendix are same size as for DL, shorter than IF

    62. New Types of Schemes EC family, like DL, has great flexibility due to the availability of common domain parameters Multiple schemes can be combined efficiently, e.g.: signature + encryption signature / key agreement + certification (Zheng 1997, Arazi 1998, Vanstone)

    63. Many Options EC family affords many choices: field type, size, representation curve formula group order base point cryptographic scheme Appropriate choices can meet varying security and implementation objectives

    64. Disadvantages Alternative hard problem Curve generation Many options

    65. Alternative Hard Problem ECDLP has not been studied as long as DL, IF hard problems, and even a modest improvement in methods could have great impact However, the focus on this area has grown considerably over the past few years, with increased confidence

    66. Curve Generation EC curve generation is complex, not readily implemented However, implementers can rely on third parties for curves, which can be validated e.g., NIST curves

    67. Many Options ECC affords many options, so interoperability is challenging: no conversion between GF(2m), GF(p) hardware optimizations may be specific to one set of domain parameters However, much of this will be settled by standards and industry practice

    68. Part IV: Standardization Efforts

    69. Standardization Efforts Elliptic curves are parts of standards being developed by several groups: ANSI X9F1 IEEE P1363 ISO JTC1 SC27 SECG U.S. NIST Generally, all three families are being developed together

    70. ANSI X9F1 Cryptographic techniques for U.S. financial services industry ANSI X9.62 specifies ECDSA ANSI X9.63 (draft) specifies ECDH, ECAES and more Technical Guideline on elliptic curve mathematics www.x9.org

    71. IEEE P1363 Public-key cryptography specifications, transnational Specifies ECDH, ECDSA and much more (including other families) framework for ANSI X9F1 work ECAES proposed for addendum grouper.ieee.org/groups/1363

    72. ISO SC27 IT security techniques, international ISO/IEC DIS 14888-3 includes ECDSA aligned with ANSI X9.62 ISO/IEC CD 15946 covers elliptic curve techniques including digital signatures, key establishment www.iso.ch/meme/JTC1SC27.html

    73. SECG Standards for Efficient Cryptography Group Industry implementers agreements, intended to profile other standards www.secg.org

    74. U.S. NIST Information processing for U.S. government FIPS 186 (Digital Signature Standard) to add support for ANSI X9.62 Eventual ANSI X9.63 support likely Reference elliptic curves published csrc.nist.gov/fips

    75. Summary

    76. Summary ECC offers an attractive alternative to other public-key cryptosystems new hard problem smaller key size Many standards are emerging Number theory continues to be useful

More Related