1 / 36

Elliptic Curves in Cryptography

Elliptic Curves in Cryptography. Ipsita Sahoo 10IT61B05 School of Information Technology IIT Kharagpur October 29, 2011 . Outline. Introduction Background of Public Key Cryptosystem Definition of Elliptic Curves Elliptic Curve on Finite Fields What is Elliptic Curve Cryptography?

toya
Télécharger la présentation

Elliptic Curves in Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Elliptic Curves in Cryptography IpsitaSahoo 10IT61B05 School of Information Technology IIT Kharagpur October 29, 2011

  2. Outline • Introduction • Background of Public Key Cryptosystem • Definition of Elliptic Curves • Elliptic Curve on Finite Fields • What is Elliptic Curve Cryptography? • Elliptic Curve Key Pairs • ECDH • ECDSA • Comparable key sizes • Advantages and Disadvantages of ECC • Applications • Summary • References

  3. Introduction • The use of elliptic curves in cryptography was suggested by Neal Koblitz and Victor S. Miller in 1985. • The Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. • Security of Public-key Cryptography depends on the difficulty of solving the hard problems defined in complexity Theory.

  4. For Elliptic curve based protocols, it is assumed that finding the discrete logarithm of an elliptic curve element is infeasible. The size of the elliptic curve determines the difficulty of the problem. • Over the past few years elliptic curve cryptography has been gaining popularity and being standardized around the world by agencies such as ANSI,IEEE and ISO.

  5. Background of Public Key Cryptosystem • The cryptosystems based on following mathematical problems are considered secure and efficient: • Integer Factorization Problem(IFP) Examples are RSA, Rabin-Williams • Discrete Logarithm Problem(DLP) DSA, Diffie-Hellman and MQV key agreement scheme, the ElGamal encryption and signature scheme etc. • Elliptic Curve Discrete Logarithm Problem(ECDLP) ECDSA, Elliptic Curve Diffie-Hellman & elliptic curve MQV key agreement schemes the ElGamal encryption and signature scheme etc.

  6. Since 1985, ECC has received intense security from cryptographers, mathematicians, and computer scientists around the world. On the other hand, the fact that no significant weaknesses have been found so as a result high confidence in the security of ECC. • ECC has become more attractive rather than RSA and DSA.

  7. Definition of Elliptic curves • The General equation for an elliptic curve as all points on the curve is: y2+b1xy+b2y=x3+a1x2+a2x+a3 • Elliptic curves over real number use a special case of elliptic curves of the form: y2 = x3+ax+b where the coefficients ‘a’ and ‘b’ are elements of the field and satisfies equation 4a3+27b2 ≠ 0, to represent nonsingular elliptic curve. Each value of ‘a’ and ‘b’ gives different elliptic curve. • An equation of this kind can be studied over various mathematical structures, such as a ring or a field.

  8. An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with a rational point (which may be a point at infinity). • The field K is usually taken to be the complex numbers, reals, rationals, algebraic extensions of rationals, or a finite field. • One interesting property of set of solutions of elliptic curve is that it forms a group which enables us to do Cryptography. The public key is a point in curve and private key is a random number. The public key is obtained by multiplying the private key with the generator point G in the curve. • Elliptic curves groups for cryptography are examined with the underlying finite fields of GF(p) (where p>3 is a prime) and GF(2n) (a binary representation with 2n elements).

  9. Graphical Representation • Elliptic curve over a real field with a = -4 and b = 0 equation: y2 = x3 - 4x The equation is non-singular with three real roots.

  10. Point addition • Point addition is the addition of two points P and Q on an elliptic curve to obtain another point R on the same elliptic curve.

  11. Where, and is the slop of the line and is given by following formula:

  12. Point Doubling • Point doubling is the addition of a point P on the elliptic curve to itself to obtain another point R on the same elliptic curve.

  13. Point Multiplication • In point multiplication a point P on the elliptic curve is multiplied with a scalar k using elliptic curve equation to obtained another point Q on the same elliptic curve. i.e. Q = kP • Point multiplication is achieved by adding the point P to itself k times. • Point multiplication is also achieved by two basic elliptic curve operations 1. Point addition 2. point doubling • For example if k= 11 then kP=11.P=2(2(2P)+P)+P

  14. The Abelian Group • An abelian group using points on elliptic curve E can be defined with two points P, Q in E and the third point denoted by R (R=P+Q) on E, then following relations hold for all P, Q, R in E: • Closure: R = P+Q and R = P+P • Associativity: (P+Q)+R = P+(Q+R) • Commutativity: P+Q = Q+P • Existence of an identity element: P+O = O+P = P • Existence of inverses: there exists (-P) such that, -P+P = P+(-P) = O

  15. Elliptic Curve on Finite Field • To make operations on elliptic curve accurate and more efficient, the elliptic curve cryptography is defined over two finite fields. • Prime field GF(p) • Binary field GF(2n) • The field is chosen with finitely large number of points suited for cryptographic operations.

  16. Elliptic Curve over GF(p) • Let GF(p) be a finite field, p > 3, and let a, b  GF(p) are constant such that 4a3 + 27b2 (mod p) ≠ 0 (mod p). • An elliptic curve, Ep(a,b), is defined as the set of points (x,y)  GF(p) which satisfy the equation y2 x3 + ax + b (mod p) Here the elements of the finite field are integers between 0 and p-1. All the operations such as addition, subtraction, division, multiplication involves integers between 0 and p-1. • This finite group with a special point, O, called the point at infinity or Zero point. • The prime number p is chosen such that there is finitely large number of points on the elliptic curve to make the cryptosystem secure. Standards for Efficient Cryptography (SEC) specifies curves with p ranging between 112-512 bits.

  17. Algebraic Rules for Prime Fields GF(p) • P and Q be two points on Ep(a,b) and O is the point at infinity. • If P = (x1,y1) then -P = (x1 ,-y1) and P + (-P) = O. Here -y1 is the additive inverse of y1. • If P = (x1,y1) and Q = (x2,y2), and P and Q are not O. then P +Q = (x3 ,y3) where   x3 = 2 - x1 - x2 y3 = (x1 - x3) - y1 and  = (y2-y1)/(x2-x1) if P ≠ Q  = (3x12+a)/ 2y1 if P = Q

  18. Elliptic Curve over GF(2n) for some n 1 • Elliptic curve Ep(a,b) is defined to be the set of points (x,y)  GF(2n) which satisfy the equation y2 + xy = x3 + ax2 + b where x, y  GF(2n) and b≠0, together with the point on the curve at infinity, O. • The points on an elliptic curve form an abelian group under a well defined group operation. The identity of the group operation is the point O.

  19. Algebraic Rules for Binary field GF(2n) • The rules for adding points in GF(2n) is slightly different from the rules for GF(p). • In finding inverse If P=(x, y), then –P=(x, x + y) • If P = (x1,y1) and Q = (x2,y2), and P and Q are not O. then P +Q = (x3 ,y3), where x3 = 2+ +x1+x2+a y3 = (x1 + x3) + x3 + y1 and  = (y1+y2)/(x1+x2) if P ≠ Q • If Q=P, then R=P+P (or R=2P) can be found as x3 = 2 +  + a y3 =x12 + (+1) x3 and  = (x1 y1 + x1)/ y1 if P = Q

  20. What Is Elliptic Curve Cryptography (ECC)? • Elliptic curve cryptography (ECC])is a public-key cryptosystem just like RSA, Rabin, and ElGamal. • Every user has a public and a private key. • Public key is used for encryption/signature verification. • Private key is used for decryption/signature generation. • Elliptic curves are used as an extension to other current cryptosystems. • Elliptic Curve Diffie-Hellman Key Exchange • Elliptic Curve Digital Signature Algorithm

  21. Elliptic Curve Cryptosystem • Majority of public key cryptosystems (RSA,DH) use either integer or polynomial arithmetic with very large numbers/polynomials. • Imposes a significant load in storing and processing keys and messages. • The security of ECC depends on the difficulty of Elliptic Curve Discrete Logarithm problem. Let P and Q be two points on an elliptic curve such that kp=Q, where k is scalar. Given P and Q , it is computationally infeasible to obtain k, if k is sufficiently large. K is the discrete logarithm of Q to the base P. • All operations are performed over a Galois Field. So, results of kP seem rather “random”

  22. ECC Domain Parameters • ECC domain parameters[1] over GF(p), are a sextuple :  T = (p, a, b, G, n, h) • p is the prime number defined for finite field GF(p). • a and b  GF(p) defining the curve y2 x3 + ax + b (mod p) for p > 3 y2 + xy = x3 + ax2 + b for 2n where n 1 • G is the generator point or base point (xG,yG) on Ep(a,b) • n a prime which is the order of G (The order of a point P on an elliptic curve is the smallest positive integer r such that rP = O.) • An integer h which is the cofactor h = # Ep(a,b) /n. where # Ep(a,b) represents number of points on elliptic curve and is called the curve order.

  23. Elliptic Curve Key Pair Generation • An elliptic curve key pair(d, Q) associated with T consists of an elliptic curve secret key d , and an elliptic curve public key Q= (xQ, yQ) . • Elliptic curve key pairs should be generated [2] as follows: Input: Valid elliptic curve domain parameters T= ( p, a, b, G, n, h) Output: An elliptic curve key pair(d, Q) associated with T . Actions: Generate an elliptic curve key pair as follows: 1. Randomly select an integer d in the interval[1,n 1]. 2. Calculate Q= dG. 3. Output(d, Q).

  24. Elliptic Curve Public Key Validation Input:Valid elliptic curve domain parameters T= ( p, a, b, G, n, h) and an elliptic curve public key Q= (xQ, yQ) associated with T . Output: An indication of whether the elliptic curve public key is valid or not — either ‘valid’ or ‘invalid’. Actions: Validate[2] the elliptic curve public key as follows: 1. Check that Q ≠ O. 2. If T represents elliptic curve domain parameters over GF(p), check that xQ and yQ are integers in the range[1, p-1], and that: yQ2 xQ3 + axQ + b (mod p) 3. Check that nQ= O. 4. If any of the checks fail, output ‘invalid’, otherwise output ‘valid’.

  25. ECDH – Elliptic Curve Diffie Hellman • ECDH is a key agreement protocol that allows two parties to establish a shared secret key that can be used as a private key for encryption algorithms. • Both parties exchange some public information to each other, Using this public data and their own private data these parties calculates the shared secret key. Any third party, who doesn’t have access to the private details of each device, will not able to calculate the shared secret from the available public information. • For generating a shared secret between A and B using ECDH, both have to agree up on Elliptic Curve domain parameters.

  26. ECDH contd… • Both end have a key pair consisting of a private key d (a randomly selected integer less than n) and a public key Q = d * G (G is the generator point). • Let (dA, QA) be the private and public key pair of A and (dB, QB) be the private and public key pair of B • The end A computers K = (xK, yK) = dA * QB • The end B computes L = (xL, yL) = dB * QA • Since dAQB = dA dB G = dBQA , therefore K = L and hence xK = xL • Hence the shared secret is xK • It is practically impossible to find the private key dA or dB form the public keyK or L, its not possible to obtain the shared secret for a third party.

  27. ECDSA - Elliptic Curve Digital Signature Algorithm • Used for authenticating a device or message sent by the device • Signature Generation: To sign a message m, an entity A with domain parameters (p, Ep(a,b), G, n) and associated key pair (x, Q) does the following: • Select an integer k such that 1 ≤ k ≤ n-1 • Compute kQ = (x1, y1) • Compute r = x1 (mod n). If r = 0 then go to step 1 • Compute k-1 (mod n) • Compute SHA-1(m) and convert this string to an integer H(m) • Compute s = k-1 (H(m )+ xr ) (mod n). If s = 0, then go to step 1 • A’s signature for the message m is (r, s)

  28. ECDSA contd… • Signature Verification: To verify A’s signature (r, s) on m, B obtains an authentic copy of A’s domain parameter (p, Ep(a,b), G, n) and associated public key Q. B then does the following: • Verify that r and s are integers in the interval [1, n-1] • Compute SHA-1(m) and convert this string to an integer H(m) • Compute w = s (mod n) • Compute u = H(m) w (mod n) and u = rw (mod n) • Compute X = (x2, y2) = u1G + u2Q • If X = O, then reject the signature. Otherwise, compute v = x (mod n) • Accept the signature if and only if v = r

  29. Comparable Key Sizes (based on running time) • ECC, DSA and RSA key length comparisons[5] done by Lopez and Dahab in May 2000.

  30. RSA vs ECC Figure from [3]

  31. Advantages of ECC • Alternative hard problem • Speed • Data size • New types of schemes • Many options

  32. Disadvantages of ECC • Alternative hard problem • Curve generation • Many options

  33. Applications of ECC • Wireless communication devices • Smart cards • Web servers that need to handle many encryption sessions • Any application where security is needed but lacks the power, storage and computational power that is necessary for our current cryptosystems

  34. Summary of Elliptic Curves in Cryptography • ECC offers an attractive alternative to other public-key cryptosystems • new hard problem (analogous to discrete log) Q=kP, where Q,P belong to a prime curve given k,P “easy” to compute Q given Q,P  “hard” to find k , known as the elliptic curve logarithm problem (k must be large enough) • ECC security relies on elliptic curve logarithm problem • smaller key size compare with RSA etc. • for similar security ECC offers significant computational advantages

  35. References • [1] http://www.secg.org/collateral/sec2_final.pdf • [2] http://www.secg.org/collateral/sec1_final.pdf • [3] “The Basics of ECC”, http://www.certicom.com • [4] http://mathworld.wolfram.com/EllipticCurve.html • [5] An Overview of Elliptic Curve Cryptography by Julio Lopez and Richard Dahab May 2000. http://citeseer.ist.psu.edu/lop00overview.html • [6] http://www.dkrypt.com/home/ecc • [7] Cryptography and Network Security principles and practices by William Stallings 4th edition, Prentice-Hall of India

  36. THANK YOU

More Related