General Attacks on Elliptic Curve Based Cryptosystems Merabi Chicvashvili Ron Ryvchin Project Advisor: Barukh Ziv Spring 2014
Elliptic Curves • Point addition can be defined geometrically and algebraically
Algebraic Approach • Point Addition • R = P + Q • s = (Py – Qy) / (Px – Qx) • Rx = s^2 – Px – Qx • Ry = s·(Px – Rx) – Py • Point Doubling • R = 2·P • s = (3·Px^2 + a) / (2·Py) • Rx = s^2 – 2·Px • Ry = s·(Px – Rx) – Py
Attacking ECC • The best known generic attack is a ‘collision attack’, Pollard’s rho attack, taking O(n^(1/2)) curve additions, where n is the order of the base point • The Pohlig-Hellman algorithm reduces the size of the problem • ECDLP is reduced to ECDLP modulo each prime factor of n • As the field size increases, the attack becomes harder at an exponential rate • An ECC key of 163 bits is equivalent to an RSA key of 1024 bits • An ECC key of 256 bits is equivalent to an RSA key of 3072 bits
Performance Analysis – Speed • Attack performance depends on: • Field arithmetic speed – provided by the NTL library • Curve arithmetic speed – selection of coordinates • Algorithmic level – partition function, cycle detection
Performance Analysis - coordinates • Affine point addition: • 1 squaring, 2 multiplications, 1 inverse • Inverse is expensive! • Jacobian coordinates: x, y, z • Jacobian point addition: • 12 squarings, 4 multiplications, no inverse!
Performance Analysis – cycle detection • Brent’s cycle detection algorithm does fewer function evaluations than Floyd’s. In his work Brent claims that his algorithm improved Pollard rho performance by 24%, on average. • Brent’s algorithm counts the number of steps. At the end, we know the length of the cycle. • We used this counter to improve the algorithm for some cases of the “rho” shape, while keeping O(1) space complexity
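Added worked example (not the project's NTL-based code): Pollard's rho on a toy curve using the affine addition and doubling formulas from the Algebraic Approach slide, an additive walk over three partitions, and Brent's cycle detection with a step counter, as described above. The curve, base point, multiplier table and function names are constructed for illustration; the middle-point improvement of the following slides is not included.

```python
# Added example (not the project's code): Pollard rho for the ECDLP with
# Brent's cycle detection, using the affine formulas from the slides.
# Constructed toy parameters: y^2 = x^3 + 2x + 2 over F_17, P = (5, 1) of prime order 19.
p, a_coef, n = 17, 2, 19
P = (5, 1)

def add(A, B):
    """Affine addition/doubling; None is the point at infinity."""
    if A is None: return B
    if B is None: return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                            # P + (-P) = O
    if A == B:
        s = (3 * x1 * x1 + a_coef) * pow(2 * y1, -1, p) % p    # doubling slope
    else:
        s = (y1 - y2) * pow(x1 - x2, -1, p) % p                # chord slope
    x3 = (s * s - x1 - x2) % p
    return (x3, (s * (x1 - x3) - y1) % p)

def mul(k, A):
    """Double-and-add scalar multiplication k*A."""
    R = None
    while k:
        if k & 1: R = add(R, A)
        A, k = add(A, A), k >> 1
    return R

def pollard_rho(Q, partitions=3):
    """Return (k, steps) with Q = k*P, found by an additive walk X -> X + R_j."""
    table = [(j + 1, 2 * j + 3) for j in range(partitions)]    # constructed (a_j, b_j)
    R = [add(mul(aj, P), mul(bj, Q)) for aj, bj in table]       # R_j = a_j*P + b_j*Q
    def step(X, a, b):
        j = 0 if X is None else X[0] % partitions              # partition by x mod 3
        return add(X, R[j]), (a + table[j][0]) % n, (b + table[j][1]) % n
    for start in range(1, n):               # deterministic restart if b2 == b1
        tort, steps = (mul(start, P), start, 0), 1
        hare, power, lam = step(*tort), 1, 1
        while hare[0] != tort[0]:
            if power == lam:                # Brent: save the point reached after 2^i steps
                tort, power, lam = hare, 2 * power, 0
            hare, lam, steps = step(*hare), lam + 1, steps + 1
        # a1*P + b1*Q = a2*P + b2*Q  =>  k = (a1 - a2) / (b2 - b1) mod n
        db = (hare[2] - tort[2]) % n
        if db:
            k = (tort[1] - hare[1]) * pow(db, -1, n) % n
            if mul(k, P) == Q:
                return k, steps
    return None, None
```

The returned step count is the "function calls" figure the Results slide reports; in the real attack these are the expensive curve additions.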
Performance Analysis – cycle detection “Perfect” cycle detection: • Tail = 2^i – 1 • Cycle = 2^i • No redundant steps
Performance Analysis – cycle detection “Worse” case: • Tail = 2^i • Cycle = 2^i – 1 • Same number of steps to collision • The algorithm does (tail – 1) + 2^i + cycle steps • Redundant steps: ~50%
Performance Analysis – cycle detection Worst case 1: • Very short or no tail • An iteration finishes just one step short of the possible collision point • Could finish in about 2^i steps, but takes twice as many Worst case 2: … • After finishing the tail in ~2^i steps, we waste the same number of steps before we get the first green point on the cycle
Performance Analysis – cycle detection “Middle point” improvement: • Remember the point after 2^(i–1) steps • Compare new points to both the last “green” and “yellow” points • Collision found after (tail – 1) + 2^(i–1) + cycle steps • Saving: 2^(i–1), which is ~1/6th of the original result • The saving is up to 1/4th • Experimental measurements: ~50% of attacks were shortened; for each challenge (key size) there was an attack that found a middle point collision; speedup: 14–24%
Results • Previous best results: 64 bits challenge in ~16 hours (1,993,844,576 function calls) • Our best result: • 64 bits in ~42 minutes (436,215,366 function calls) • 70 bits in ~5 hours (4,924,092,173 function calls)
Special Challenge • Since the order of the curve is not a prime number we applied Pohlig-Hellman reduction to this challenge. • Although n is large, its largest prime factor is 28202267. • The whole attack finished in about 3 minutes.
Bibliography • V. Shoup, “NTL: A Library for doing Number Theory”, http://www.shoup.net/ntl/ • D. Hankerson, A. Menezes, S. Vanstone, “Guide to Elliptic Curve Cryptography” • I. Duursma, P. Gaudry, F. Morain, “Speeding up the Discrete Log Computation on Curves with Automorphisms” • R. Lórencz, “New Algorithm for Classical Modular Inverse”