1 / 26

General Attacks on Elliptic Curve Based Cryptosystems

General Attacks on Elliptic Curve Based Cryptosystems. Merabi Chicvashvili Ron Ryvchin Project Advisor: Barukh Ziv Spring 2014. Elliptic Curves. Point addition can be defined geometrically and algebraically. Algebraic Approach. Point Addition R = P + Q

dariust
Télécharger la présentation

General Attacks on Elliptic Curve Based Cryptosystems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. General Attacks on Elliptic Curve Based Cryptosystems MerabiChicvashvili Ron Ryvchin Project Advisor: Barukh Ziv Spring 2014

  2. Elliptic Curves • Point addition can be defined geometrically and algebraically

  3. Algebraic Approach • Point Addition • R = P + Q • s = (Py – Qy) / (Px – Qx) • Rx = s2 – Px – Qx • Ry = s*(Px – Rx) - Py • Point Doubling • R = 2·P • s = (3·Px2 + a) / (2·Py) • Rx = s2 – 2·Px • Ry = s*(Px – Rx) - Py

  4. Cryptography with Elliptic Curves

  5. Elliptic Curve Encryption

  6. Attacking ECC • Best possible way is a ‘collision attack’ known as Pollard’s rho attack ,taking O(n1/2) curve additions, where n is the order of the base point • The Pohlig-Hellman algorithm reduces the size of the problem. • ECDLP is reduced to ECDLP modulo each prime factor of n • As field size increases, the attack becomes harder at an exponential rate • ECC key of 163 bits is equivalent to RSA key of 1024 bits • ECC key of 256 bits is equivalent to RSA key of 3072 bits

  7. Pollard rho Algorithm

  8. Pollard rho Algorithm

  9. Additive walks

  10. Cycle detection

  11. Performance Analysis - Speed • Attack performance dependents on: • Field arithmetic speed – provided by NTL library • Curve arithmetic speed – selection of coordinates • Algorithmic level – partition function, cycle detection

  12. Performance Analysis – additive walk and partition function

  13. Performance Analysis - coordinates • Affine point addition: • 1 squaring, 2 multiplications, 1 inverse • Inverse is expensive! • Jacobian coordinates: x, y, z • Jacobian point addition: • 12 squarings, 4 multiplications, no inverse!

  14. Performance Analysis - coordinates

  15. Performance Analysis – cycle detection • Brent’s cycle detection algorithm does less function evaluations than Floyd’s. In his work Brent claims that his algorithm improved Pollard Rho performance by 24%, on average. • Brent’s algorithm counts number of steps. At the end, we know the length of the cycle. • We used this counter to improve the algorithm for some cases of “rho” shape, staying with O(1) space complexity

  16. Performance Analysis – cycle detection “Perfect” cycle detection: • Tail = 2i - 1 • Cycle = 2i • No redundant steps

  17. Performance Analysis – cycle detection “Worse” case: • Tail = 2i • Cycle = 2i -1 • Same number of steps to collision • The algorithm does (tail-1) + 2i + cycle steps • Redundant steps: ~50%

  18. Performance Analysis – cycle detection Worst case 1: • Very short or no tail • An iteration finishes just one step short of the possible collision point • Could finish in about 2i steps, will take twice more Worst case 2: … • After finishing the tail in ~2i steps, we waste the same number of steps before we get the first green point on the cycle

  19. Performance Analysis – cycle detection “Middle point” improvement: • Remember the point after 2i-1 steps • Compare new points to both last “green” and “yellow” • Collision found after (tail – 1) + 2i-1 + cycle steps • Saving: 2i-1, which is ~1/6th of the original result • The saving is up to 1/4th • Experimental measurements: ~50% of attacks were shortened, for each challenge (key size) there was an attack that found middle point collision, speedup: 14-24%

  20. Results • Previous best results: 64 bits challenge in ~16 hours (1,993,844,576 function calls) • Our best result: • 64 bits in ~42 minutes (436,215,366 function calls) • 70 bits in ~5 hours (4,924,092,173 function calls)

  21. Full Results

  22. Special Challenge

  23. Special Challenge

  24. Special Challenge

  25. Special Challenge • Since the order of the curve is not a prime number we applied Pohlig-Hellman reduction to this challenge. • Although n is large, its largest prime factor is 28202267. • The whole attack finished in about 3 minutes.

  26. Bibliography • V. Shoup, "NTL: A Library for doing Number Theory" http://www.shoup.net/ntl/ • Darrel Hankerson, Alfred Menezes, Scott Vanstone, “Guide to Elliptic Curve Cryptography”. • I. Duursma, P. Gaudry, and F. Morain, “Speeding up the Discrete Log Computation on Curves with Automorphisms” • R´obertL´orencz, “New Algorithm for Classical Modular Inverse”.

More Related