discrete math iiinfosec.pusan.ac.kr/.../2019/03/2-2.security-protocols-ecc_ver1.pdf · an elliptic...

지능형사물인터넷시스템- Elliptic Curve Cryptography-

Howon Kim

2019. 3

Introduction to Elliptic Curves

2

Graphical Representation

X axis

Y axis

Curves of this nature

are called elliptic curves

3

Elliptic Curve (EC) systems as applied to cryptography were first proposed in 1985 independently by Neal Koblitz and Victor Miller.

The discrete logarithm problem on elliptic curve groups is believed to be more difficult than the corresponding problem in(the multiplicative group of nonzero elements of) the underlying finite field.

Elliptic Curves in Cryptography

4

Discrete Logarithms in Finite Fields

Alice Bob

Pick secret, random X from F

Pick secret, random Y from F

gy mod p

gx mod p

Compute k=(gy)x=gxy mod p Compute k=(gx)y=gxy mod p

Eve has to compute gxy from gx and gy without knowing x and y…

She faces the Discrete Logarithm Problem in finite fields

F={1,2,3,…,p-1}

5

Ref) Discrete Logarithm Problem

6

Discrete Logarithm Problem

Let be any group, written multiplicatively for the moment, and let

Suppose we know that for some integer

In this context, the DLP is again to find .

could be the multiplicative g

, .

o p r u

k

G a b G

a b k

k

G

* of a finite field.

Also, could be for some elliptic curve, in which case and are points on

and we are trying to find an integer with

( )

.

q

q

F

G E F a b E

k ka b

Consider y2 = x3 + 2x + 3(mod 5)

x = 0 y2 = 3 no solution (mod 5)

x = 1 y2 = 6 = 1 y = 1,4 (mod 5)

x = 2 y2 = 15 = 0 y = 0 (mod 5)

x = 3 y2 = 36 = 1 y = 1,4 (mod 5)

x = 4 y2 = 75 = 0 y = 0 (mod 5)

Then points on the elliptic curve are

(1,1)(1,4)(2,0)(3,1)(3,4)(4,0)

and the point at infinity:

Using the finite fields we can form an Elliptic Curve Group

where we also have a DLP problem which is harder to solve…

Elliptic Curve on a finite set of Integers

7

1 2 3

2

3

4 1

1 4

0 0 0

0

0

1 2 3

2

3

4

4

0

4

0 4

3

2

3 2 1

0

0

1

0

0

0

An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with a rational point (which may be a point at infinity).

The field K is usually taken to be the complex numbers, reals, rationals, algebraic extensions of rationals, p-adic numbers, or a finite field.

Elliptic curves groups for cryptography are examined with the underlying fields of Fp (where p>3 is a prime) and F2

m (a binary representation with 2m elements).

8

Definition of Elliptic curves

An elliptic curve is a plane curve defined by an equation

of the form2 3y x Ax B

Examples

9

General form of a EC

The Elliptic curve E is the graph of an equation of the form

Generalized Weierstrass Equation of elliptic curves:

2 2 2

1 3 2 4 6y a xy a y x a x a x a

10

Weierstrass Equation

If is a field with , then we say that is defined ov r ., eK A B K E K

11

Singular Point

A singular point of an algebraic curve is a point where the curve has "nasty" behavior such

as a cusp or a point of self-intersection (when the underlying field is taken as the

reals). More formall

K

y,

if the and partial

a point ( , ) on a cu

derivatives of a

rve ( , ) 0 is singular

( ,re both zero at the point ) .

a b f x y

x y f a b

Elliptic Curve over field L

It is useful to add the point at infinity

The point is sitting at the top of the y-axis and any line is said to pass through the point when it is vertical

It is both the top and at the bottom of the y-axis

2 3( ) { } {( , ) | ... ...}E L x y L L y x

12

Points on the Elliptic Curve (EC)

P + Q = Q + P (commutativity)

(P + Q) + R = P + (Q + R) (associativity)

P + O = O + P = P (existence of an identity element)

there exists ( − P) such that − P + P = P + ( − P) = O (existence of

inverses)

13

The Abelian Group

G , ( )

( )

, , ( ).

iven two points in ,

there is a third point, denoted by on? ,

and the following relations hold for all  in

p

p

p

P Q E F

P Q E F

P Q R E F

14

Abelian Group ?

15

The Group Law

We could start with two points, or even one point, on an elliptic curve,

and produce another point.

< Adding Points on an EC >

1 2

1 2In the case

P P

x x

16

The Group Law

< Adding Points on an EC >

2 3y x Ax B

17

The Group Law

< Adding Points on an EC >

2 3y x Ax B

18

The Group Law1 2

1 2 1 2In the case but

P P

x x y y

19

The Group Law

1 2 1 1( , )P P x y

2 3y x Ax B

20

The Group Law

2P

21

The Group Law – Summary

2 1P P

22

The Abelian Group – Theorem

2 2 2

1 3 2 4 6(2.1) y a xy a y x a x a x a

x

y

1 1 2 2

3 3

( , ), ( , )

( ) ( , )

P x y Q x y

R P Q x y

y=m(x-x1)+y1

2 1

2 1

2 3

1 1

3 2 2

2

3 1 2

3 1 2 1

;

To find the intersection with E. we get

( ( ) )

,0 ...

,

( )

y ym

x x

m x x y x Ax B

or x m x

So x m x x

y m x x y

Let, P≠Q,

y2=x3+Ax+B

23

Addition in Affine Co-ordinates

Let, P=Q

What happens when P2=∞?

2

2

1

1

1 1 2

3 2 2

2

3 1 3 1 3 1

2 3

3

2

, 0 (since then P +P = ):

0 ...

2 , ( )

dyy x A

dx

dy x Am

dx y

If y

x m x

x m x y m x x y

24

Doubling of a point

21

1

2

1

21

12

12

_2

3

_

xxfory

ax

xxforxx

yy

Define for two points P (x1,y1) and

Q (x2,y2) in the Elliptic curve

Then P+Q is given by R(x3,y3) :

1133

213

)( yxxy

xxx

25

Sum of two points

P+P = 2P

Point at infinity O

As a result of the above case P=O+P

O is called the additive identity of

the elliptic curve group.

Hence all elliptic curves have an

additive identity O.

26

Introduction to Elliptic Curves

Elliptic Curve Cryptosystems

Implementation of ECC in Binary Fields

27

Agenda

28

Scalar multiplication

Elliptic Curves over Finite Fields

29

30

EC over Finite Fields

31

EC over Finite Fields

Since the sum of three roots is - (-4) 4,

the third root is 4. (3 2 4) mod 5.x x

Applications of ECC

32

Secrecy: Only B can Decrypt

the message

Authentication: Only A can

generate the encrypted message33

Public Key Cryptography

34

Public Key Cryptography

35

Public Key Cryptography

Elliptic curve cryptography [ECC] is a public-key

cryptosystem just like RSA, Rabin, and El Gamal.

Every user has a public and a private key.

Public key is used for encryption/signature verification.

Private key is used for decryption/signature generation.

Elliptic curves are used as an extension to other

current cryptosystems.

Elliptic Curve Diffie-Hellman Key Exchange

Elliptic Curve Digital Signature Algorithm

36

What is ECC?

The central part of any cryptosystem involving elliptic

curves is the elliptic group.

All public-key cryptosystems have some underlying

mathematical operation.

RSA has exponentiation (raising the message or ciphertext

to the public or private values)

ECC has point multiplication (repeated addition of two

points).

37

Using Elliptic Curves In Cryptography

38

Diffie-Hellman Key Exchange

39

Diffie-Hellman Key Exchange

40

Diffie-Hellman Key Exchange

Public: Elliptic curve and point B=(x,y) on curve

Secret: Alice’s a and Bob’s b

Alice, A Bob, B

a(x,y)

b(x,y)

Alice computes a(b(x,y))

Bob computes b(a(x,y))

These are the same since ab = ba

41

ECC Diffie-Hellman

Alice and Bob want to agree on a shared key.

Alice and Bob compute their public and private keys.

Alice

Private Key = a

Public Key = PA = a * B

Bob

Private Key = b

Public Key = PB = b * B

Alice and Bob send each other their public keys.

Both take the product of their private key and the other user’s public key.

Alice KAB = a(bB)

Bob KAB = b(aB)

Shared Secret Key = KAB = abB

42

Example – Elliptic Curve Diffie-Hellman Exchange

43

Digital Signature Algorithm

44

ECDSA

45

ECDSA

1 1 1 1Since , ( ) ( ( )( ) )s k m ax s k m axm ax G m xa G kG

How do we analyze Cryptosystems?

How difficult is the underlying problem that it is

based upon

RSA – Integer Factorization

DH – Discrete Logarithms

ECC - Elliptic Curve Discrete Logarithm problem

How do we measure difficulty?

We examine the algorithms used to solve these problems

46

Why use ECC?

To protect a 128 bit

AES key it would take a:

RSA Key Size: 3072 bits

ECC Key Size: 256 bits

How do we strengthen

RSA?

Increase the key length

Impractical?

47

Security of ECC

Many devices are small and have limited storage and computational power

Where can we apply ECC?Wireless communication devices

Smart cards

Web servers that need to handle many encryption sessions

Any application where security is needed but lacks the power, storage and computational power that is necessary for our current cryptosystems

48

Applications of ECC

Same benefits of the other cryptosystems:

confidentiality, integrity, authentication and non-

repudiation but…

Shorter key lengths

Encryption, Decryption and Signature Verification

speed up

Storage and bandwidth savings

49

Benefits of ECC

“Hard problem” analogous to discrete log Q=kP, where Q,P belong to a prime curve

given k,P “easy” to compute Q

given Q,P “hard” to find k

known as the elliptic curve logarithm problem

k must be large enough

ECC security relies on elliptic curve logarithm problem compared to factoring, can use much smaller key sizes than with RSA etc

for similar security ECC offers significant

computational advantages

50

Summary of ECC

Introduction to Elliptic Curves

Elliptic Curve Cryptosystems

Implementation of ECC in Binary Fields

51

Agenda

Implementation of ECC in Binary Fields

52

ECC

Pointmultiplication:

kP

Group operation: point add/double

Finite field arithmetic: multiplication,addition, subtraction, inversion, …

Parallelize the architectures

Level 0

Level 1

Level 2

Level 3

53

ECC Operations : Hierarchy

54

Exponentiation (xn)

55

Point (Scalar) multiplication on ECC

56

Montgomery’s ladder for Exponentiation

Ref) Handbook of Elliptic and Hyperelliptic Curve Cryptography, CH9

57

Montgomery’s ladder on ECC

Ref) Handbook of Elliptic and Hyperelliptic Curve Cryptography, CH13

At each step, one performs one addition and one doubling, which makesThis method interesting against side-channel attacks !

Input: k>0, P

Output: Q=kP

1. Set k<-(kl-1,…,k1,k0)2

2. Set P1=P, P2=2P

3. For i from l-2 to 0

If ki=1,

Set P1=P1+P2, P2=2P2

else

Set P2=P2+P1, P1=2P1

4. Return Q=P1

Invariant Property:

P=P2-P1

Question: How to implement the

Operation efficiently?

58

Montgomery’s method to perform scalar multiplication

Compute 7P

7=(111)2

Initialization:

P1=P; P2=2P

Steps:

P1=3P, P2=4P

P1=7P, P2=8P

Compute 6P

7=(110)2

Initialization:

P1=P; P2=2P

Steps:

P1=3P, P2=4P

P2=7P, P1=6P

59

Example

60

Non-adjacent form (NAF) method

Ref) Guide to Elliptic Curve Cryptography, page 98

q- on an elliptic curve is just as efficient as addition over P

61

Non-adjacent form (NAF) methodNon-adjacent form

2

2

Like the name suggests, non-zero values c

The non-adjacent form (NAF) of a number is a unique signed-digit representation.

. For example:

(0 ) 4 2

ann

1 7

(1 0 ) 8 - 2

ot be

1 1 1

-1

adjacent

1

2

2

1 7

( ) 8 - 4 2 1 7

8 - 1 7

All are valid signed-digit representations of 7,

(1 0 0 -1)

but only the final representation (1

1 -1 1 1

0 0 -1) is

in NAF.

Ref) Guide to Elliptic Curve Cryptography, page 98

62

Non-adjacent form (NAF) method

Ref) Guide to Elliptic Curve Cryptography, page 99

63

Window method

Ref) Guide to Elliptic Curve Cryptography, page 99

64

-End-

Thank you~

Slides Elliptic Curve Cryptography by Debdeep Mukhopadhyay, Dept of

Computer Sc and Engg IIT Madras

Books Elliptic Curves: Number Theory and Cryptography, by Lawrence C.

Washington

Guide to Elliptic Curve Cryptography, Darrel R. Hankerson, A. Menezes

and A. Vanstone

65

References