Elliptic Curve Cryptography
By
Krishan Swarup Gupta
Introduction
• ECC was introduced by Victor Miller and Neal Koblitz in 1985.
• DSA and RSA need larger key lengths.
• ECC requires a significantly smaller key size for the same level of security.
• Benefits of smaller key sizes: faster computations and less storage space.
• ECC is ideal for constrained environments: pagers, PDAs, cellular phones, smart cards.
Group
A group is an algebraic system consisting of a set G together with a binary operation * defined on G satisfying the following axioms:
1. Closure : for all x,y in G we have x * y ∈ G
2. Associativity : for all x,y and z in G we have (x * y) * z = x * (y * z)
3. Identity : there exists an e in G such that x * e = e * x = x for all x
4. Inverse : for all x in G there exists y in G such that x * y = y * x = e
In addition, if for all x, y in G we have x * y = y * x, then we say that the group G is abelian.
Finite Field
A finite field is an algebraic system consisting of a set F together with two binary operations + and * defined on F satisfying the following axioms:
1. F is an abelian group with respect to +.
2. F \ {0} is an abelian group with respect to *.
3. For all x, y and z in F we have x * ( y + z) = (x * y) + (x * z)
(x + y) * z = (x * z) + (y * z)
The order of the finite field is the number of elements in the field.
Galois Field GF(p)
It is a finite field and it consists of a set of integers {0, 1, 2, 3, …, p-1} where p is a prime number. Additionally it satisfies the following arithmetic operations:
1. Addition : if a, b ∈ GF(p), then a + b = r where r is the remainder of the division of a + b by p and 0 <= r <= p-1. This operation is called addition modulo p.
2. Multiplication : if a, b ∈ GF(p), then a . b = s where s is the remainder of the division of a . b by p and 0 <= s <= p-1. This operation is called multiplication modulo p.
Galois Field GF(2^m)
It is a finite field and is called a binary finite field. It is a vector space of dimension m over GF(2), i.e. there exists a set of m elements {m-1, …,1, 0} each i ∈ {0,1} in GF(2^m) such that each a ∈ GF(2^m)
a = m-1x^(m-1) + … + 1x + 0
Additionally it satisfies the following arithmetic operations, for a = {a_(m-1), …, a1, a0} and b = {b_(m-1), …, b1, b0} ∈ GF(2^m):
• Addition : a + b = c = {c_(m-1), …, c1, c0} where ci = (ai + bi) mod 2, and c ∈ GF(2^m).
• Multiplication : a . b = c = {c_(m-1), …, c1, c0} where c is the remainder of the division of the polynomial a(x) . b(x) by an irreducible polynomial of degree m, and c ∈ GF(2^m).
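The GF(2^m) operations above, as an added example that is not part of the original slides. Elements are stored as integers whose bit i is the coefficient of x^i; the function names and the two degree-4 polynomials are choices made for this illustration. The last helper shows why the reduction polynomial must be irreducible: with a reducible one, nonzero elements multiply to zero and the structure is no longer a field.

```python
def gf_add(a, b):
    """Coefficient-wise addition mod 2 is XOR; it is also subtraction."""
    return a ^ b

def gf_mul(a, b, f, m):
    """Return a(x)*b(x) mod f(x), where f has degree m and a, b < 2^m."""
    c = 0
    while b:
        if b & 1:
            c ^= a            # add the current multiple of a(x)
        b >>= 1
        a <<= 1               # multiply a(x) by x ...
        if (a >> m) & 1:
            a ^= f            # ... and reduce as soon as the degree reaches m
    return c

def gf_inv(a, f, m):
    """a^(2^m - 2) is the inverse of a != 0 when f is irreducible."""
    if a == 0:
        raise ZeroDivisionError("0 has no multiplicative inverse")
    result, e = 1, (1 << m) - 2
    while e:
        if e & 1:
            result = gf_mul(result, a, f, m)
        a, e = gf_mul(a, a, f, m), e >> 1
    return result

def zero_divisors(f, m):
    """Nonzero pairs whose product reduces to 0; empty when f is irreducible."""
    return [(a, b) for a in range(1, 1 << m) for b in range(a, 1 << m)
            if gf_mul(a, b, f, m) == 0]

F16 = 0b10011     # x^4 + x + 1, irreducible over GF(2)
BAD = 0b10001     # x^4 + 1 = (x + 1)^4, reducible
```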
Let GF(p) be a finite field, p > 3, and let a, b ∈ GF(p) be constants such that
4a^3 + 27b^2 ≢ 0 (mod p).
An elliptic curve, E(a,b)(GF(p)), is defined as the set of points
(x,y) ∈ GF(p) * GF(p) which satisfy the equation
y^2 ≡ x^3 + ax + b (mod p)
together with a special point, O, called the point at infinity.
Elliptic Curve over GF(p)
Let P and Q be two points on E(a,b)(GF(p)) and let O be the point at infinity.
• P+O = O+P = P
• If P = (x1,y1) then -P = (x1 ,-y1)
and P + (-P) = O.
• If P = (x1,y1) and Q = (x2,y2), and P and Q are not O.
then P + Q = (x3, y3) where
x3 = λ^2 - x1 - x2
y3 = λ(x1 - x3) - y1
and λ = (y2 - y1)/(x2 - x1) if P ≠ Q
λ = (3x1^2 + a)/(2y1) if P = Q
Elliptic Curve over GF(p)
• Elliptic curve E(a,b)(GF(2^m)) is defined to be
the set of points (x,y) ∈ GF(2^m) * GF(2^m) which satisfy the
equation
y^2 + xy = x^3 + ax^2 + b;
where a, b ∈ GF(2^m) and b ≠ 0,
together with the point on the curve at infinity, O.
• The points on an elliptic curve form an abelian group under a well defined group operation.
The identity of the group operation is the point O.
Elliptic Curve over GF(2^m) for some m ≥ 1.
Let P and Q be two points on E(a,b)(GF(2^m)) and let O be the point at infinity.
• P+O = O+P = P
• If P = (x1,y1) then -P = (x1 ,-y1)
and P + (-P) = O.
• If P = (x1,y1) and Q = (x2,y2), and P and Q are not O.
then P + Q = (x3, y3),
where y3 = λ(x1 + x3) + x3 + y1
and λ = (y1 + y2)/(x1 + x2) if P ≠ Q
λ = (x1 y1 + x1)/ y1 if P = Q
ECC Domain Parameters
ECC domain parameters over GF(q) are a sextuple:
T = (q, a, b, G, n, h)
• q = p or q = 2^m
• a and b ∈ GF(q)
y^2 ≡ x^3 + ax + b (mod p) for q = p > 3
y^2 + xy = x^3 + ax^2 + b for q = 2^m, m ≥ 1
• a base point G = (xG,yG) on E(a,b)(GF(q)),
• a prime n which is the order of G
(The order of a point P on an elliptic curve is the smallest positive integer r such that rP = O.)
• h = #E/n, where #E represents the number of points on the elliptic curve and is called the curve order.
ECC Key Generation
A public key Q = (xQ,yQ) associated with domain parameters
(q, a, b, G, n, h) is generated for an entity A using the following
procedure :
• Select a random or pseudo-random integer d in the interval [1,n-1].
• Compute Q = dG.
• A's public key is Q; A's private key is d.
ECC Key Validation
A public key Q = (xQ,yQ) associated with domain parameters
(q, a, b, G, n, h) is validated for an entity A using the following
procedure :
• Check that Q ≠ O.
• Check that xQ and yQ are properly represented elements of GF(q).
• Check that Q lies on the elliptic curve defined by a and b.
• Check that nQ = O.
Elliptic Curve Digital Signature Algorithm (ECDSA)
• Proposed by Abdalla, Bellare and Rogaway in 1999.
• Entity A has domain parameters D = (q, a, b, G, n, h) and
public key QA and private key dA. And entity B has authentic
copies of D and QA.
To sign a message m, A does the following:
• Select a random integer k from [1,n-1].
• Compute kG = (x1,y1) and r = x1 mod n. If r = 0 then go to step 1.
• Compute k^-1 mod n. Compute e = SHA-1(m).
• Compute s = k^-1 {e + dA . r} mod n.
If s = 0 then go to step 1.
A's signature for the message m is (r, s).
Elliptic Curve Digital Signature Algorithm (ECDSA)
To verify A's signature (r, s) on m, B performs the following steps:
• Verify that r and s are integers in [1,n-1].
• Compute e = SHA-1(m).
• Compute w = s^-1 mod n.
• Compute u1 = ew mod n and u2 = rw mod n.
• Compute (x1,y1) = u1G + u2QA
• Compute v = x1 mod n.
• Accept the signature if and only if v = r.
SHA-1 denotes the 160-bit hash function
Elliptic Curve Authenticated Encryption Scheme (ECAES)
Analogue of the DSA, proposed by Scott Vanstone in 1992.
To encrypt a message m for B, A performs:
• Select a random integer r from [1,n-1].
• Compute R = rG.
• Compute K = hrQB = (KX, KY). Check that K ≠ O.
• Compute k1|| k2 = KDF(KX).
• Compute c = ENC(k1, m). Compute t = MAC(k2, c).
• Send (R; c; t) to B.
ENC denotes a symmetric encryption scheme such as Triple-DES;
MAC denotes a message authentication code (MAC) algorithm
(“RFC 2104”); KDF denotes a key derivation function.
Elliptic Curve Authenticated Encryption Scheme (ECAES)
To decrypt a ciphertext (R; c; t), B does:
• Perform a partial key validation on R.
• Compute K = hdBR = (KX, KY). Check that K ≠ O.
• Compute k1|| k2 = KDF(KX).
• Verify that t = MAC(k2, c).
• Compute m = ENC^-1(k1, c).
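The symmetric half of ECAES (the KDF, ENC and MAC steps on both sides), as an added example that is not part of the original slides. It takes the shared x-coordinate KX as already computed by each party; the SHAKE-256 based KDF, the XOR keystream standing in for ENC (the slides suggest Triple-DES) and HMAC-SHA-256 as the MAC are assumptions made to keep it within the Python standard library.

```python
import hashlib
import hmac

def kdf(kx):
    """k1 || k2 = KDF(KX). Assumed KDF: SHAKE-256 of the 32-byte x-coordinate."""
    okm = hashlib.shake_256(b"ecaes-kdf" + kx.to_bytes(32, "big")).digest(64)
    return okm[:32], okm[32:]

def enc(k1, data):
    """Stand-in for ENC: XOR with a SHAKE-256 keystream, so ENC^-1 is the same call.
    Acceptable only because k1 is used once (a fresh r gives a fresh K per message)."""
    stream = hashlib.shake_256(b"ecaes-enc" + k1).digest(len(data))
    return bytes(x ^ y for x, y in zip(data, stream))

def seal(kx, m):
    """Sender, after computing K = hrQB: returns (c, t)."""
    k1, k2 = kdf(kx)
    c = enc(k1, m)
    return c, hmac.new(k2, c, hashlib.sha256).digest()

def open_sealed(kx, c, t):
    """Receiver, after computing K = hdBR: check t before decrypting c."""
    k1, k2 = kdf(kx)
    expected = hmac.new(k2, c, hashlib.sha256).digest()
    if not hmac.compare_digest(t, expected):      # constant-time comparison
        raise ValueError("MAC check failed: ciphertext rejected")
    return enc(k1, c)

KX = 0x1F2E3D4C5B6A79880123456789ABCDEF  # constructed sample x-coordinate
```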
ECC, DSA and RSA key length comparisons done by Lopez and
Dahab in May 2000.
Elliptic Curve Cryptography provides added security over DSA/RSA.
Reference :
• An Overview of Elliptic Curve Cryptography by Julio Lopez and Richard Dahab May 2000. http://citeseer.ist.psu.edu/lop00overview.html
• M. Abdalla, M. Bellare and P. Rogaway. “DHAES: An encryption scheme on the Diffie-Hellman problem”, preprint 1999. http://www-cse.ucsd.edu/users/mihir/
• www.rsasecurity.com
• http://www.certicom.com/index.php?action=res,ecc_faq
• http://cgd.best.vwh.net/home/flt/flt03.htm
• http://mathworld.wolfram.com/EllipticCurve.html