Upload
others
View
11
Download
0
Embed Size (px)
Citation preview
Introduction toElliptic Curve Cryptography
Anupam Datta
18-733
Elliptic Curve Cryptography
β’ Public Key Cryptosystem
β’ Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptographyβ Groups / Number Theory Basis
β Additive group based on curves
β’ What is the point?β Less efficient attacks exist so we can use smaller keys
than discrete log / RSA based cryptography
Computing Dlog in (Zp)*(n-bit prime p)
Best known algorithm (GNFS): run time exp( )
cipher key size modulus size80 bits 1024 bits128 bits 3072 bits256 bits (AES) 15360 bits
As a result: slow transition away from (mod p) to elliptic curves
Elliptic Curvegroup size
160 bits
256 bits
512 bits
Discrete Logs
β’ Let π = 2π + 1 where π, π are large primes
β’ β€π is the group of integers modulo π
β’ β€π = 2π
β’ πΊπ = ππ β€π is the quadratic residue subgroup of β€π
β’ ππ β€π = π, subgroup of prime order
β’ Every element π β πΊπ is a generator, pick a random one
β’ Pick secret π₯, compute ππ₯πππ π
β’ Public: π, π, π, ππ₯ Secret: π₯
β’ Discrete Log Assumption: Given Public it is hard to find Secret
Outline
β’ Elliptic curves over reals
β’ Elliptic curves over ππ
β’ ECDH and ECDSA
Elliptic Curves
β’ Consider the following equation:π¦2 = π₯3 + ππ₯ + π
β’ Idea: we pick (π, π) and form a group which is a set containing all of the points that satisfy the equation
β’ This group will be defined with a very special addition operation which introduces an additional imaginary point
Example
Not all curves are valid elliptic curves
β’ Left: π¦2 = π₯3 has a βcuspβ
β’ Right: π¦2 = π₯3 β 3π₯ + 2 has a βself intersectionβ
β’ In general we require: 4π3 + 27π2 β 0
β’ Observation: curves are symmetric about the point π¦ = 0
Elliptic Curves as a Group
β’ Groups are sets defined over some operation with some structure / properties
β’ πΊ = π₯, π¦ : π¦2 = π₯3 + ππ₯ + π
β’ Define an operation denoted by β+β such that:
β’ If π1, π2 β πΊ, π1 + π2 β πΊ (Closure)
β’ π1 + π2 + π3 = π1 + (π2 + π3) (Associative)
β’ β0 π . π‘. βπ π + 0 = 0 + π = π (Identity)
β’ βπ βπβ1 π . π‘. π + πβ1 = 0 (Inverse)
β Curves will form an abelian group
β’ π1 + π2 = π2 + π1 (Communitive)
The Group Operation
β’ Not typical point-wise addition!
β’ What is this 0 element?
β π¦2 = π₯3 + ππ₯ + π does not include (0, 0) if π β 0
β’ How do we know inverses exist if we donβt know what the 0 element is?
β’ How do we maintain closure?
β π₯, π¦ + π₯, π¦ = 2π₯, 2π¦ for typical pointwise addition which in general does not lie on the curve
The Group Operation
β’ Let π, π, π β πΊ, such that a line passes through all of them, then group operation is:
π + π + π = 0
β’ This is strange, we have a relationship between points that lie along but no clear notion of traditional addition
β’ We can use the relationship to define a more traditional form of addition:
π + π = βπ
The Group Operationβ’ π + π = βπ
β’ π = π₯π , π¦π , βπ = π₯π , βπ¦πβ’ What happens if we want to compute
β π + π ?β’ What third point on the curve lies
on the line defined by (π , βπ )?
β’ We say this is the point defined at infinity, we denote it by 0, and it is the additive identity
β’ βπ + π = 0
β’ Adjust our definition of the group:β’ πΊ = π₯, π¦ : π¦2 = π₯3 + ππ₯ + π βͺ {0}
The Group Operation (Geometric)
β’ Given πΊ = π₯, π¦ : π¦2 = π₯3 + ππ₯ + π βͺ {0}, calculate π + πβ Geometrically, figure out the third point π such that a line goes through π,π, π and then
set P + π = βπ
β’ What could possibly go wrong?β P or Q could be 0
β’ 0 Is the identity under the group operation, so π + 0 = 0 + π = π
β P = -Qβ’ This is the case of βπ + π = 0 which was defined by the vertical line
β P = Qβ’ Imagine tangent to P, use that to find R. π + π = βπ describes the line tangent to π that intersects at π
β There is no 3rd pointβ’ This occurs when the line is tangent to exactly one of π or π. Suppose the line is tangent to π, then from before
we have π + π = βπ which gives us π + π = βπ
β’ If line is tangent to π, then π + π = βπ which would give us π + π = βπ
Algebraic Solution
β’ Let π β π, line defined by π, π has slope
π =π¦π β π¦π
π₯π β π₯π
β’ Intersection with point π = xR, yR :
β π₯π = π2 β π₯π β π₯π
β π¦π = π¦π +π π₯π β π₯π = yQ +m xR β xQ
β’ How would we check that this is correct?β Check if π₯π , π¦π β πΊ, if it is then correct with high probability
Multiplication
β’ We have defined addition, so now we can define multiplication
β’ π β π = π + π + β¦+ π π β π‘ππππ
β’ Inefficient for multiplying by large numbers
β’ Use doubling algorithm, analogue of repeated squaring algorithm for exponentiation
β’ Calculate 19 (6 Additions):β A = 1+1 = 2
β B = A + A = 2 + 2 = 4
β C = B + B = 4 + 4 = 8
β D = C + C = 16
β 19 = D + A + 1
Back to Discrete Logs
β’ In the discrete log setting, exponentiation was easy, but logs were hard
β ππ₯ β Easy, logπ ππ₯ β Hard
β’ In the elliptic curve setting, multiplication is easy but division is hard
β We still call division βlogarithmβ even though its really division here
β’ We used the asymmetry of these operations in the discrete log setting to do key exchange / encryption, can do a similar thing with elliptic curves
Fields
β’ A field is a set π½ with two operations (+,Γ) that has the following properties:
β π½ is an abelian group under +
β The non-zero elements of π½ are an abelian group under Γ
β π π + π = ππ + ππ βπ, π, π β π½ (Distributive)
Elliptic Curves Over a Field
β’ Note: β€πβ (+,Γ) is a field when π is prime
β’ Refine the definition of the curve group again:
β’ πΊ =π₯, π¦ β π½π
2: π¦2 = π₯3 + ππ₯ + π πππ π
4π3ΩΏ + 27π2 β 0 πππ πβͺ {0}
β’ Curves are now defined only at discrete points and not over the smooth lines that we had before
Elliptic Curves Over a Field
π¦2 = π₯3 β 7π₯ + 10 πππ π where π = 19, 97, 127, 487
Operation for Curves Over a Field
Curve π¦2 = π₯3 β π₯ + 3 (πππ 127), π = 16, 20 , π = (41, 120)
Operation for Curves Over a Field
β’ The addition operation that we defined before works exactly the same on curves defined over a field
β’ All of the special cases are handled exactly the same as before
β’ Intersection with point π = xR, yR still computed as:
β π₯π = π2 β π₯π β π₯ππππ π
β π¦π = π¦π +π π₯π β π₯π πππ π = yQ +m xR β xQ πππ π
Order of Elliptic Curve Group
β’ # of unique points in the group
β Could simply try and count them, but there are too many for this to be possible
β’ Efficient algorithms for computing this exist
Subgroups of Elliptic Curve Groups
β’ In the discrete log setting, we selected a generator π and computed π0, π1, β¦ πππ π
β’ This group generated by the generator had an order that divided the order of the parent group by Lagrangeβs Theorem
β’ In Elliptic Curves we can select a point P which is like a generator and compute 0π, π, 2π, 3π,β¦ πππ π, we call this a Base Point
β’ This operation will also generate a cyclic subgroup of the Elliptic curve group whose order divides the order of the parent group
Subgroups of Elliptic Curve Groups
β’ Suppose we pick a point, π, how can we find the order of the subgroup generated by π?
β’ Let N be the order of the parent group
β’ Let π = π1π1π2
π2 β¦ be the prime factorization of N
β’ Let n be the order of the subgroup
β’ Idea: take all divisors of N, given by the prime factorization, and sort them smallest to largest, call them n. The order of the subgroup is the smallest n such that nP = 0.
Finding Base Point With High Order
β’ We will want to find a base point that generates a subgroup with prime order that is as high as possible
β’ Let β =π
πwe will call β the cofactor of the subgroup
β’ Let π be the largest prime factor in the prime factorization of π
β’ ππ = 0 because π is an integer multiple of any point π
β’ π βπ = 0 by re-writing π = πβ
β’ This tells us that the point βπ = πΊ has order π unless πΊ = 0
β’ πΊ is a generator of a cyclic subgroup of prime order π
ECDH β Elliptic Curve Diffie-Hellman
β’ Regular Diffie-Hellman:β Alice has secret π and computes ππ
β Bob has secret π and computes ππ
β They exchange and compute πππ
β Key insight: it is hard for an adversary to compute πππ from ππ, ππ
β’ ECDH Setting, Public Parameters: π, π, π, πΊ, π, β
β π = large prime
β (π, π) = coefficients in π¦2 = π₯3 + ππ₯ + π
β πΊ = base point that generates subgroup of large prime order
β π = order of the subgroup
β β = cofactor of the subgroup
ECDH β Elliptic Curve Diffie-Hellman
β’ Alice: ππ΄ βπ β€π, π»π΄ = ππ΄πΊ
β’ Bob: ππ΅ βπ β€π, π»π΅ = ππ΅πΊ
β’ Alice -> Bob: π»π΄β’ Bob -> Alice: π»π΅
β’ Alice: ππ΄π»π΅ = ππ΄ππ΅πΊ
β’ Bob: ππ΅π»π΄ = ππ΅ππ΄πΊ
β’ Say π = ππ΄ππ΅πΊ is the shared secret, can use it to derive a symmetric key
ECDSA β Elliptic Curve Digital Signature Algorithm
β’ Public Information: π, π, π, πΊ, π, β
β’ Aliceβs Private Key: ππ΄β’ Aliceβs Public Key: π»π΄ = ππ΄πΊ
β’ Alice signs a message π β β€π by performing the following:
β π βπ β€πβ π = ππΊ = (π₯π , π¦π)
β π = π₯π πππ π, if π = 0 start over
β π = πβ1 π + πππ΄ πππ π, if π = 0 start over
β Output signature (π , π)
ECDSA β Elliptic Curve Digital Signature Algorithm
β’ Bob can verify a message signed by performing the following:β Bob gets π, π , π, π»π΄
β Calculate π’1 = π β1π πππ π, π’2 = π β1π πππ π
β Calculate π = π’1πΊ + π’2π»π΄β Valid if and only if π = π₯π πππ π
ECDSA β Elliptic Curve Digital Signature Algorithm
β’ Check that the algorithm is correct:
β π = π’1πΊ + π’2π»π΄ = π’1πΊ + π’2ππ΄πΊ = π’1 + π’2ππ΄ πΊ
β π = π β1π + π β1πππ΄ πΊ = π β1 π + πππ΄ πΊ
β π = πβ1 π + πππ΄ β π = π β1 π + πππ΄
β π = π β1 π + πππ΄ πΊ = ππΊ β Thus the signature will verify correctly
Acknowledgments
β’ Many slides created by Kyle Soska (TA for 18733 in Spring 2016)
Pairing Based Cryptography
β’ Computational Diffie-Hellman
β Given π, ππ, ππ compute πππ
β’ Decisional Diffie-Hellman
β Given π, ππ, ππ, cant tell πππ apart from random element ππ for random π
β’ Let πΊ1, πΊ2, πΊπ be groups of prime order π, then a bilinear pairing denoted π is an operation that maps from πΊ1 Γ πΊ2 β πΊπ such that
β’ βπ, π β π½π , βπ β πΊ1, βπ β πΊ2 π ππ, ππ = π π, π ππ β 1
β’ Idea: We can use pairing based cryptography to create a situation where Computational Diffie-Hellman is hard, but Decisional Diffie-Hellman is easy
Pairing Based Cryptography
β’ Computational Diffie-Hellman
β Given π, ππ, ππ compute πππ
β’ Decisional Diffie-Hellman
β Given π, ππ, ππ, cant tell πππ apart from random element ππ for random π
β’ Suppose an adversary has ππ , ππ, ππ§, where ππ§ is randomly either πππ or ππ for π random. How can he check which one he has?
β π ππ , ππ = π π, π ππ = π π, πππ
β Adversary computes π π, ππ§ =? π ππ, ππ
Pairing Based Signatures (Boneh et al.)
β’ π₯ βπ β€π
β’ Private Key: π₯, Public Key: ππ₯
β’ Sign message m by hashing it yielding β = π»(π) and signing the hash as π = βπ₯
β’ Verify (π, π) as π π, π =? π π» π , ππ₯
β π π, π = π βπ₯ , π = π π» π π₯, π = π π» π , π π₯ = π π» π , ππ₯
Twists Of Elliptic Curves
β’ Suppose you have an elliptic curve πΈ[π] over some field π½
β’ A twist of πΈ[π] another elliptic curve over a field extension of π½
β’ A twist of πΈ[π] will be isomorphic to πΈ[π], namely it will have the same order, and there is a 1-1 onto mapping between them
Other Notes
β’ Weil Pairing is a well studied paring where the groups πΊ are elliptic curves
β’ There are many standardized elliptic curve groupsβ π¦2 + π₯π¦ = π₯3 + ππ₯2 + 1 over π½2π, π = prime and π = 0 or 1β’ Koblitz Curves, very fast addition and multiplication
β π₯2 + π¦2 = 1 + ππ₯2π¦2 where π = 0 or 1β’ Edwards Curves, point addition is the same in all cases, and
reasonably fast