Elliptic Curve Cryptosystems - Advanced Applied Cryptography | ECE 746, Study notes of Electrical and Electronics Engineering

Material Type: Notes; Professor: Gaj; Class: Advanced Applied Cryptography; Subject: Electrical & Computer Enginrg; University: George Mason University; Term: Unknown 1989;

Typology: Study notes

Pre 2010

Uploaded on 02/10/2009


Elliptic Curve Cryptosystems

ECE 746: Lecture 8

Elliptic Curve Cryptosystems - ECC

Advantages

• first true alternative for RSA

• several times shorter keys

• fast and compact implementations, in particular in hardware

• a family of cryptosystems, instead of a single cryptosystem

Elliptic Curve Cryptosystems - ECC

Disadvantages

• complex mathematical description

• short period of research on the cryptanalysis

Elliptic Curve Cryptosystems vs. RSA

Certicom

• Efficient software and hardware implementations

• ECC - "cryptography of the XXI century"

• Security Builder: ECC

RSA Data Security Inc.

• Efficient software implementations

• ECC - cryptography for low-risk applications

• BSAFE: RSA, ECC

Elliptic Curve - General Equation

Set of solutions (x, y) to the equation

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6$$

where $x, y \in K$ and K is a field

+ a special point called the point at infinity $\mathcal{O}$

$a_1, a_2, a_3, a_4, a_5, a_6 \in K$

Values of $a_i$ limited by constraints specific to the field K

Three Classes of Elliptic Curves

Elliptic curves built over

• K = GF(p)

• K = GF($2^m$), polynomial basis representation

• K = GF($2^m$), normal basis representation

Fast in hardware

Arithmetic operations present in many libraries

Compact in hardware

Generating a point of an elliptic curve (2)

4. Verify whether there exists y such that $z = y^2 \pmod p$ using Euler's criterion, i.e., check whether

$$z^{(p-1)/2} \equiv 1 \pmod p$$

(if this is the case, z is called a quadratic residue mod p)

e.g., $8^{(23-1)/2} \bmod 23 = 8^{11} \bmod 23 = (8^8 \bmod 23)(8^2 \bmod 23)(8^1 \bmod 23) \bmod 23 = 4 \cdot 18 \cdot 8 \bmod 23 = 1$

Generating a point of an elliptic curve (3)

5. If Euler's criterion is met, then there are two points with a given x coordinate, $(x, y_1)$ and $(x, y_2)$

Otherwise, if Euler's criterion is not met (i.e., $z^{(p-1)/2} \not\equiv 1 \pmod p$), then there is no point of the given elliptic curve with the given x coordinate

If $p \equiv 3 \pmod 4$ then $y_1$ and $y_2$ can be computed from the equations

$$y_1 = +z^{(p+1)/4} \bmod p$$

$$y_2 = -z^{(p+1)/4} \bmod p \equiv p - z^{(p+1)/4} \bmod p = p - y_1$$

Otherwise

E.g., $23 \equiv 3 \pmod 4$

$y_1 = 8^{(23+1)/4} \bmod 23 = 8^6 \bmod 23 = 13$

$y_2 = -13 \equiv 23 - 13 = 10$
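Steps 4 and 5 as code, an added example that is not part of the lecture notes. The earlier steps are not shown in these notes, so computing z as x^3 + ax + b (the curve form of the notes' GF(11) example) is an assumption, and the function names are hypothetical.

```python
def sqrt_mod(z, p):
    """Square roots of z modulo a prime p with p = 3 (mod 4); [] if none exist."""
    if p % 4 != 3:
        raise ValueError("the z^((p+1)/4) shortcut needs p = 3 (mod 4)")
    z %= p
    if z == 0:
        return [0]                        # single root: the point lies on y = 0
    if pow(z, (p - 1) // 2, p) != 1:      # Euler's criterion not met
        return []
    y1 = pow(z, (p + 1) // 4, p)
    return sorted([y1, p - y1])           # y2 = p - y1


def points_with_x(x, a, b, p):
    """All curve points (x, y) on y^2 = x^3 + a*x + b over GF(p) for one x."""
    z = (x**3 + a * x + b) % p            # assumed form of the missing steps 1-3
    return [(x, y) for y in sqrt_mod(z, p)]


def all_affine_points(a, b, p):
    """Every point except the point at infinity, found by trying each x."""
    return [pt for x in range(p) for pt in points_with_x(x, a, b, p)]
```

For the notes' values, `sqrt_mod(8, 23)` gives the two roots 10 and 13, and `all_affine_points(1, 6, 11)` lists the 12 affine points of the GF(11) example curve.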

Addition of two points on the elliptic curve over GF(p) (1)

$P = (x_1, y_1)$, $Q = (x_2, y_2)$

Case 1: $P + \mathcal{O} = \mathcal{O} + P = P$

Case 2: $x_2 = x_1$ and $y_2 = -y_1$, i.e., $Q = -P$

$P + Q = \mathcal{O}$

Addition of two points on the elliptic curve over GF(p) (2)

Case 3: $R = P + Q = (x_3, y_3)$

$$x_3 = \lambda^2 - x_1 - x_2$$

$$y_3 = \lambda (x_1 - x_3) - y_1$$

where

Case 3a: if $P \neq Q$

$$\lambda = \frac{y_2 - y_1}{x_2 - x_1} = (y_2 - y_1)(x_2 - x_1)^{-1}$$

Case 3b: if $P = Q$

$$\lambda = \frac{3x_1^2 + a}{2y_1} = (3x_1^2 + a)(2y_1)^{-1}$$

Example: Addition of points on the elliptic curve $y^2 = x^3 + x + 6$ over GF(11)

$P = (2, 7)$

$2P = P + P = (2, 7) + (2, 7)$

$\lambda = (3 \cdot 2^2 + 1)(2 \cdot 7)^{-1} \bmod 11 = 2 \cdot 3^{-1} \bmod 11 = 2 \cdot 4 \bmod 11 = 8$

$x_3 = 8^2 - 2 - 2 \bmod 11 = 9 - 2 - 2 \bmod 11 = 5$

$y_3 = 8(2 - 5) - 7 \bmod 11 = 9 - 7 \bmod 11 = 2$

$2P = (5, 2)$

Example: Addition of points on the elliptic curve $y^2 = x^3 + x + 6$ over GF(11)

$P = (2, 7)$, $2P = (5, 2)$

$3P = P + 2P = (2, 7) + (5, 2)$

$\lambda = (2 - 7)(5 - 2)^{-1} \bmod 11 = 6 \cdot 3^{-1} \bmod 11 = 6 \cdot 4 \bmod 11 = 2$

$x_3 = 2^2 - 2 - 5 \bmod 11 = 4 - 2 - 5 \bmod 11 = 8$

$y_3 = 2(2 - 8) - 7 \bmod 11 = 10 - 7 \bmod 11 = 3$

$3P = (8, 3)$

Exponentiation: $y = a^e \bmod n$

$e = (e_{L-1}, e_{L-2}, \ldots, e_1, e_0)_2$

Right-to-left binary exponentiation

    y = 1;
    s = a;
    for i = 0 to L-1
    {
        if (e_i == 1)
            y = y·s mod n;
        s = s^2 mod n;
    }

Left-to-right binary exponentiation

    y = 1;
    for i = L-1 downto 0
    {
        y = y^2 mod n;
        if (e_i == 1)
            y = y·a mod n;
    }

Scalar Multiplication: $Y = k \cdot P$

$k = (k_{L-1}, k_{L-2}, \ldots, k_1, k_0)_2$

Right-to-left binary scalar multiplication

    Y = O;
    S = P;
    for i = 0 to L-1
    {
        if (k_i == 1)
            Y = Y + S;
        S = 2S;
    }

Left-to-right binary scalar multiplication

    Y = O;
    for i = L-1 downto 0
    {
        Y = 2Y;
        if (k_i == 1)
            Y = Y + P;
    }

Diffie-Hellman

g - generator of $Z_p^*$

Alice

A's private key: $x_A$

A's public key: $y_A = g^{x_A}$

Secret derivation: $z_{AB} = y_B^{x_A} = g^{x_B x_A}$

Bob

B's private key: $x_B$

B's public key: $y_B = g^{x_B}$

Secret derivation: $z_{BA} = y_A^{x_B} = g^{x_A x_B}$

Elliptic Curve Diffie-Hellman

P - generator of E(GF(q))

Alice

A's private key: $x_A$

A's public key: $Q_A = x_A P$

Secret derivation: $Z_{AB} = x_A Q_B = x_A (x_B P)$

Bob

B's private key: $x_B$

B's public key: $Q_B = x_B P$

Secret derivation: $Z_{BA} = x_B Q_A = x_B (x_A P)$

Digital Signature Algorithm

System parameters

May be shared by a group of users or belong to a single user; known to everybody

q - 160-bit prime

p - L-bit prime, such that $q \mid p-1$, where $L = 1024 + 64 \cdot k$

$g = h^{(p-1)/q} \bmod p$, where $1 < h < p-1$, such that $g > 1$

From Fermat's theorem: $g^q \bmod p = h^{p-1} \bmod p = 1$

g - generator of the cyclic group of order q in $Z_p^*$

Elliptic Curve Digital Signature Algorithm ECDSA

System parameters

May be shared by a group of users or belong to a single user; known to everybody

E - elliptic curve over GF(p) or GF($2^m$)

P - point of order q on the elliptic curve E ($qP = \mathcal{O}$)

ECDSA: Signature generation

Message M

  1. Choose random message private key $1 < k < q$ (secret, different for each message)
  2. Compute message public key $R = kP$, $r = x_R \bmod q$. If $r = 0$ go back to 1.
  3. Compute hash value SHA(M)
  4. Compute $s = k^{-1} (\mathrm{SHA}(M) + x \cdot r) \bmod q$. If $s = 0$ go back to 1.

$\mathrm{SGN}(M) = r \,\|\, s$

DSA: Signature verification

Message M', signature $[\mathrm{SGN}(M)]'$ = r', s'

  1. Compute hash value SHA(M')
  2. Compute $w = (s')^{-1} \bmod q$
  3. Compute $u_1 = \mathrm{SHA}(M') \cdot w \bmod q$
  4. Compute $u_2 = r' \cdot w \bmod q$
  5. Compute $v = ((g^{u_1} \cdot y^{u_2}) \bmod p) \bmod q$
  6. Compare $v = r'$: Y - Signature valid, N - Signature invalid

ECDSA: Signature verification

Message M', signature $[\mathrm{SGN}(M)]'$ = r', s'

  1. Compute hash value SHA(M')
  2. Compute $w = (s')^{-1} \bmod q$
  3. Compute $u_1 = \mathrm{SHA}(M') \cdot w \bmod q$
  4. Compute $u_2 = r' \cdot w \bmod q$
  5. Compute $V = u_1 P + u_2 Y$; if $V = \mathcal{O}$, Signature invalid, else $v = x_V \bmod q$
  6. Compare $v = r'$: Y - Signature valid, N - Signature invalid
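The point addition cases, left-to-right scalar multiplication and ECDSA generation and verification steps above, run end to end on the notes' toy curve y^2 = x^3 + x + 6 over GF(11) with P = (2, 7). This is an added example, not part of the lecture notes: the function names, the order q = 13 of P (not stated in the notes) and reducing SHA-1 modulo q are assumptions, and the parameters are toy-sized.

```python
import hashlib, secrets
# Added example: toy parameters from the notes' worked example (y^2 = x^3 + x + 6
# over GF(11), P = (2, 7)); q = 13 is the order of P, an assumption not in the notes.
p, a, b = 11, 1, 6
P, q = (2, 7), 13
O = None  # point at infinity

def add(P1, P2):
    """Cases 1, 2, 3a and 3b of the addition law over GF(p)."""
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                     # P2 = -P1
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt):
    """Left-to-right binary scalar multiplication Y = k * pt."""
    Y = O
    for bit in bin(k)[2:]:
        Y = add(Y, Y)
        if bit == "1":
            Y = add(Y, pt)
    return Y

def sha(msg):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q

def sign(msg, x):
    """Return (r, s); a fresh random k is drawn for every attempt."""
    while True:
        k = secrets.randbelow(q - 2) + 2             # 1 < k < q
        r = mul(k, P)[0] % q
        s = pow(k, -1, q) * (sha(msg) + x * r) % q
        if r and s:                                  # r = 0 or s = 0: go back to 1
            return r, s

def verify(msg, sig, Y):
    r, s = sig
    if not (0 < r < q and 0 < s < q): return False
    w = pow(s, -1, q)
    V = add(mul(sha(msg) * w % q, P), mul(r * w % q, Y))
    return V is not O and V[0] % q == r
```

With private key x and public key `Y = mul(x, P)`, `verify(msg, sign(msg, x), Y)` returns True, and `mul(2, P)` and `mul(3, P)` reproduce the notes' results (5, 2) and (8, 3).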

El-Gamal Encryption

System parameters

May be shared by a group of users or belong to a single user; known to everybody

p - prime

g - generator of the group $Z_p^*$

Elliptic Curve El-Gamal Encryption

System parameters

May be shared by a group of users or belong to a single user; known to everybody

E - elliptic curve over GF(p) or GF($2^m$)

P - generator of the group of points on the elliptic curve

El-Gamal Encryption

Public and private key

Private key

x - arbitrary number 1 ≤ x ≤ p-

Public key

$y = g^x \bmod p$, $0 < y < p$

El-Gamal: Decryption

C(M): r, c

$M = c \cdot (r^x)^{-1} \bmod p$

Justification:

$$c \cdot (r^x)^{-1} \bmod p = y^k M \cdot ((g^k)^x)^{-1} = y^k M \cdot ((g^x)^k)^{-1} = y^k M \cdot (y^k)^{-1} = M$$

Elliptic Curve El-Gamal: Decryption

C(m): R, C

$M = C - xR$

m: x-coordinate of M

Justification:

$$C - xR = (kY + M) - xR = (kY + M) - xkP = (kY + M) - k(xP) = kY + M - kY = M$$

Menezes-Vanstone Elliptic Curve Cryptosystem

System parameters

May be shared by a group of users or belong to a single user; known to everybody

E - elliptic curve over GF(p) or GF($2^m$)

P - generator of the group of points on the elliptic curve

Menezes-Vanstone Elliptic Curve Cryptosystem

Public and private key

Private key

x - arbitrary number 1 ≤ x ≤ #E(GF(q))-

Public key

$Y = xP$

Menezes-Vanstone Cryptosystem: Encryption

  1. Choose random message private key $1 \le k \le \#E(GF(q)) - 1$ (secret, different for each message)
  2. Compute message public key $R = kP$
  3. Compute $C = kY = (c_1, c_2)$
  4. Form message block: $(m_1, m_2)$
  5. Compute $y_1 = c_1 m_1$, $y_2 = c_2 m_2$

$C(m_1, m_2) = R \,\|\, y_1, y_2$

Menezes-Vanstone Cryptosystem: Decryption

$C(m_1, m_2)$: R, $y_1$, $y_2$

$C = xR = (c_1, c_2)$

$m_1 = c_1^{-1} y_1$, $m_2 = c_2^{-1} y_2$

Justification:

$$xR = xkP = k(xP) = kY = C$$

Binary code size

                                   RSA      DSA          EC-DSA
Generation of system parameters    N/A      small        very large
Key generation                     medium   very small   very small
Core operations                    small    small        medium

Which cryptosystem is the best? (1)

Secure electronic mail

  • speed of operations is not critical, security and trust of customers are more important

  • message encrypted using a symmetric key cryptosystem

A key for a symmetric key cryptosystem encrypted once for each receiver: all operations performed by a sender

A key for a symmetric key cryptosystem decrypted separately by each receiver: load distributed among receivers

Advantage: RSA

Which cryptosystem is the best? (2)

Use in public key certificates

  • each certificate and CRL are signed only once but verified hundreds of times

Advantage: RSA

Which cryptosystem is the best? (3)

Wireless communication

  • large cost of transmission
  • shorter keys in ECCs
  • shorter signatures and certificates in ECCs and DSA
  • shorter messages in the key agreement schemes based on ECCs

Advantage: ECC

Which cryptosystem is the best? (4)

Hardware implementation

  • small area of integrated circuits implementing ECC, in particular ECCs over GF($2^m$)

  • faster decryption and key generation

Advantage: ECC

Summary

  • RSA in common use, ECC used mostly for wireless applications

  • New standards will support all three types of cryptosystems

  • ECC particularly advantageous in environments with limited bandwidth and storage (e.g., cellular telephones, pagers, smart cards)

  • If there is no breakthrough in cryptanalysis, the market will be shared among two (or three) classes of cryptosystems