Elliptic Curve Cryptosystems
ECE 746: Lecture 8
Elliptic Curve Cryptosystems - ECC
Advantages
• first true alternative for RSA
• several times shorter keys
• fast and compact implementations, in particular in hardware
• a family of cryptosystems, instead of a single cryptosystem
Elliptic Curve Cryptosystems - ECC
Disadvantages
• complex mathematical description
• short period of research on the cryptanalysis
Elliptic Curve Cryptosystems vs. RSA
Certicom | RSA Data Security Inc.
Efficient software and hardware implementations | Efficient software implementations
ECC - “cryptography of the XXI century” | ECC - cryptography for low-risk applications
Security Builder | BSAFE
ECC
RSA
ECC
Elliptic Curve - General Equation
Set of solutions (x, y) to the equation
y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6
where x, y ∈ K
K is a field
a_1, a_2, a_3, a_4, a_5, a_6 ∈ K
+ a special point called the point at infinity Ο
Values of a_i limited by constraints specific to the field K
Three Classes of Elliptic Curves
Elliptic curves built over
• K = GF(p)
• K = GF(2^m), polynomial basis representation
• K = GF(2^m), normal basis representation
Fast in hardware
Arithmetic operations present in many libraries
Compact in hardware
Generating a point of an elliptic curve (2)
4. Verify whether there exists y such that z = y^2 (mod p) using Euler’s criterion, i.e., check whether
z^((p-1)/2) = 1 (mod p)
(if this is the case, z is called a quadratic residue mod p)
e.g., 8^((23-1)/2) (mod 23) = 8^11 mod 23 =
= (8^8 mod 23)(8^2 mod 23)(8^1 mod 23) (mod 23) =
= 4 ⋅ 18 ⋅ 8 (mod 23) = 1
Otherwise
If Euler’s criterion is not met (i.e., z^((p-1)/2) ≠ 1 (mod p)), then there is no point of the given elliptic curve with the given x coordinate
Generating a point of an elliptic curve (3)
5. If Euler’s criterion is met, then there are two points with a given x coordinate
(x, y_1) and (x, y_2)
If p ≡ 3 (mod 4) then y_1 and y_2 can be computed from the equation
y_1 = + z^((p+1)/4) (mod p)
y_2 = - z^((p+1)/4) (mod p) ≡ p - z^((p+1)/4) (mod p) = p - y_1
Otherwise
E.g., 23 ≡ 3 mod 4
y_1 = 8^((23+1)/4) mod 23 = 8^6 mod 23 = 13
y_2 = -13 ≡ 23 - 13 = 10
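Steps 4 and 5 as runnable Python, an added example that is not part of the lecture notes. It assumes the short form y^2 = x^3 + ax + b (the form of the lecture's curve y^2 = x^3 + x + 6); the function names are illustrative, and only the p ≡ 3 (mod 4) case is handled.

```python
def sqrt_mod(z, p):
    """Square roots of z modulo a prime p, as a tuple (empty if none).

    Step 4: Euler's criterion decides whether z is a quadratic residue.
    Step 5: for p = 3 (mod 4) the roots are +/- z^((p+1)/4) mod p.
    """
    if p % 4 != 3:
        raise ValueError("only p = 3 (mod 4) is handled here")
    z %= p
    if z == 0:
        return (0,)                      # edge case: single root, y = 0
    if pow(z, (p - 1) // 2, p) != 1:     # Euler's criterion not met
        return ()
    y1 = pow(z, (p + 1) // 4, p)
    return (y1, p - y1)


def lift_x(x, a, b, p):
    """All curve points with the given x on y^2 = x^3 + a*x + b over GF(p)."""
    z = (x ** 3 + a * x + b) % p         # assumed form of the right-hand side
    return [(x, y) for y in sqrt_mod(z, p)]


def curve_points(a, b, p):
    """Every affine point of the curve (the point at infinity is not listed)."""
    points = []
    for x in range(p):
        points.extend(lift_x(x, a, b, p))
    return points


if __name__ == "__main__":
    print(sqrt_mod(8, 23))               # the lecture's z = 8, p = 23
    print(curve_points(1, 6, 11))        # the lecture's curve over GF(11)
```
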
Addition of two points on the elliptic curve over GF(p) (1)
P = (x_1, y_1), Q = (x_2, y_2)
Case 1:
P + Ο = Ο + P = P
Case 2:
x_2 = x_1 and y_2 = -y_1 (Q = -P)
P + Q = Ο
Addition of two points on the elliptic curve over GF(p) (2)
Case 3:
R = P + Q = (x_3, y_3)
x_3 = λ^2 - x_1 - x_2
y_3 = λ (x_1 - x_3) - y_1
where
Case 3a: if P ≠ Q
λ = (y_2 - y_1) / (x_2 - x_1) = (y_2 - y_1) (x_2 - x_1)^-1
Case 3b: if P = Q
λ = (3x_1^2 + a) / (2y_1) = (3x_1^2 + a) (2y_1)^-1
Example: Addition of points on the elliptic curve
y^2 = x^3 + x + 6 over GF(11)
P = (2, 7)
2P = P + P = (2, 7) + (2, 7)
λ = (3 ⋅ 2^2 + 1) (2 ⋅ 7)^-1 mod 11 =
= 2 ⋅ 3^-1 mod 11 = 2 ⋅ 4 mod 11 = 8
x_3 = 8^2 - 2 - 2 mod 11 = 9 - 2 - 2 mod 11 = 5
y_3 = 8 (2 - 5) - 7 mod 11 = 9 - 7 mod 11 = 2
2P = (5, 2)
Example: Addition of points on the elliptic curve
y^2 = x^3 + x + 6 over GF(11)
P = (2, 7) 2P = (5, 2)
3P = P + 2P = (2, 7) + (5, 2)
λ = (2 - 7) (5 - 2)^-1 mod 11 =
= 6 ⋅ 3^-1 mod 11 = 6 ⋅ 4 mod 11 = 2
x_3 = 2^2 - 2 - 5 mod 11 = 4 - 2 - 5 mod 11 = 8
y_3 = 2 (2 - 8) - 7 mod 11 = 10 - 7 mod 11 = 3
3P = (8, 3)
Exponentiation: y = a^e mod n
e = (e_{L-1}, e_{L-2}, …, e_1, e_0)_2
Right-to-left binary exponentiation
y = 1;
s = a;
for i = 0 to L-1 { if (e_i == 1) y = y ⋅ s mod n; s = s^2 mod n; }
Left-to-right binary exponentiation
y = 1;
for i = L-1 downto 0 { y = y^2 mod n; if (e_i == 1) y = y ⋅ a mod n; }
Scalar Multiplication: Y = k ⋅ P
k = (k_{L-1}, k_{L-2}, …, k_1, k_0)_2
Right-to-left binary scalar multiplication
Y = Ο;
S = P;
for i = 0 to L-1 { if (k_i == 1) Y = Y + S; S = 2S; }
Left-to-right binary scalar multiplication
Y = Ο;
for i = L-1 downto 0 { Y = 2Y; if (k_i == 1) Y = Y + P; }
Diffie-Hellman
g - generator of Z_p*
Alice
A’s private key: x_A
A’s public key: y_A = g^(x_A)
Secret derivation: z_AB = y_B^(x_A) = g^(x_B x_A)
Bob
B’s private key: x_B
B’s public key: y_B = g^(x_B)
Secret derivation: z_BA = y_A^(x_B) = g^(x_A x_B)
Elliptic Curve Diffie-Hellman
P - generator of E(GF(q))
Alice
A’s private key: x_A
A’s public key: Q_A = x_A P
Secret derivation: Z_AB = x_A Q_B = x_A (x_B P)
Bob
B’s private key: x_B
B’s public key: Q_B = x_B P
Secret derivation: Z_BA = x_B Q_A = x_B (x_A P)
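The three addition cases, both binary scalar multiplication loops and the ECDH exchange above, run on the lecture's curve y^2 = x^3 + x + 6 over GF(11). This is an added example, not code from the lecture; the function names are illustrative and any private keys passed to `ecdh` are constructed values.

```python
# Toy curve from the lecture's worked example: y^2 = x^3 + x + 6 over GF(11).
P_MOD, A = 11, 1
O = None  # point at infinity

def add(P, Q):
    """Group law, following Cases 1-3 of the lecture."""
    if P is O:
        return Q                                    # Case 1: O + Q = Q
    if Q is O:
        return P                                    # Case 1: P + O = P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                    # Case 2: Q = -P
    if P == Q:                                      # Case 3b: doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:                                           # Case 3a: P != Q
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul_rtl(k, P):
    """Right-to-left binary scalar multiplication (k >= 0)."""
    Y, S = O, P
    while k:
        if k & 1:
            Y = add(Y, S)
        S = add(S, S)
        k >>= 1
    return Y

def mul_ltr(k, P):
    """Left-to-right binary scalar multiplication (k >= 0)."""
    Y = O
    for bit in bin(k)[2:]:
        Y = add(Y, Y)
        if bit == "1":
            Y = add(Y, P)
    return Y

def ecdh(x_a, x_b, P):
    """Both sides of the exchange; returns (Z_AB, Z_BA)."""
    Q_a, Q_b = mul_ltr(x_a, P), mul_ltr(x_b, P)     # public keys
    return mul_ltr(x_a, Q_b), mul_ltr(x_b, Q_a)
```
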
Digital Signature Algorithm
System parameters
q - 160-bit prime
p - L-bit prime, such that q | p-1, where L = 1024 + 64·k
g = h^((p-1)/q) mod p, where 1 < h < p-1, such that g>
From Fermat’s theorem g^q mod p = h^(p-1) mod p = 1
g - generator of the cyclic group of order q in Z_p*
May be shared by a group of users or belong to a single user; known to everybody
Elliptic Curve Digital Signature Algorithm ECDSA
System parameters
E - elliptic curve over GF(p) or GF(2^m)
P - point of order q on the elliptic curve E (q P = Ο)
May be shared by a group of users or belong to a single user; known to everybody
ECDSA: Signature generation
1. Choose random message private key 1 < k < q (secret, different for each message)
2. Compute message public key R = k P, r = x_R mod q; if r = 0 go back to 1.
3. Compute hash value SHA(M) of message M
4. Compute s = k^-1 (SHA(M) + x · r) mod q; if s = 0 go back to 1.
SGN(M) = r || s
DSA: Signature verification
Message M’, signature [SGN(M)]’ = r’ || s’
1. Compute hash value SHA(M’)
2. Compute w = (s’)^-1 mod q
3. Compute u_1 = SHA(M’) · w mod q
4. Compute u_2 = r’ · w mod q
5. Compute v = ((g^(u_1) · y^(u_2)) mod p) mod q
6. Compare v = r’: Y - signature valid, N - signature invalid
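An added example (not from the lecture) that runs the DSA parameter relation and the verification steps above on constructed toy parameters p = 23, q = 11, h = 2. Signing uses r = (g^k mod p) mod q, the standard DSA counterpart of the slide's R = k P, and SHA-1 stands in for "SHA"; function names are illustrative.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: q divides p-1.
P, Q, H = 23, 11, 2
G = pow(H, (P - 1) // Q, P)               # g = h^((p-1)/q) mod p

def check_params(p, q, g):
    """q | p-1 and g generates the subgroup of prime order q."""
    return (p - 1) % q == 0 and 1 < g < p and pow(g, q, p) == 1

def digest(msg):
    """SHA(M) as an integer (SHA-1 is an assumption of this example)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big")

def sign_digest(e, x, k):
    """One signing attempt with message key k; None means 'go back to 1'."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (e + x * r) % Q
    return None if r == 0 or s == 0 else (r, s)

def sign(msg, x):
    """Sign with a fresh random k per message, retrying on r = 0 or s = 0."""
    while True:
        k = secrets.randbelow(Q - 2) + 2  # 1 < k < q
        sig = sign_digest(digest(msg), x, k)
        if sig:
            return sig

def verify_digest(e, sig, y):
    """Verification steps 2-6 for hash value e and public key y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):     # standard range check, not on the slide
        return False
    w = pow(s, -1, Q)
    u1, u2 = e * w % Q, r * w % Q
    v = pow(G, u1, P) * pow(y, u2, P) % P % Q
    return v == r

def verify(msg, sig, y):
    return verify_digest(digest(msg), sig, y)
```
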
ECDSA: Signature verification
Message M’, signature [SGN(M)]’ = r’ || s’
1. Compute hash value SHA(M’)
2. Compute w = (s’)^-1 mod q
3. Compute u_1 = SHA(M’) · w mod q
4. Compute u_2 = r’ · w mod q
5. Compute V = u_1 P + u_2 Y
if V = Ο, signature invalid
else v = x_V mod q
6. Compare v = r’: Y - signature valid, N - signature invalid
El-Gamal Encryption
System parameters
p - prime
g - generator of the group Z_p*
May be shared by a group of users or belong to a single user; known to everybody
Elliptic Curve El-Gamal Encryption
System parameters
May be shared by a group of users or belong to a single user; known to everybody
P - generator of the group of points on the elliptic curve
E - elliptic curve over GF(p) or GF(2^m)
Public and private key
Private key
x - arbitrary number 1 ≤ x ≤ p-
Public key
y = g^x mod p, 0 < y < p
El-Gamal Encryption
El-Gamal: Decryption
C(M): r, c
M = c ⋅ (r^x)^-1 mod p
Justification:
c ⋅ (r^x)^-1 mod p = y^k ⋅ M ⋅ ((g^k)^x)^-1 = y^k ⋅ M ⋅ ((g^x)^k)^-1 =
= y^k ⋅ M ⋅ (y^k)^-1 = M
Elliptic Curve El-Gamal: Decryption
C(m): R, C
M = C - x R
m: x-coordinate of M
Justification:
C - x R = (k Y + M) - x R = (k Y + M) - x k P =
= (k Y + M) - k (x P) = k Y + M - k Y = M
Menezes-Vanstone Elliptic Curve Cryptosystem
System parameters
May be shared by a group of users or belong to a single user; known to everybody
P - generator of the group of points on the elliptic curve
E - elliptic curve over GF(p) or GF(2^m)
Public and private key
Private key
x - arbitrary number 1 ≤ x ≤ #E(GF(q))-
Public key
Y = x P
Menezes-Vanstone Elliptic Curve Cryptosystem
Menezes-Vanstone Cryptosystem: Encryption
- Choose random message private key 1 ≤ k ≤ #E(GF(q))-1 (secret, different for each message)
- Compute message public key R = k P
- Compute C = k Y = (c_1, c_2)
- Form message block: (m_1, m_2)
- Compute y_1 = c_1 m_1, y_2 = c_2 m_2
C(m_1, m_2) = R || y_1, y_2
Menezes Vanstone Cryptosystem : Decryption
C(m_1, m_2): R, y_1, y_2
C = x R = (c_1, c_2)
m_1 = c_1^-1 y_1, m_2 = c_2^-1 y_2
Justification:
x R = x k P = k (x P) = k Y = C
Binary code size
Operation | RSA | DSA | EC-DSA
Generation of system parameters | N/A | small | very large
Key generation | medium | very small | very small
Core operations | small | small | medium
Which cryptosystem is the best? (1)
Secure electronic mail
- speed of operations is not critical, security and trust of customers are more important
- message encrypted using a symmetric key cryptosystem
A key for a symmetric key cryptosystem encrypted once for each receiver
All operations performed by a sender
A key for a symmetric key cryptosystem decrypted separately by each receiver
Load distributed among receivers
Advantage: RSA
Which cryptosystem is the best? (2)
Use in public key certificates
- each certificate and CRL are signed only once but verified hundreds of times
Advantage: RSA
Which cryptosystem is the best? (3)
Wireless communication
- large cost of transmission
- shorter keys in ECCs
- shorter signatures and certificates in ECCs and DSA
- shorter messages in the key agreement schemes based on ECCs
Advantage: ECC
Which cryptosystem is the best? (4)
Hardware implementation
- small area of integrated circuits implementing ECC, in particular ECCs over GF(2^m)
- faster decryption and key generation
Advantage: ECC
Summary
- RSA in common use, ECC used mostly for wireless applications
- New standards will support all three types of cryptosystems
- ECC particularly advantageous in environments with limited bandwidth and storage (e.g., cellular telephones, pagers, smart cards)
- If there is no breakthrough in cryptanalysis the market will be shared among two (or three) classes of cryptosystems