Information_Security..

Transcript Information_Security..

YSL

Elliptic Curve Cryptography (ECC)

• For the same length of keys, faster than RSA • For the same degree of security, shorter keys are required than RSA • Standardized in IEEE P1363 • Confidence level not yet as high as that in RSA • Much more difficult to explain than RSA Information Security -- Public-Key Cryptography 1

YSL

Elliptic Curve Cryptography (cont’d)

• Named so because they are described by cubic equations (used for calculating the circumference of an ellipse) • Of the form

2 +

axy

3 +

2 +

where all the coefficients are real numbers satisfying some simple conditions • Single element denoted

O infinity

or the

zero point

and called the

point at

Information Security -- Public-Key Cryptography 2

Elliptic Curve Cryptography (cont’d)

YSL • Define the rules of addition over an elliptic curve –

serves as the additive identity. Thus

= -

; for any point

on the elliptic curve,

–

1 = (

2 = (

). Then,

1 therefore

1 = -

2 .

– To add two points

and

2 +

= with different

O x

, and coordinates, draw a straight line between them and find the third point of intersection

1 . If the line is tangent to the curve at either Finally,

1 =

and

Q Q

then

1 +

= -

1 .

. Information Security -- Public-Key Cryptography 3

YSL

Elliptic Curve Cryptography (cont’d)

• Define the rules of addition over an elliptic curve (cont’d) – To double a point

, draw the tangent line and find the other point of intersection

. Then

= 2

= -

Information Security -- Public-Key Cryptography 4

Elliptic Curve Cryptography (cont’d)

YSL • Elliptic curves over finite field – Define ECC over a finite field – The elliptic group mod

, where

– Choose 2 nonnegative integers

that satisfy [4

3 + 27

2 ] (mod

)  0 is a prime number and

, less than

– E

(

) denotes the elliptic group mod

whose element (

) are pairs of non-negative integers less than

p y

2 

3 satisfying +

(mod

), with

Information Security -- Public-Key Cryptography 5

Elliptic Curve Cryptography (cont’d)

• Elliptic curves over finite field (cont’d) – Example: Let

= 23,

= 1. This satisfies the condition for an elliptic curve group mod 23. YSL Information Security -- Public-Key Cryptography 6

Elliptic Curve Cryptography (cont’d)

YSL Information Security -- Public-Key Cryptography 7

Elliptic Curve Cryptography (cont’d)

YSL • Generation of nonnegative integer points from (0,0) to (

) in E

For each

such that 0 



, calculate

3 



(mod

For each result from the previous step, determine if it has a square root mod

. If not, there are no points in E

(

) with this value of

. If so, there will be two values of

that satisfy the square root operation (unless the value is the single

value of 0). These (

) values are points in E

(

Information Security -- Public-Key Cryptography 8

Elliptic Curve Cryptography (cont’d)

YSL • Rules of addition over E

(

) 1.

= (

), then

+ (

, -

) =

. The point (

, -

) is the negative of

, denoted as -

. Observe that (

, -

) is a point on the elliptic curve, as seen graphically (Figure 6.18b) and in E

(

). For example, in E 23 (1, 1), for

= (13,7), we have -

= (13, -7). But -7 mod 23 = 16. Therefore, -

= (13, 16), which is also in E 23 (1, 1).

Table 6.4 Points on the Elliptic Curve E 23 (1, 1) (0,1) (0,22) (1,7) (1,16) (3,10) (3,13) (4,0) (5,4) (5,19) (6,4) (6,19) (7,11) (7,12) (9,7) (9,16) (11,3) (11,20) (12,4) (12,19) (13,7) (13,16) (17,3) (17,20) (18,3) (18,20) (19,5) (19,18) Information Security -- Public-Key Cryptography 9

Elliptic Curve Cryptography (cont’d)

YSL Information Security -- Public-Key Cryptography 10

Elliptic Curve Cryptography (cont’d)

YSL • Rules of addition over E

(

) (cont’d) 3. If

1 ,

1 ) and

= (

2 ,

2 ) with

≠ -

, then

= (

3 ,

3 ) is determined by the following rules:

3    2  ( 

1  

3 )

2  (mod

)

1 (mod

) , where       

y x

2 2 3

1 2 2  

1 

a if P



Q if P



We look at two examples, taken from [JUR197]. Let

= (3, 10) and

= (9, 7). Then 

3   7 9  11  2 10 3  3    6 9 3    2 109 1   11 17 mod mod 23 23

3  11 ( 3  (  6 ))  10  89  20 mod 23 So

= (17, 20). To find 2

, 

3   3 ( 6 2 2 3 2  )  10 3   1  5 3  20 30   1 4  6 7 mod mod 23

3  6 ( 3  7 )  10   34  23 12 mod 23 and 2

= (7,12). Again, multiplication is defined as repeated addition; for example, 4

Information Security -- Public-Key Cryptography 11

YSL

Elliptic Curve Cryptography (cont’d)

• Analog of Diffie-Hellman key exchange – Pick a prime number

in the range of 2 180 .

– Choose

and

– Define the elliptic group of points E

(

– Pick a generator point the smallest value of

n G

= (

) in E

(

) such that for which

be a very large prime number.

– E

(

) and

are known to the participants.

Information Security -- Public-Key Cryptography 12

YSL

Elliptic Curve Cryptography (cont’d)

• Analog of Diffie-Hellman key exchange (cont’d) 1.

A selects an integer

A less than n. This is A’s private key. A then generates a public key

A =

A ×

; the public key is a point in E

(

B similarly selects a private key

B and computes a public key

B .

A generates the secret key

A ×

B . B generates the secret key

B ×

A .

Information Security -- Public-Key Cryptography 13

YSL

Elliptic Curve Cryptography (cont’d)

• Analog of Diffie-Hellman key exchange (cont’d) – Example:

= 211; for E

(0,-4), choose

Note that 241

A =121, and

A = (2,2). = 121(2,2) = (115,48).

B = 203 and

B = 203(2,2) = (130,203). The shared secret key is then 121(130,203) = 203(115,48) = (161,169).

– For choosing a single number as the secret key, we could simply use the

coordinates or some simple function of the

coordinate.

Information Security -- Public-Key Cryptography 14

YSL

Elliptic Curve Cryptography (cont’d)

• Elliptic curve encryption/decryption – Encode the plain text

to be sent as an

point

P m .

– There are relatively straightforward techniques to perform such mappings.

– Require a point

and an elliptic group E

(

) as parameters.

– Each user A selects a private key

A public key

A =

A 

and generates a Information Security -- Public-Key Cryptography 15

YSL

Elliptic Curve Cryptography (cont’d)

• Elliptic curve encryption/decryption (cont’d) – To encrypt and send a message

P m

• A chooses a random positive integer

from A to B • A then produces the ciphertext

C m

points: consisting of the

pair

C m

= {

P m

k P

B }.

– A has used B’s public key

B .

– Two instead of one piece of information are sent.

Information Security -- Public-Key Cryptography 16

YSL

Elliptic Curve Cryptography (cont’d)

• Elliptic curve encryption/decryption (cont’d) – To decrypt

C m P m

k P

B -

B (

) =

P m

– A has masked

P m

+ by adding

k k P

(

B B

) to it.

– An attacker needs to compute

given

n G

B (

and ) =

P m .

which is assumed hard.

Information Security -- Public-Key Cryptography 17

YSL

Elliptic Curve Cryptography (cont’d)

• Elliptic curve encryption/decryption (cont’d) – Example: Take

Assume that

P m

= 751, E

(-1,188) and

= (0,376). = (562,201) is to be sent and that the sender chooses a random number

that the receiver’s public key is

B = 386. Assume = (201,5). We have 386(0,376) = (676,558), and (562,201) + 386(201,5) = (385,328). Consequently, {(676,558), (385,328)} is sent as the ciphertext.

Information Security -- Public-Key Cryptography 18

Elliptic Curve Cryptography (cont’d)

YSL • Computational effort for cryptanalysis of elliptic curve cryptography compared to RSA

Key Size

150 205 234

MIPS-Years

3.8*10^10 7.1*10^18 1.6*10^28 (a) Elliptic Curve Logarithms Using the Pollard rho Method

Key Size

512 768 1024 1280 1536 2048

MIPS-Years

3*10^4 2*10^8 3*10^11 1*10^14 3*10^16 3*10^20 (b) Integer Factorization Using the General Number Field Sieve Information Security -- Public-Key Cryptography 19

Elliptic Curve Cryptography (cont’d)

YSL Information Security -- Public-Key Cryptography 20