Cryptography and Network Security

Transcript Cryptography and Network Security

Cryptography and Security Services:
Mechanisms and Applications
Chapter 8
Elliptic Curve
Cryptography
Manuel Mogollon
M. Mogollon – 0
Session 6 – Contents
• Cryptography Basics
• Elliptic Curve (EC) Concepts
• Finite Fields
• Selecting an Elliptic Curve
• Cryptography Using EC
• Digital Signature
Elliptic Curve
Elliptic Curve Cryptography
M. Mogollon – 1
1
Cryptography Basics
Security Services      Security Mechanisms
Confidentiality        Encryption
Integrity              Hash Functions
Authentication         Digital Signatures
Access                 Security Tokens
Non-Repudiation        Digital Signatures
Types of Crypto Systems
• Symmetric Cryptography – Secret Key
▪ A single key serves as both the encryption and the decryption key.
▪ Initial arrangements need to be made for individuals to share the secret key.
▪ Stream Ciphers and Block Ciphers (DES, AES)
• Asymmetric Cryptography – Public-Key
▪ One key is used to encipher and another to decipher.
▪ Privacy is achieved without having to keep the enciphering key secret because a different key is used for deciphering.
▪ Pohlig-Hellman, Schnorr, RSA, ElGamal, and Elliptic Curve Cryptography (ECC) are popular asymmetric crypto systems.
Symmetric Key Crypto System
[Figure: Plaintext, Encryption Algorithm (Encipher), Ciphertext, Encryption Algorithm (Decipher), Plaintext; the same Secret Key is used to encipher and to decipher.]
• Security is based on the secret key, not on the encryption algorithm.
• The sharing of secret keys is necessary.
• Strengths: Fast, good for encrypting large amounts of data.
• Weakness: Key delivery.
• There are two types of symmetric crypto systems: Stream Ciphers (RC4) and Block Ciphers (DES, AES, RC5, CAST, IDEA).
Asymmetric Key Crypto System
(Public Key Algorithm)
[Figure: Plaintext, Encryption Algorithm (Encipher), Ciphertext, Encryption Algorithm (Decipher), Plaintext; One Key to Encipher, Another Key to Decipher.]
• Public key encryption involves two mathematically related keys.
• Either key can be used to encipher.
• One of the keys can be made public and the other kept private.
• Strengths: No key delivery issues, can be used for non-repudiation.
• Weakness: Slow, inefficient for large amounts of data, computationally expensive.
• Algorithms: RSA, ElGamal, Schnorr, Pohlig-Hellman, Elliptic Curve Cryptography.
• Used mainly for key exchange or digital signatures.
Combining Symmetric and Asymmetric Ciphers
[Figure: Client and Web Server. Both sides hold the PreMaster Key, run Master Key Generation, and derive the Secret Key, the IV and the Integrity (HMAC) key; Cleartext Blocks pass through Symmetric Encryption to produce Ciphertext Blocks (Encipher on one side, Decipher on the other).]
• Exchange (wrap / transport) or agree (Diffie-Hellman) on a pre-master key.
• Use a symmetric algorithm to encipher and decipher a secure transaction.
Types of Public-key Cryptography
• Exponentiation Ciphers
▪ RSA.
• Discrete logarithm systems
▪ ElGamal public-key encryption, Digital Signature Algorithm (DSA), Diffie-Hellman key exchange.
• Elliptic curve cryptography
Public Key Encryption
Sender (Alice), Receiver (Bob)
• Encipher with Alice’s private key, decipher with Alice’s public key: Non-Repudiation of Origin (Authenticity). Anyone who has Alice’s public key will be able to decipher the message. Alice cannot deny that she sent the message.
• Encipher with Alice’s public key, decipher with Alice’s private key: Bob will not be able to decipher the message because he doesn’t have Alice’s private key.
• Encipher with Bob’s public key, decipher with Bob’s private key: Confidentiality ─ Bob will be the only one able to decipher the message because only he has his private key.
• Encipher with Bob’s private key, decipher with Bob’s public key: Enciphering is not possible because Alice doesn’t have Bob’s private key.
Elliptic Curve Concepts
What is Elliptic Curve Cryptography?
• elliptic curve cryptography (abbr. ECC): (1) an encryption system that uses the properties of elliptic curves and provides the same functionality as other public key cryptosystems; (2) a public key crypto system that provides, bit for bit of key size, the highest strength of any cryptosystem known today.
ECC Applications
• ECC with 160-bit key size offers the same level of security as RSA with 1024-bit key size.
• Smaller key size provides
▪ Storage efficiencies
▪ Bandwidth savings
▪ Computational efficiencies
• Which leads to
▪ Higher speeds
▪ Lower power consumption
▪ Code size reductions
• ECC implementation is beneficial in applications where bandwidth, processing capacity, power availability, or storage are constrained.
• ECC includes key distribution, encryption, and digital signatures.
ECC Applications
• Applications requiring intensive public-key operations.
▪ Web servers.
• Applications with limited power, computational power, transfer speed, memory storage, or bandwidth.
▪ Wireless communications
▪ PDAs
• Applications with rigid constraints on processing power, parameter storage, and code space.
▪ Smart cards and tokens.
Elliptic Curves
• Elliptic Curve Cryptography uses plane curves, which are sets of points satisfying the equation F(x, y) = 0.
• Examples of plane curves are:
▪ Lines (2x + y = a)
▪ Conic sections (3x^2 + 5y^2 = a)
▪ Cubic curves (y^2 + xy = x^3 + ax^2 + b), which include elliptic curves.
Finite Fields
• Finite fields are fields that are finite.
• A field is a set F in which the usual mathematical operations (addition, subtraction, multiplication, and division by nonzero quantities) are possible; these operations follow the usual commutative, associative, and distributive laws.
• Rational numbers (fractions), real numbers, and complex numbers are elements of infinite fields.
• Discrete logarithm (DL) and elliptic curve (EC) cryptography schemes are always based on computations in a finite field in which there are only a finite number of quantities.
• For cryptography applications, the finite fields that are usually used are the field of characteristic (congruences).
• The finite fields used in DL and EC are the field of prime characteristic Fp and the field of characteristic two F2^m. The finite field is also denoted as GF(q).
Finite Fields
• Characteristic Prime Finite Fields
▪ The finite field Fp is the prime finite field containing p elements. If p is an odd prime number, then there is a unique field Fp that consists of the set of integers {0, 1, 2, ..., p – 1}.
• Characteristic Two Finite Fields
▪ A characteristic two finite field (also known as a binary finite field) is a finite field whose number of elements is 2^m. If m is a positive integer greater than 1, the binary finite field F2^m consists of the 2^m possible bit strings of length m.
For example, F2^3 = {000, 001, 010, 011, 100, 101, 110, 111}
Group Fields in EC
• There are two essential properties of group fields when they are used in elliptic curve cryptography:
▪ A group should have a finite number of points. An elliptic curve has an infinite number of points, but an elliptic curve over Fq has a finite number of elements.
▪ The operation that is used should be easy to compute but very difficult and time consuming to reverse.
• The scalar integer multiplication of an elliptic curve point, P, which is defined as the repeated addition of the point with itself, Q = kP, is an operation that is easy to compute but very difficult and time consuming to reverse.
Elliptic Curves and Points
• There are several ways of defining equations for elliptic curves, but the most common are the Weierstrass equations.
• ECC may be implemented over Fq, where q is an odd prime p, or 2^m.
• If ECC is implemented over Fp, the following equation is used:
y^2 = x^3 + ax + b
• If ECC is implemented over F2^m, the following equation is used:
y^2 + xy = x^3 + ax^2 + b
Elliptic Curve Arithmetic
Point Addition in Fp
• The group law is defined by P + Q – R = 0; therefore, P + Q = R, where the negative of the point R(x, y) is the point –R(x, –y).
• Given two points on the curve P and Q, the line through them meets the curve at a third point –R. The reflection of –R gives the point R, which is equal to P + Q.
• The tangent line through P gives the point –R.
[Figure, left: E: y^2 = x^3 - 9x + 6 with P (0.0, 2.45), Q (-3.24, -1.17), -R (4.49, 7.47), R (4.49, -7.49); P + Q = R = (4.49, -7.49).]
[Figure, right: E: y^2 = x^3 - 9x + 6 with P (0.0, 2.45), -R (3.38, -3.76), R (3.38, 3.76); 2P = R = (3.38, 3.76).]
Elliptic Curve Arithmetic
• Doubling a Point in Fp
Provided that yP ≠ 0, then
P(xP, yP) + P(xP, yP) = R(xR, yR)
where
xR = λ^2 - 2 xP mod p
yR = λ (xP - xR) - yP mod p
and
λ = (3 xP^2 + a) / (2 yP) mod p
λ is the slope of the line through P(xP, yP).
Elliptic Curves Arithmetic
• Point Addition in Fp
Similar to the addition of two points in plane geometry. For P ≠ Q, then
P(xP, yP) + Q(xQ, yQ) = R(xR, yR)
where
xR = λ^2 - xP - xQ mod p
yR = λ (xP - xR) - yP mod p
and
λ = (yQ - yP) / (xQ - xP) mod p
λ is the slope of the line through P(xP, yP) and Q(xQ, yQ).
Elliptic Curve Arithmetic
Point Addition in Fp
• Adding P to -P.
[Figure: E: y^2 = x^3 - 9x + 6 with P (-1.85, 4.05) and -P (-1.85, -4.05); P + (-P) = O, the point at infinity.]
EC Points
[Figure: Points in the Elliptic Curve y^2 = x^3 + x + 1 (mod 23), plotted with both axes running from 0 to 24.]
• The points are symmetric because in elliptic curves, for every point P, there must exist another point –P.
• The point P(0, 1) generates a maximal subgroup because it generates the maximum number of points, 28 (27 plus the point at infinity).
• The curve order is 28 and is denoted as #E(Fp).
Point and Curve Order
• For any point in y^2 = x^3 + x + 1 (mod 23), the value of k such that kP = O is not always the same. The order of points varies; it can be 28, 14, 7 or 4. See next slide.
• The maximum point order is the curve order.

Point    Order   Point    Order   Point    Order   Point    Order
(0,1)    28      (9,16)   28      (7,11)   14      (13,16)  7
(0,22)   28      (18,3)   28      (7,12)   14      (17,3)   7
(1,7)    28      (18,20)  28      (12,4)   14      (17,20)  7
(1,16)   28      (19,5)   28      (12,19)  14      (11,3)   4
(3,10)   28      (19,18)  28      (5,4)    7       (11,20)  4
(3,13)   28      (6,4)    14      (5,19)   7       (4,0)    1 (infinity)
(9,7)    28      (6,19)   14      (13,7)   7
Point Order
Selecting an EC for Cryptography
• There are several procedures to select an elliptic curve for cryptographic purposes. The following are some of the criteria:
▪ Select a large prime number, p, to be used as the modulus.
▪ Select the coefficients a and b randomly and define E(Fp): y^2 = x^3 + ax + b.
▪ Calculate the curve order #E(Fq).
▪ Check that #E(Fq) is divisible by a large prime number.
▪ Check that the largest prime divisor of #E(Fq) does not divide q^v - 1 for v = 1, 2, 3, ……<large limit>.
• Another way to select the elliptic curve is by selecting the curve order first:
▪ Select a large prime number, p, to be used as the modulus.
▪ Select the curve order, #E(Fp), such that
p + 1 - 2√p ≤ #E(Fq) ≤ p + 1 + 2√p
▪ Check that #E(Fp) is divisible by a large prime number, r.
▪ Check that r does not divide p^v - 1 for v = 1, 2, 3, ……10.
▪ Use the Atkin-Morain algorithm to find parameters a and b in Fp such that the elliptic curve E has an order of #E(Fp).
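The checks in the first procedure (curve order, large prime divisor, and the divisibility test on q^v - 1), together with the bound from the second procedure, applied to the toy curve y^2 = x^3 + x + 1 over F23 that the later slides use. This is an added example, not code from the slides; the function names are illustrative, and the point count is naive enumeration that only works for very small p.

```python
def curve_order(p, a, b):
    """#E(Fp) by enumeration: the point at infinity plus, for every x,
    the number of y with y^2 = x^3 + ax + b (mod p). Toy-sized p only."""
    roots = {}
    for y in range(p):
        roots[y * y % p] = roots.get(y * y % p, 0) + 1
    return 1 + sum(roots.get((x ** 3 + a * x + b) % p, 0) for x in range(p))

def largest_prime_factor(n):
    """Largest prime divisor of n by trial division."""
    largest, f = 1, 2
    while f * f <= n:
        while n % f == 0:
            largest, n = f, n // f
        f += 1
    return n if n > 1 else largest

def within_hasse_bound(p, order):
    """p + 1 - 2*sqrt(p) <= order <= p + 1 + 2*sqrt(p), tested without floats."""
    return (order - p - 1) ** 2 <= 4 * p

def smallest_v(p, r, limit=10):
    """Smallest v in 1..limit such that r divides p^v - 1, or None."""
    for v in range(1, limit + 1):
        if pow(p, v, r) == 1:
            return v
    return None

def check_curve(p, a, b, limit=10):
    """Run the selection criteria and report each result."""
    order = curve_order(p, a, b)
    r = largest_prime_factor(order)
    v = smallest_v(p, r, limit)
    return {
        "order": order,
        "within_hasse_bound": within_hasse_bound(p, order),
        "largest_prime_divisor": r,
        "cofactor": order // r,
        "r_divides_p^v-1_at_v": v,
        "passes_divisibility_check": v is None,
    }

if __name__ == "__main__":
    for name, value in check_curve(23, 1, 1).items():
        print(f"{name}: {value}")
```

For this toy curve the largest prime divisor, 7, divides 23^3 - 1, so the curve fails the last criterion; that is acceptable for a classroom-sized field but is exactly what the check is meant to reject in a real parameter set.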
Selecting a Generator Point
• Select a random point G on E(Fp) and a large prime number n that divides #E(Fp).
• Check that nG = O, n being the point order.
[Figure: The size of the odd prime modulus in bits is 15. Curve generated using the Cryptomathic online generator at http://www.cryptomathic.com/labs/ellipticcurvedemo.html#Key-Generation]
Discrete Logarithmic Problem
• In the multiplicative group Zp* discrete logarithm (Diffie-Hellman, ElGamal, DSS), the following is the discrete logarithm problem:
▪ Given elements y and x of the group, and a prime p, find a number k such that y = x^k mod p.
▪ For example, if y = 2, x = 8, and p = 341, then find k such that 2 ≡ 8^k mod 341.
▪ In the Diffie-Hellman discrete logarithm, y is the public key, g is a large random number, p is the modulo, and k is the private key that the cryptanalyst is trying to find out.
Which one is the correct Private Key?
EC Discrete Logarithmic Problem
• Given an elliptic curve E(Fp), a point P ∈ E(Fp) of order n, and a point Q ∈ E(Fp), determine the integer k, 0 ≤ k ≤ n-1, such that Q = kP, provided that such an integer k exists.
• Q is the public key and k is the private key.
• The scalar integer multiplication of an elliptic curve point, P, is defined as the process of adding P to itself k times. Q = kP is analogous to exponentiation in a discrete logarithm cryptosystem, i.e., it is an operation that is easy to compute but very difficult and time consuming to reverse.
Elliptic Curve Public-Key Cryptography
• The scalar integer multiplication of an elliptic curve point, P, is defined as the process of adding P to itself k times. Q = kP.
• When the point (0,1) is added to itself 13 times the result is the point (9, 16).
• Q = kP = 13 * (0,1) = (9,16)
• Select
Q = Public Key = (9,16)
k = Private Key = 13
Brute Force Attack
• There is not a known algorithm to attack ECC
• Brute force attack
▪ Starting with point (0,1), add (0,1) to itself until (9,16) is found.
▪ Stop when Q = dP = (9, 16)
▪ The order of the base point is 28
▪ It would take a system doing a million additions/sec, 14 microseconds to try 50% of all possible points.
[Figure: The size of the odd prime modulus in bits is 5.]
Brute Force Attack
• There is not a known algorithm to attack ECC
• Brute force attack
▪ Starting with point P, add P to itself until Q is found.
▪ Stop when kP = Q
▪ The order of the base point is 1.73*10^46
▪ It would take a system doing a million additions/sec (3.15*10^18 additions/year) 10^32 years to try 50% of all possible points.
[Figure: The size of the odd prime modulus in bits is 161. Equivalent to RSA 1024.]
Breaking the Code
April 27, 2004
Certicom Corp. (TSX: CIC), the authority for strong,
efficient cryptography, today announced that Chris
Monico, an assistant professor at Texas Tech University,
and his team of mathematicians have successfully
solved the Certicom Elliptic Curve Cryptography (ECC)
109-bit Challenge. The effort required 2600 computers
and took 17 months. For comparison purposes, the
gross CPU time used would be roughly equivalent to
that of an Athlon XP 3200+ working nonstop for about
1200 years.
Public Key Systems Key Size Comparisons
Blake, Seroussi, and Smart (1999, p9) compared the two algorithms known to break ECC and discrete logarithms. Simplifying the formulas and making several approximations, they arrived at the following formula comparing key-length for similar levels of security:
n = β N^(1/3) (log(N log 2))^(2/3)
where β ≈ 4.91. The parameters n and N are the “key sizes” of ECC and DL cryptosystems.

Minimum Size of Public Keys (Bits)

Security   Symmetric Encryption   Hash        Diffie-Hellman and RSA   ECC
(Bits)     Algorithm              Algorithm   Modulus Size
80         SKIPJACK               SHA-1       1024    1024             160
112        3DES                               2048    2048             224
128        AES-128                SHA-256     3072    3072             256
192        AES-192                SHA-384     7680    7680             384
256        AES-256                SHA-512     15360   15360            512
Elliptic Curve Cryptography
Domain Parameters
• Parties using elliptic curve cryptography need to share certain parameters, the “Elliptic Curve Domain Parameters”.
• The EC domain parameters may be public; the security of the system does not rely on these parameters being secret.
• The domain consists of six parameters, which are calculated differently for Fp and F2^m. They precisely specify an elliptic curve and base point.
• The six domain parameters are the following:
T = (q; FR; a, b; G; n; h), in which,
q     Defines the underlying finite field Fq. The field size is defined by the modulus, so q = p or q = 2^m; p > 3 should be a prime number.
FR    Field representation of the method used for representing field elements in Fq, either E(Fp) or E(F2^m).
a, b  The coefficients defining the elliptic curve E, elements of Fq.
G     A distinguished point, G = (xG, yG), on an elliptic curve called the base point or generating point, defined by two field elements xG and yG in Fq.
n     The order of the base point G.
h     Called the cofactor, h = #E(Fq)/n, where n is the order of the base point G. h is normally a small number.
ECC Cryptography
• Encryption
▪ EC Integrated Encryption Scheme (ECIES)
– Proposed by Bellare and Rogaway
– Variant of ElGamal public-key encryption scheme
– ANSI X9.63, ISO/IEC 15946-3, and IEEE P1363a draft
▪ Provably Secure Encryption Curve (PSEC)
– Fujisaki and Okamoto
– Evaluated by NESSIE and CRYPTREC
• Key Exchange
▪ Station-to-Station Protocol
– Diffie, van Oorschot, and Wiener
– Discrete logarithm-based key agreement
– ANSI X9.63
▪ ECMQV
– Menezes, Qu, and Vanstone
– ANSI X9.63, IEEE 1363-2000, and ISO/IEC 15946-3
ECC Cryptography
• Digital Signature
▪ Elliptic Curve Digital Signature Algorithm (ECDSA)
– Analogous to the Digital Signature Algorithm (DSA)
– Secure Hash Algorithm (SHS-1)
– ANSI X9.62, FIPS 186-2, IEEE 1363-2000 and ISO/IEC 15946-2
▪ EC Korean Certificate-based Digital Signature Algorithm (EC-KCDSA)
– Lim and Lee
– ISO/IEC 15946-2.
Key Generation
• The public and private keys of an entity A are associated with a particular set of elliptic curve domain parameters (q; FR; a; b; G; n; h). To generate a key pair, entity Alice does the following:
▪ Selects a random or pseudo-random integer d in the interval [1, n - 1].
▪ Computes Q = d * G.
▪ Has Q as public key, PubA, and d as private key, PrivA.
▪ Checks that xG and yG are elements of the elliptic curve equation by calculating yQ^2 = xQ^3 + a xQ + b mod p, or yQ^2 + xQ yQ = xQ^3 + a xQ^2 + b in F2^m.
• Example:
▪ For E(F23): y^2 = x^3 + x + 1, #E(F23) = 28. Then, n = 7, since n should be a prime factor of 28.
▪ The cofactor h is equal to 28 / 7 = 4.
▪ A point with an order of 7 should be selected.
▪ The point G could be (5, 19), one of several points with n = 7. The domain parameter T = (p; a; b; G; n; h) is T = [23; 1; 1; (5,19); 7; 4].
▪ Select d = 4, so Q = 4 * (5, 19) = (13, 16).
▪ Alice’s public key is PubA = Q = (13, 16) and her private key is PrivA = 4.
ECC ElGamal Encryption
Alice
• Let T = (p; a; b; G; n; h) and PubA = PrivA * G mod p be Alice’s public key. T and PubA do not need to be secret.
Bob
• Bob selects a random number as his private key and generates his public key using the same elliptic curve and G point.
• Bob enciphers the message, M, by doing
CM = [{PrivB * G}, {M + PrivB * PubA}]
• Bob sends his PubB and cipher message to Alice (CM, PubB).
Alice
• Alice deciphers the message by
▪ Multiplying her private key PrivA by (PrivB . G).
▪ Subtracting the above result from M + PrivB . PubA.
CM = [{PrivB * G}, {M + PrivB * PubA}]
M = {M + PrivB * PubA} – {PrivA * PrivB * G}
Since PubA = PrivA * G, then,
M = {M + PrivB * (PrivA . G)} – {PrivA * (PrivB * G)}
ECC ElGamal Encryption
Alice
• Let T = [23; 1; 1; (5,19); 7; 4] and select 4 as the PrivA,
PubA = 4 * (5, 19) mod 23
PubA = (13, 16) mod 23
as the public key. T and PubA do not need to be secret.
Bob
• Bob selects 4 as his private key.
• The message is the point (8,20).
• Bob enciphers the message by
CM = [{5*(5, 19)}, {(8, 20) + 5*(13, 16)}]
• Bob sends his PubB and cipher message CM = [(17, 20), (18,11)] to Alice (CM, PubB).
Alice
• Alice deciphers the message by
▪ Multiplying her private key 4 by (18,11) = (5, 4).
▪ Subtracting the above result from (17, 20)
M = (17,20) – (5, 4)
M = (17,20) + (5, -4) = (8, 20)
Note: The cofactor h = 4 in T is not related to the PrivA, which was selected at random and happens to be 4, also.
Diffie-Hellman Key Exchange System
Sender and receiver agree on the same domain parameters. T = (p; a; b; G; n; h) does not need to be secret.
Alice
T = (p; a; b; G; n; h)
PrivA = Random large prime integer
PubA = PrivA * G mod p
Alice sends PubA to Bob.
z = PubB * PrivA
Bob
T = (p; a; b; G; n; h)
PrivB = Random large prime integer
PubB = PrivB * G mod p
Bob sends PubB to Alice.
z = PubA * PrivB
Alice and Bob convert the shared secret value z to an octet string Z and use Z as the shared secret key for symmetric encryption algorithms to secure their communications.
Diffie-Hellman Key Exchange System
Alice
T = [23; 1; 1; (5,19); 7; 4]
PubA = PrivA * G mod p
PubA = 4 * (5, 19) mod 23 = (13, 16) mod 23
Alice sends PubA to Bob.
z = PubB * PrivA
z = (17, 3) * 4 mod 23 = (5, 19) mod 23
Bob
T = [23; 1; 1; (5,19); 7; 4]
PubB = PrivB * G mod p
PubB = 2 * (5, 19) mod 23 = (17, 23) mod 23
Bob sends PubB to Alice.
z = PubA * PrivB
z = (13, 16) * 2 mod 23 = (5, 19) mod 23
Note: The cofactor h = 4 in T is not related to the PrivA, which was selected at random and happens to be 4, also.
ECCDSA Signature Generation
Alice
• T = (p; a; b; G; n; h) and PubA = PrivA * G mod p is Alice’s public key. T and PubA do not need to be secret.
• Selects a random integer k ∈ [2, n - 2]
• Computes
k * G = (x1, y1)
r = x1 mod n
• Computes
k^-1 mod n
• Computes
s = k^-1 {H(m) + PrivA . r} mod n
• The signature for the message m is the pair of integers (r, s). Alice sends (r, s) to Bob.
Bob
Verifies Alice’s signature (r, s) on the message m as follows:
• Computes H(m) and
c = s^-1 mod n
• Computes
u1 = H(m) . c mod n
u2 = r . c mod n
• Computes
(x0, y0) = u1 * G + u2 * PubA
v = x0 mod n
• Accepts the signature if v = r.
ECCDSA Signature Generation
Alice
• Let T = [23; 1; 1; (5,19); 7; 4] and
PubA = 4 * (5, 19) mod 23 = (13, 16) mod 23
• Select k = 3
• Compute
(x1, y1) = k . G = 3 . (5, 19) = (13, 7)
r = 13 mod 7 = 6 mod 7
• Compute k^-1 mod n
3^-1 mod 7 = -2 mod 7 = 5 mod 7
• Compute
s = k^-1 {H(m) + PrivA . r} mod n
s = 5 (10 + 4 . 6) mod 7 = 175 mod 7 = 2 mod 7
• The signature for the message m is the pair of integers (r, s), (6, 2).
Bob
Bob verifies Alice’s signature (6, 2) on the message m as follows:
• Compute H(m) and c = s^-1 mod n
c = 2^-1 mod 7 = -3 mod 7 = 4 mod 7
• Compute
u1 = H(m) . c mod n
u2 = r . c mod n
u1 = 10 . 4 mod 7 = 5 mod 7
u2 = 6 . 4 mod 7 = 3 mod 7
• Compute (x0, y0) = u1 * G + u2 * PubA
(x0, y0) = 5 . (5, 19) + 3 . (13, 16)
(x0, y0) = (17, 20) + (17, 20) = (13, 7)
• Compute
v = x0 mod p = 13 mod 7 = 6 mod 7
• Accept the signature because v = 6 mod 7 = r.
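The point arithmetic, point order, key generation, Diffie-Hellman and ECDSA slides can all be replayed with the toy parameters T = [23; 1; 1; (5,19); 7; 4]. This is an added example, not code from the original slides; the function names are illustrative, and k = 3 and H(m) = 10 are passed in only to match the slides, whereas a real signer must draw a fresh secret random k for every signature.

```python
# Added example: toy curve from the slides, E(F23): y^2 = x^3 + x + 1.
P_MOD, A, B = 23, 1, 1        # p, a, b
G, N = (5, 19), 7             # base point and its order (cofactor h = 4)
O = None                      # point at infinity

def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p); O counts as on the curve."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def ec_add(p1, p2):
    """Group law in Fp: chord rule for P != Q, tangent rule for P == Q."""
    if p1 is O:
        return p2
    if p2 is O:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                               # P + (-P) = O, also covers yP = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Q = kP by double-and-add (not constant time; illustration only)."""
    result = O
    while k > 0:
        if k & 1:
            result = ec_add(result, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return result

def curve_points():
    """All affine points; the curve order is this count plus one for O."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]

def point_order(pt):
    """Smallest k >= 1 with kP = O."""
    k, acc = 1, pt
    while acc is not O:
        acc, k = ec_add(acc, pt), k + 1
    return k

def valid_public_key(pub):
    """Reject O, off-curve points and points outside the order-n subgroup."""
    return pub is not O and on_curve(pub) and ec_mul(N, pub) is O

def ecdh(priv, peer_pub):
    """Shared point z = priv * peer_pub, computed only for a validated peer key."""
    if not valid_public_key(peer_pub):
        raise ValueError("peer public key failed validation")
    return ec_mul(priv, peer_pub)

def ecdsa_sign(h, priv, k):
    """Slide formulas: r = x1 mod n, s = k^-1 (H(m) + PrivA * r) mod n."""
    if not 0 < k < N:
        raise ValueError("k must be in [1, n - 1]")
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + priv * r) % N
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s

def ecdsa_verify(h, sig, pub):
    """Slide formulas: c = s^-1, u1 = H(m) c, u2 = r c, accept if x0 mod n == r."""
    r, s = sig
    if not (0 < r < N and 0 < s < N and valid_public_key(pub)):
        return False
    c = pow(s, -1, N)
    pt = ec_add(ec_mul(h * c % N, G), ec_mul(r * c % N, pub))
    return pt is not O and pt[0] % N == r

if __name__ == "__main__":
    print(len(curve_points()) + 1, point_order((0, 1)))  # curve order, order of (0,1)
    pub_a = ec_mul(4, G)                                  # Alice: PrivA = 4
    print(pub_a, ecdh(2, pub_a))                          # Bob: PrivB = 2
    sig = ecdsa_sign(10, 4, 3)                            # H(m) = 10, k = 3
    print(sig, ecdsa_verify(10, sig, pub_a))
```

The `valid_public_key` check goes one step beyond the on-curve test in the key generation slide: it also confirms that n times the point is O, so a point of order 28 such as (0, 1) is rejected as a public key for the order-7 subgroup.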
Cipher Suite
• There are many algorithms that can be used for encryption, key
exchange, message digest, and authentication; the level of security for
each of these algorithms varies. Establishing a connection between two
entities requires that they tell each other what crypto algorithms they
understand. Normally one of the entities involved in the communication
proposes a list of algorithms, and the other entity selects the algorithms
supported by both. The selected algorithms may not have matching
levels of security, reducing the overall security of the communication.
• A cipher suite is a collection of cryptographic algorithms that matches the
level of security of all the algorithms listed in the cipher suite. To enable
secure communications between two entities, they exchange information
about which cipher suites they have in common, and they then use the
cipher suite that offers the highest level of security.
To Probe Further
• Hankerson, D., Menezes, A., Vanstone, S. (2004). Guide to Elliptic Curve Cryptography. New York: Springer-Verlag.
• Blake, I., Seroussi, G., Smart, N. (1999). Elliptic Curves in Cryptography. Cambridge, United Kingdom: Cambridge University Press.
• Rosing, M. (1999). Implementing Curve Cryptography. Greenwich, CT: Manning Publications.
• Brown, M., Cheung, D., Hankerson, D., Lopez, J., Kirkup, M., Menezes, A., PGP in Constrained Wireless Devices, Proceedings of the 9th USENIX Security Symposium, August 2000.
• Certicom Research, Standard for Efficient Cryptography (SEC 1): Elliptic Curve Cryptography, September 20, 2000. (Retrieved September 26, 2003 from http://www.secg.org/secg_docs.htm)
• Certicom Research, Current Public-Key Crypto Systems, April 1997. (Retrieved on September 20, 2000 from )
• Cryptomathic, Elliptic Curve Online Key Generation at http://www.cryptomathic.com/labs/ellipticcurvedemo.html#Key-Generation
• Certicom Elliptic Curve Tutorial at http://www.certicom.com/index.php?action=ecc,ecc_tutorial
• Lopez, J., Dahab, R., An Overview of Elliptic Curve Cryptography, Institute of Computing, State University of Campinas, São Paulo, Brazil, May 2, 2000. (Retrieved September 26, 2003 from http://citeseer.nj.nec.com/lop00overview.html)
• IEEE P1363, Standard Specifications for Public Key Cryptography, draft 2000