1524 elliptic curve cryptography
TRANSCRIPT
THE TECH
NO
LOG
Y STREAM
Elliptic Curve Cryptography
Burt KaliskiChief Scientist and Director
RSA Laboratories
THE TECH
NO
LOG
Y STREAM
Outline
I. Elliptic curvesII. Elliptic curve cryptosystemsIII. Advantages and disadvantagesIV. Standardization efforts
THE TECH
NO
LOG
Y STREAM
Notation
• GF(q) or Fq: finite field with q elements– typically, q = p where p is prime, or 2m
• E(Fq): elliptic curve over Fq
• (x, y): point on E(Fq)• O: point at infinity
THE TECH
NO
LOG
Y STREAM
Acronyms
• EC = Elliptic Curve– as in EC Digital Signature Algorithm
• ECC = Elliptic Curve Cryptography
THE TECH
NO
LOG
Y STREAM
Part I: Elliptic Curves
THE TECH
NO
LOG
Y STREAM
Elliptic Curves
• An elliptic curve is the set of solutions (x, y) to an equation of the form
y2 = x3 + ax + bwhere 4a3 + 27b2 0, together with a point at infinity denoted O
• Originally developed to measure circumference of an ellipse
THE TECH
NO
LOG
Y STREAM
An Example Curve
• Over the reals, the solutions form a curve with one or two components
• Example:y2 = x3-x
THE TECH
NO
LOG
Y STREAM
Elliptic Curve Arithmetic
• A group law may be defined where the sum of two points is the reflection across the x-axis of the third point on the same line
• “Chords and tangents”
THE TECH
NO
LOG
Y STREAM
Group Law Axioms
• Closure• Identity:
P + O = O + P = P• Inverse:
(x, y) + (x, -y) = O• Associativity• Commutativity
THE TECH
NO
LOG
Y STREAM
Addition Formulae
• Let P1 = (x1, y1) and P2 = (x2, y2) be non-inverses
• Then P1 + P2 = (x3, y3) where
x3 = 2 - x1 - x2
y3 = (x1 - x3) - y1
and is the slope of the line: = (3x1
2+a)/2y1 if x1 = x2
= (y2-y1)/(x2-x1) otherwise
THE TECH
NO
LOG
Y STREAM
Elliptic Curves over Finite Fields
• An elliptic curve may be defined over any finite field GF(q)
• For GF(2m), the curve has a different form:
y2 + xy = x3 + ax2 + bwhere b 0
• Addition formulae are similar to those over the reals
THE TECH
NO
LOG
Y STREAM
Group Properties
• Let #E(Fq) denote the number of points on an elliptic curve E(Fq), including O
• Hasse bound: #E(Fq) = q+1-t, where
|t| 2 sqrt(q)• The group of points is either cyclic or
a product of two cyclic groups
THE TECH
NO
LOG
Y STREAM
Scalar Multiplication
• Scalar multiplication is repeated group addition:
cP = P + ··· + P (c times)where c is an integer
• For all P E(Fq),
nP = Owhere n = #E(Fq)
THE TECH
NO
LOG
Y STREAM
Elliptic Curve Research Areas
• EC over finite fields has been an increasing focus of research
1. Efficient elliptic curve arithmetic, scalar multiplication– including finite field arithmetic
2. Efficient curve generation3. Cryptographic properties
THE TECH
NO
LOG
Y STREAM
Some Interesting Applications
• Factoring (Lenstra 1985)
– running time of Elliptic Curve Method (ECM) depends on size of prime factors of a number, ideal for “smooth” numbers
• Primality proving (Goldwasser-Kilian 1986)
– under number-theory assumptions, method for proving primality in random polynomial time
• Fermat’s Last Theorem
THE TECH
NO
LOG
Y STREAM
Analogy with Multiplicative Groups
Elliptic CurveGroup
MultiplicativeGroup
point addition multiplication
scalarmultiplication
exponentiation
elliptic curvediscrete logarithm
discrete logarithm
THE TECH
NO
LOG
Y STREAM
Part II: Elliptic Curve Cryptosystems
THE TECH
NO
LOG
Y STREAM
Elliptic Curve Cryptosystems
• EC discrete logarithm problem• Domain parameters• Key pairs• Cryptographic schemes
THE TECH
NO
LOG
Y STREAM
EC Discrete Logarithm Problem
• Problem: Given two points W, G, find s such that W = sG– first suggested by Miller 1985, Koblitz 1987
• With appropriate cryptographic restrictions, this is believed to take exponential time– O(sqrt(r)) time, where r is the order of W
THE TECH
NO
LOG
Y STREAM
EC Discrete Logarithm Problem (cont’d)
• By comparison, factoring and ordinary discrete logarithms can be solved in subexponential time
• ECC thus offers much shorter key sizes than other public-key cryptosystems
THE TECH
NO
LOG
Y STREAM
Typical Cryptographic Restrictions
• #E(Fq) = kr for large prime r– k is cofactor
• GCD (k, r) = 1• “Anomalous” condition: r q• MOV condition: r does not divide qi-1
for small i
THE TECH
NO
LOG
Y STREAM
Domain Parameters
• Common values shared by a group of users from which key pairs may be generated
• User or trusted party may generate domain parameters
• Anyone may validate domain parameters
THE TECH
NO
LOG
Y STREAM
EC Domain Parameters
• Finite field Fq
• Elliptic curve E(Fq) with cryptographic restrictions
• Prime divisor r of #E(Fq)• Cofactor k• Base point G E(Fq) of order r
THE TECH
NO
LOG
Y STREAM
Generating EC Domain Parameters
1. Select a prime power q2. Select an elliptic cuve E over Fq with
cryptographic restrictions– order #E(Fq) = kr
3. Generate a point G of order r4. Output Fq, E(Fq), r, k, G
THE TECH
NO
LOG
Y STREAM
Selecting an Elliptic Curve
• Random method• Complex multiplication method• Subfield method
• Methods provide tradeoff between speed, “structure” in curves– less structure = more conservative in
assumptions about security
THE TECH
NO
LOG
Y STREAM
Random Method
1. Generate a random curve2. Count the number of points #E(Fq)
3. If restrictions not met, goto 1
• No structure, but step 2 may be slow• (Schoof 1985, etc.)
THE TECH
NO
LOG
Y STREAM
Complex Multiplication Method
1. Generate a curve order n with a small CM discriminant D
2. If restrictions not met, goto 13. Given D, find a curve with n points
• Fast, some structure, but complex• (Atkin-Morain 1991, Lay-Zimmer 1994)
THE TECH
NO
LOG
Y STREAM
Subfield Method
• For q = 2m with m composite1. Generate a curve over a subfield2. Count the number of points3. Apply formula to compute #E(Fq)
4. If restrictions not met, goto 1
• Fast, but significant structure• (Koblitz)
THE TECH
NO
LOG
Y STREAM
Generating a Point of Order r
1. Generate a point H E(Fq)
2. Compute G = kH3. If G = O, goto 14. Output G
THE TECH
NO
LOG
Y STREAM
Validating EC Domain Parameters
1. Check that q is a prime power2. Check that E is an elliptic curve over Fq
with cryptographic restrictions– order #E(Fq) = kr, where r is prime
3. Check that G is a point on E(Fq) of order r4. Output valid if all checks pass, invalid
otherwise
THE TECH
NO
LOG
Y STREAM
Key Pairs
• Pairs of public, private values with which users may perform cryptographic operations
• User or trusted third party may generate key pair
• Anyone may validate public key
THE TECH
NO
LOG
Y STREAM
EC Key Pairs
• Public key W E(Fq)• Private key s [1, r-1]
– where W = sG
THE TECH
NO
LOG
Y STREAM
Generating an EC Key Pair
1. Randomly generate s [1, n-1]2. Compute W = sG3. Output (W, s)
THE TECH
NO
LOG
Y STREAM
Validating an EC Public Key
• Assume valid domain parameters1. Check that W is a point on E(Fq) of
order r2. Output valid if so, invalid otherwise
THE TECH
NO
LOG
Y STREAM
Cryptographic Schemes
• Following general model from IEEE P1363, a scheme is a set of related operations providing the building blocks for a protocol
• Examples:– key agreement– signature with appendix– encryption
THE TECH
NO
LOG
Y STREAM
Scheme Operations
• Depending on the scheme, related operations may include:– domain parameter generation, validation– key pair generation, public-key
validation– one or more scheme-specific operations
THE TECH
NO
LOG
Y STREAM
Key Agreement Scheme
• Key agreement operation derives a shared secret key from a private key, another’s public key, and key derivation parameters
• Multiple secret keys can be obtained by varying parameters
THE TECH
NO
LOG
Y STREAM
Elliptic Curve Diffie-Hellman
• Key agreement scheme based on Diffie-Hellman protocol
• In IEEE P1363, ECKAS-DH1 with ECSDVP-DH primitive
• Underlying function:– KDF: key derivation function
THE TECH
NO
LOG
Y STREAM
ECDH Key Agreement
• Input: private key s, other’s public key W*, key derivation parameters P
• Output: shared secret key K1. Compute Z = sW*2. Compute K = KDF (Z, P)3. Output K
THE TECH
NO
LOG
Y STREAM
Key Agreement Modes
• Each key pair may be ephemeral, authenticated, or a combination, depending on security goals
• Examples of protocol modes:– anonymous– static-static– signed ephemeral-ephemeral– ephemeral-static
THE TECH
NO
LOG
Y STREAM
Signature Scheme
• Signature generation operation computes a signature on a message with a private key
• Signature verification operation verifies a signature with a public key
THE TECH
NO
LOG
Y STREAM
Elliptic Curve Digital Signature Algorithm
• Signature scheme based on NIST FIPS 186-1 DSA
• In IEEE P1363, ECSSA with ECSP/VP-DSA primitives
• Underlying function– Hash: collision-resistant hash function
THE TECH
NO
LOG
Y STREAM
ECDSA Signature Generation
• Input: private key s, message M• Output: signature (c,d)1. Compute f = Hash (M)2. Generate a one-time key pair (u, V)3. Compute c = int (xV) mod r4. Compute d = u-1(f + sc) mod r5. If c = 0 or d = 0, goto 26. Output (c,d)
THE TECH
NO
LOG
Y STREAM
ECDSA Signature Verification
• Input: signer’s public key W, message M, signature (c,d)
• Output: valid or invalid1. Compute f = Hash (M)2. Check that 1 c,d r-13. Compute h = d-1 mod r4. Compute P = fhG + chW(cont’d)
THE TECH
NO
LOG
Y STREAM
ECDSA Signature Verification (cont’d)
5. Check that P O6. Check that c = int (xP) mod r7. If all checks pass, output valid,
otherwise output invalid
THE TECH
NO
LOG
Y STREAM
Encryption Scheme
• Encryption operation computes a ciphertext from a message with a public key
• Decryption operation recovers a message from a ciphertext with a private key
• Augmented encryption scheme also binds control information to message
THE TECH
NO
LOG
Y STREAM
Elliptic Curve Augmented Encryption Scheme
• Augmented encryption scheme based on DHAES (Bellare-Rogaway 1998)
• In ANSI X9.63 draft• Underlying functions:
– KDF: key derivation function– Encrypt: symmetric encryption– MAC: message authentication code
THE TECH
NO
LOG
Y STREAM
ECAES Encryption
• Input: recipient’s public key W, message M, control information P
• Output: ciphertext (V,C,T)1. Generate a one-time key pair (u,V)2. Compute Z = uW3. Compute (K1,K2) = KDF (Z)(cont’d)
THE TECH
NO
LOG
Y STREAM
ECAES Encryption (cont’d)
4. Compute C = Encrypt (K1,M)
5. Compute T = MAC (K2,C || P)
6. Output (V,C,T)
Note: Steps 1–3 are like ECDH ephemeral-static
THE TECH
NO
LOG
Y STREAM
ECAES Decryption
Input: private key s, ciphertext (V,C,T), control information P
Output: message M or invalid1. Compute Z = sV2. Compute (K1,K2) = KDF (Z)(cont’d)
THE TECH
NO
LOG
Y STREAM
ECAES Decryption (cont’d)
3. Compute M = Decrypt (K1,C)
4. Check that T = MAC (K2,C || P)
5. If the check passes, output M, otherwise output invalid
THE TECH
NO
LOG
Y STREAM
Some Observations
• In these schemes, only one or two steps are EC operations, some are modular arithmetic, the rest are Hash, KDF, Encrypt, MAC– the additional operations help provide
provable security• Schemes are readily adapated to
multiplicative groups
THE TECH
NO
LOG
Y STREAM
Part III: Advantages and Disadvantages
THE TECH
NO
LOG
Y STREAM
Advantages and Disadvantages
• Three families• Key size comparison• Advantages• Disadvantages
THE TECH
NO
LOG
Y STREAM
Three Families
• Today, three families of public-key techniques are prominent
• Following P1363, named according to the hard problem:– DL: (ordinary) discrete logarithms– EC: elliptic curve discrete logarithms– IF: integer factorization
• Each has its own advantages
THE TECH
NO
LOG
Y STREAM
Key Size Comparison
• Key size is length in bits of:– DL: field order q
• also consider group order r– EC: group order r– IF: modulus n
• Key sizes can be compared based on running time for solving hard problem with current methods– other factors to consider
THE TECH
NO
LOG
Y STREAM
Comparable Key Sizes(Based on Running Time)EC DL, IF Symmetric
112 512 56
160 1024 80
224 2048 112
THE TECH
NO
LOG
Y STREAM
Advantages
• Alternative hard problem• Speed• Data size• New types of schemes• Many options
THE TECH
NO
LOG
Y STREAM
Alternative Hard Problem
• EC Discrete Logarithm Problem is very different than DL, IF hard problems– does not appear feasible to apply DL, IF
approaches to solve it• Thus, it is an effective alternative
against advances in methods for other problems
THE TECH
NO
LOG
Y STREAM
Speed
• EC operations are generally faster than DL, IF counterparts at comparable key sizes– GF(2m) arithmetic affords further
speedups• Key pair generation is much faster
than for IF
THE TECH
NO
LOG
Y STREAM
Data Size
• EC data are shorter than DL, IF counterparts
• Intermediate values are shorter• Keys are shorter
– benefit depends on certificate content• Signatures with appendix are same
size as for DL, shorter than IF
THE TECH
NO
LOG
Y STREAM
New Types of Schemes
• EC family, like DL, has great flexibility due to the availability of common domain parameters
• Multiple schemes can be combined efficiently, e.g.:– signature + encryption– signature / key agreement + certification– (Zheng 1997, Arazi 1998, Vanstone)
THE TECH
NO
LOG
Y STREAM
Many Options
• EC family affords many choices:– field type, size, representation– curve formula– group order– base point– cryptographic scheme
• Appropriate choices can meet varying security and implementation objectives
THE TECH
NO
LOG
Y STREAM
Disadvantages
• Alternative hard problem• Curve generation• Many options
THE TECH
NO
LOG
Y STREAM
Alternative Hard Problem
• ECDLP has not been studied as long as DL, IF hard problems, and even a modest improvement in methods could have great impact
• However, the focus on this area has grown considerably over the past few years, with increased confidence
THE TECH
NO
LOG
Y STREAM
Curve Generation
• EC curve generation is complex, not readily implemented
• However, implementers can rely on third parties for curves, which can be validated– e.g., NIST curves
THE TECH
NO
LOG
Y STREAM
Many Options
• ECC affords many options, so interoperability is challenging:– no conversion between GF(2m), GF(p)– hardware optimizations may be specific
to one set of domain parameters• However, much of this will be settled
by standards and industry practice
THE TECH
NO
LOG
Y STREAM
Part IV: Standardization Efforts
THE TECH
NO
LOG
Y STREAM
Standardization Efforts
• Elliptic curves are parts of standards being developed by several groups:– ANSI X9F1– IEEE P1363– ISO JTC1 SC27– SECG– U.S. NIST
• Generally, all three families arebeing developed together
THE TECH
NO
LOG
Y STREAM
ANSI X9F1
• Cryptographic techniques for U.S. financial services industry
• ANSI X9.62 specifies ECDSA• ANSI X9.63 (draft) specifies ECDH,
ECAES and more• Technical Guideline on elliptic curve
mathematics• www.x9.org
THE TECH
NO
LOG
Y STREAM
IEEE P1363
• Public-key cryptography specifications, transnational
• Specifies ECDH, ECDSA and much more (including other families)– framework for ANSI X9F1 work
• ECAES proposed for addendum• grouper.ieee.org/groups/1363
THE TECH
NO
LOG
Y STREAM
ISO SC27
• IT security techniques, international• ISO/IEC DIS 14888-3 includes ECDSA
– aligned with ANSI X9.62• ISO/IEC CD 15946 covers elliptic curve
techniques including digital signatures, key establishment
• www.iso.ch/meme/JTC1SC27.html
THE TECH
NO
LOG
Y STREAM
SECG
• Standards for Efficient Cryptography Group
• Industry implementers agreements, intended to profile other standards
• www.secg.org
THE TECH
NO
LOG
Y STREAM
U.S. NIST
• Information processing for U.S. government
• FIPS 186 (Digital Signature Standard) to add support for ANSI X9.62
• Eventual ANSI X9.63 support likely• Reference elliptic curves published• csrc.nist.gov/fips
THE TECH
NO
LOG
Y STREAM
Summary
THE TECH
NO
LOG
Y STREAM
Summary
• ECC offers an attractive alternative to other public-key cryptosystems– new hard problem– smaller key size
• Many standards are emerging• Number theory continues to be useful