Advanced Information Security 1 INTRODUCTION TO ECC Dr. Turki F. Al-Somani 2015 1

Upload: marshall-norris

Post on 01-Jan-2016


TRANSCRIPT

1

Advanced Information Security 1 INTRODUCTION TO ECC

Dr. Turki F. Al-Somani 2015

2

Module Outlines

Introduction to Cryptography
Symmetric Key Cryptography
Public Key Cryptography
Elliptic Curve Cryptosystems
Point Operations
Scalar Multiplication
Projective Coordinates
Field Operations
Challenges, Opportunities

3

Cryptography Definitions

Encryption is a process by which a message (called plaintext) is transformed into another message (called ciphertext) using a mathematical function and a special encryption password (called a key).

Decryption is the reverse process: transforming a ciphertext message back into its original plaintext form using a mathematical function and a key.

The mathematical functions and keys used for encryption and decryption may be the same, or may be different.

4

Cryptography Definitions

Symmetric key cryptography: encryption and decryption keys are identical, so the key must be kept secret. (This approach is also called secret key cryptography.)

Public key cryptography: different keys for encryption and decryption (one public, the other private).

[Figure: plaintext → encryption algorithm (Alice's encryption key K_A) → ciphertext → decryption algorithm (Bob's decryption key K_B) → plaintext]

5

Symmetric Key Cryptography

Same key decrypts and encrypts information.

The encryption functions used need not be secret, but the keys used must be secret.

The encryption and decryption functions used can be the same or different.

Examples:

ROT13: Very simple rotation algorithm
Caesar cipher: Another (better) rotation algorithm
crypt: Original Unix encryption program
DES: Data Encryption Standard
AES: Advanced Encryption Standard
Skipjack: U.S. National Security Agency developed algorithm (classified)

6

Symmetric Key Cryptography

Cryptographic algorithms involve substituting one thing for another, in many possible ways.

Caesar cipher: substitute each letter by the letter that appears k letters later in the alphabet; while producing what looks like gibberish, there are only 25 possible keys available.

Mono-alphabetic cipher: substitute one letter for another; now there are 26! possibilities.

Poly-alphabetic cipher: each letter could be substituted by multiple other possible letters; for example, by using several mono-alphabetic ciphers, depending on the position in the message.

E.g.:

plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq

plaintext: bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc

7

Symmetric Key Cryptography

Q: How hard is it to break these simple ciphers?

Brute force: attempt all possibilities. Simple with the Caesar cipher, but gets quite difficult with mono-alphabetic or poly-alphabetic ciphers.

Ciphertext-only attack: use statistics and other information to decrypt intercepted ciphertext. For example, simple statistics on letter placement and occurrence in English make further decryption simpler.

Known-plaintext attack: if some of the plaintext is known, one could uncover some of the plaintext-ciphertext mappings, making decryption easier. For example, if we knew “alice” was in the message, we get some of the mappings right away without much difficulty.

Chosen-plaintext attack: the intruder can choose the plaintext message and receive the ciphertext form. It gets much easier to decrypt messages; mono-alphabetic ciphers are easily broken, and poly-alphabetic ciphers get much easier too.
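The known-plaintext case above, worked with the substitution row and message from the earlier slide. This is an added example, not part of the original slides; the function names and the assumption that the known word sits at the end of the message are illustrative.

```python
import string

PLAIN = string.ascii_lowercase
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"   # substitution row from the slide

def encrypt(msg, key=CIPHER):
    """Mono-alphabetic substitution; non-letters pass through unchanged."""
    return msg.translate(str.maketrans(PLAIN, key))

def recover_mappings(ciphertext, crib, offset):
    """Align the known plaintext (crib) with the ciphertext at `offset`
    and read off ciphertext-letter -> plaintext-letter pairs."""
    table = {}
    for p, c in zip(crib, ciphertext[offset:offset + len(crib)]):
        if table.setdefault(c, p) != p:
            raise ValueError("crib does not fit at this offset")
    return table

def partial_decrypt(ciphertext, table):
    """Apply the recovered pairs; letters still unknown are shown as '_'."""
    return "".join(table.get(ch, "_") if ch.isalpha() else ch
                   for ch in ciphertext)

if __name__ == "__main__":
    ct = encrypt("bob. i love you. alice")
    known = recover_mappings(ct, "alice", len(ct) - len("alice"))
    print(ct)                          # the slide's ciphertext
    print(partial_decrypt(ct, known))  # five mappings already expose part of the text
```

One known word fixes five of the 26 mappings, which is why the 26! key space is not a measure of this cipher's strength.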

8

Symmetric Key Cryptography: Key Issues

Symmetric key cryptography: Bob and Alice share the same (symmetric) key: K

For example, the key is knowing substitution pattern in a monoalphabetic substitution cipher.

Question: How do Bob and Alice agree on key value? What if Bob and Alice have never “met” before?

Even Better Question: How is the agreed upon key distributed to both Bob and Alice in a secure fashion?

[Figure: plaintext message m → encryption algorithm (key K_A-B) → ciphertext K_A-B(m) → decryption algorithm (key K_A-B) → plaintext m = K_A-B(K_A-B(m))]

9

General approaches to Cryptography

There are two general encryption methods: Block ciphers & Stream ciphers

Block ciphers
Slice message M into (fixed size blocks) m1, …, mn
Add padding to last block
Use Ek to produce (ciphertext blocks) x1, …, xn
Use Dk to recover M from m1, …, mn

Stream ciphers
Generate a long random string (or pseudo random) called one-time pad.
Message XOR one-time pad

10

Stream Ciphers

Binary pad (keystream), use XOR instead of addition
Plaintext = original, unencrypted data
Ciphertext = encrypted data

Plaintext       1 0 0 1 0 1 1
Keystream XOR   0 1 0 1 1 0 1
Ciphertext      1 1 0 0 1 1 0
Keystream XOR   0 1 0 1 1 0 1
Plaintext       1 0 0 1 0 1 1

Two XORs with the same data always cancel out

11

Stream Ciphers

Using the keystream and ciphertext, we can recover the plaintext

But, using the plaintext and ciphertext, we can recover the keystream

Using two ciphertexts from the same keystream, we can recover the XOR of the plaintexts

Any two components of an XOR-based encryption will recover the third

Never reuse a key with a stream cipher

Better still, never use a stream cipher
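The XOR identities from the two stream-cipher slides, checked on the slide's 7-bit rows and on two constructed messages. This is an added example, not part of the original slides; the message contents and function names are made up for illustration.

```python
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    """Bytewise XOR; both inputs must have the same length."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def row(bits: str) -> bytes:
    """Turn a slide row such as '1 0 0 1' into one byte per bit."""
    return bytes(int(b) for b in bits.split())

# The 7-bit rows from the slide.
PLAINTEXT = row("1 0 0 1 0 1 1")
KEYSTREAM = row("0 1 0 1 1 0 1")
CIPHERTEXT = xor(PLAINTEXT, KEYSTREAM)

# Constructed sample messages of equal length.
M1 = b"transfer 100 to alice"
M2 = b"transfer 999 to carol"

def keystream_reuse():
    """Both messages encrypted under ONE keystream."""
    ks = secrets.token_bytes(len(M1))
    c1, c2 = xor(M1, ks), xor(M2, ks)
    return {
        "plaintext + ciphertext gives keystream": xor(M1, c1) == ks,
        "c1 XOR c2 equals m1 XOR m2": xor(c1, c2) == xor(M1, M2),
        "knowing m1 then gives m2": xor(xor(c1, c2), M1) == M2,
    }

def fresh_keystreams():
    """A new keystream per message: the XOR of ciphertexts no longer cancels."""
    c1 = xor(M1, secrets.token_bytes(len(M1)))
    c2 = xor(M2, secrets.token_bytes(len(M2)))
    return xor(c1, c2) == xor(M1, M2)

if __name__ == "__main__":
    print(keystream_reuse())     # every entry is True
    print(fresh_keystreams())    # False
```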

12

Block Ciphers

Originated with early 1970’s IBM effort to develop banking security systems

First result was Lucifer, most common variant has 128-bit key and block size

It wasn’t secure in any of its variants

Called a Feistel or product cipher

13

Block Ciphers

f()-function is a simple transformation, doesn’t have to be reversible

Each step is called a round; the more rounds, the greater the security (to a point)

Most famous example of this design is DES:
16 rounds
56 bit key
64 bit block size (L,R = 32 bits)

Designed by IBM with, uh, advice from the NSA
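A toy Feistel network showing why the f()-function does not have to be reversible: decryption runs the same rounds with the round keys reversed and never inverts f. This is an added example, not part of the original slides and not DES; the round function, constants and round keys are constructed for illustration.

```python
MASK32 = 0xFFFFFFFF
# Constructed round keys (16 rounds, like DES, but this is not DES).
ROUND_KEYS = [(0x0F1E2D3C * (i + 1)) & MASK32 for i in range(16)]

def f(half, round_key):
    """Round function. OR-ing with the key discards input bits, so f is
    many-to-one and has no inverse."""
    return ((half | round_key) * 0x9E3779B1) & MASK32

def feistel(block, round_keys):
    """Process one 64-bit block split into L and R halves of 32 bits."""
    left, right = block >> 32, block & MASK32
    for rk in round_keys:
        left, right = right, left ^ f(right, rk)   # one round
    return (right << 32) | left                    # undo the last swap

def encrypt(block, round_keys=ROUND_KEYS):
    return feistel(block, round_keys)

def decrypt(block, round_keys=ROUND_KEYS):
    # Same network, round keys in reverse order; f itself is never inverted.
    return feistel(block, round_keys[::-1])

if __name__ == "__main__":
    block = 0x0123456789ABCDEF
    ct = encrypt(block)
    print(hex(ct), hex(decrypt(ct)))
```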

14

Public Key Cryptography

Symmetric key cryptography

Requires both the sender and receiver to know the shared secret key.

Question: how do they agree on the key in the first place (particularly if they have never “met”)?

Public key cryptography

• Radically different approach [Diffie-Hellman76, RSA78].

• Sender and receiver do not share secret key.

• Public encryption key known to all.

• Private decryption key known only by the owner.


15

Public Key Cryptography

Keys are generated in pairs.

Public key is publicly registered so everyone knows it, and private one is kept secret by the owner.

Each key can decrypt what the other encrypts, but not what it encrypts itself. (That’s why this is sometimes called asymmetric cryptography.)

Important properties of key generation:

There is a one-to-one correspondence in the generated key pairs – if one key can decrypt a message, it must have been encrypted by the other.

It must be extremely difficult, if not impossible, to deduce the private key when given a public key.

16

Public Key Cryptography

[Figure: plaintext message m → encryption algorithm (Bob's public key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (Bob's private key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]

17

Public Key Cryptography

This property will be very useful later:

$K_B^-(K_B^+(m)) = m = K_A^+(K_A^-(m))$

Left side: use public key first, followed by private key

Right side: use private key first, followed by public key

Result is the same!

18

Public Key Encryption Algorithms

Diffie-Hellman: the first public key approach proposed.

RSA: the best known public key system, developed by Rivest, Shamir, and Adleman (hence RSA). Patents on this approach expired recently, allowing others to take advantage of it without licensing from RSA Security Inc.

DSA: Digital Signature Algorithm, developed by the U.S. National Security Agency (NSA).

Elliptic Curve Cryptosystems (ECC)

19

Symmetric vs. Public Key Cryptography

Which method provides stronger security?

With suitable keys and algorithms, both methods can be secure enough for most purposes.

Which method is more convenient?

To use symmetric cryptography, both parties must know the secret key, which can be quite inconvenient.

To use public key cryptography, one only needs to find the public key to communicate with someone else, which can be a lot more convenient.

Which method performs better?

Encrypting and decrypting a lot of information with public key cryptography can be painfully slow in comparison to symmetric cryptography.

20

Hybrid Secret-Public Key Cryptography

Ideally, we would like to combine the strengths of symmetric and public key cryptography, and avoid their weaknesses.

We want the efficiency of symmetric cryptography combined with the ease of use and convenience of public key cryptography.

When two parties want to communicate securely, public key cryptography is used to exchange a random symmetric session key.

Since the session key is encrypted, we can ensure secrecy and mutual authentication. Thus, key distribution and setup is easy and risk-free.

21

Hybrid Secret-Public Key Cryptography

To communicate, symmetric cryptography is used with the session key.

Since only these two parties know the session key, the messages are secure.

Since secret key cryptography is used, this can be done relatively efficiently.

When done, both parties destroy the session key. If communication is required in the future, this process is repeated from the beginning to obtain a completely new session key.

This general approach is used in Pretty Good Privacy (PGP) and elsewhere.

22

Elliptic Curve Cryptosystems

What are Elliptic Curve Cryptosystems (ECCs)?

An ECC is a cryptography system based on elliptic curve theory that can be used as a faster, smaller, and more efficient cryptosystem.

Who introduced it and when?

Miller and Koblitz (independently) in mid 1980s.

What is the basic principle?

Obtaining the same level of security as conventional cryptosystems but with much smaller key size.

23

Why ECC ?

RSA and ElGamal

Based on Integer Factorization Problem (IFP)

There exist sub-exponential algorithms for solving such problem.

ECC

Based on Elliptic Curve Discrete Logarithm Problem (ECDLP)

There is no sub-exponential algorithm known for solving ECDLP.

ECC is more secure than RSA or ElGamal

Using much smaller key size can achieve the same security as RSA or ElGamal with large key size.

RSA and ElGamal (1-2k bits). ECC 160-bits only .. !!

Standardized by ANSI, IEEE, NIST, SEC and WTLS.

24

Point Addition

Steps to find sum of two points:

Join P1 and P2.

The line meets the curve at Q.

The result is the reflection of Q about the x-axis, P3.

P1 + P2 = P3

[Figure: elliptic curve plot showing points P1, P2, Q and P3]

25

Point Doubling

What would happen if the two points lie on each other?

Adding a point to itself (doubling):

Draw a tangent line through P.

The line meets the curve at R'.

The result is the reflection of R' about the x-axis, R.

P + P = 2P = R

[Figure: elliptic curve plot showing points P, R' and R]

26

Scalar Multiplication

Also called point multiplication

KP = P + P + P + … + P (K times)

Where K is an integer.

[Figure: elliptic curve plot showing points P, 2P and 3P]

27

Elliptic Curve Discrete Logarithm Problem (ECDLP)

Given an elliptic curve and a base point P, we can compute Q = KP through K-1 iterative point additions.

Question: Is it possible to compute K when the point Q is known?

Answer: This is a hard problem known as the Elliptic Curve Discrete Logarithm Problem (ECDLP).

[Figure: Q = (x3,y3) = 3(x1,y1)]

28

Scalar Multiplication Algorithms

K can be expanded to binary representation.

$K = k_{n-1}2^{n-1} + k_{n-2}2^{n-2} + \dots + k_1 2 + k_0$

$KP = 2(2(\dots 2(2(k_{n-1}P) + k_{n-2}P) + \dots) + k_1P) + k_0P$

INPUT K, P
OUTPUT KP
Initialize Q[0] = O (the point at infinity), Q[1] = P
for i = 0 to n-1
    if k[i] = 1 then
        Q[0] = ADD(Q[0], Q[1])
    end if
    Q[1] = DBL(Q[1])
end for
return Q[0]

INPUT K, P
OUTPUT KP
Initialize Q[0] = P
for i = n-2 downto 0
    Q[0] = DBL(Q[0])
    if k[i] = 1 then
        Q[0] = ADD(Q[0], P)
    end if
end for
return Q[0]

29

Finite Fields

GF(p) (Prime finite field)
Elements are integers modulo p (0, 1, ..., p-1)
Operations are performed modulo p.
The prime number p is called the modulus of GF(p).

GF(2^m) (Binary finite field)
Elements are polynomials with degree < m and coefficients modulo 2
Operations are performed modulo a reduction polynomial with degree = m.
The reduction polynomial is called the irreducible polynomial of GF(2^m).

30

ECC Algebraic Approach

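In E/GF(p)

$y^2 = x^3 + ax + b$

Addition

$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda(x_1 - x_3) - y_1$
where $\lambda = (y_2 - y_1)/(x_2 - x_1)$

Doubling

$x_3 = \lambda^2 - 2x_1$
$y_3 = \lambda(x_1 - x_3) - y_1$
where $\lambda = (3x_1^2 + a)/(2y_1)$

In E/GF(2^m)

$y^2 + xy = x^3 + ax^2 + b$

Addition

$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$
$y_3 = \lambda(x_1 + x_3) + x_3 + y_1$
where $\lambda = (y_2 + y_1)/(x_2 + x_1)$

Doubling

$x_3 = \lambda^2 + \lambda + a$
$y_3 = \lambda(x_1 + x_3) + x_3 + y_1$
where $\lambda = x_1 + y_1/x_1$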
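The E/GF(p) addition and doubling formulas and both scalar multiplication algorithms from the earlier slide, run on a toy curve. This is an added example, not part of the original slides; the curve y^2 = x^3 + 2x + 2 over GF(17), the base point (5, 1) and all function names are chosen here for illustration, and k is assumed non-negative.

```python
# Toy parameters (constructed for this example): y^2 = x^3 + 2x + 2 over GF(17).
P_MOD, A = 17, 2
G = (5, 1)      # base point; the group has prime order 19
O = None        # point at infinity, the identity element

def add(P1, P2):
    """ADD and DBL with the E/GF(p) formulas, plus the identity cases."""
    if P1 is O or P2 is O:
        return P2 if P1 is O else P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                       # P + (-P) = O
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)        # doubling
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)     # addition
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)

def mul_right_to_left(k, P):
    """First algorithm: scan k[0] .. k[n-1], accumulating in Q[0]."""
    q0, q1 = O, P
    while k:
        if k & 1:
            q0 = add(q0, q1)
        q1 = add(q1, q1)
        k >>= 1
    return q0

def mul_left_to_right(k, P):
    """Second algorithm: start from the leading 1 bit, scan k[n-2] .. k[0]."""
    if k == 0:
        return O
    q0 = P
    for i in range(k.bit_length() - 2, -1, -1):
        q0 = add(q0, q0)
        if (k >> i) & 1:
            q0 = add(q0, P)
    return q0

def ecdlp_exhaustive(Q, P, order):
    """Recover K from Q = KP by trying every K; only feasible in a tiny group."""
    R = O
    for k in range(order):
        if R == Q:
            return k
        R = add(R, P)
    return None
```

With 19 group elements the exhaustive search finishes at once; with a group of about 2^160 elements, the key size the slides quote, the same loop is out of reach, which is the ECDLP hardness assumption.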

31

Projective Coordinates

Projective coordinate system: (x, y) → (X, Y, Z), only 1 inversion.

Projective Coordinate Systems:
Homogeneous (X/Z, Y/Z)
Jacobian (X/Z^2, Y/Z^3)
Lopez-Dahab (X/Z, Y/Z^2)
Mixed
Edwards Coordinates

32

Why Projective Coordinates ?

In E/GF(p)
One inversion operation costs 9 to 30 multiplications for 100 bits or more field elements

In E/GF(2^m)
One inversion operation costs $\lfloor \log_2(m-1) \rfloor + w(m-1) - 1$ multiplications
w(m-1) = # of 1s in the binary representation of (m-1)

Transferring the point coordinates into another coordinate system that can eliminate the intermediate inversions is a very important requirement.

[Figure: affine point → projective point → scalar multiplication → projective point → affine point]

33

Field Arithmetic: GF(2^m)

Finite field computations: coding theory and public-key cryptosystems.

The most commonly used bases are: polynomial basis (PB) and normal basis (NB).

rotation, shifting, and XORing

34

Challenges, Opportunities and more ..

Efficient Designs and Architectures (Area, Time & Power):
Scalar Multiplication Algorithms
Projective Coordinate Systems
Field Arithmetic

[Figure: circuit diagram with inputs a1 to a5 and b0 to b5, (+) nodes and output c1]

35

Challenges, Opportunities and more ..

Security Against Side Channel Attacks

Every computing device acts also as a source of additional information called side channel leak information

There are many side channel attacks in the literature

Fault: Data-dependent
Power consumed: Operation dependent, Data-and-operation dependent
Execution time: Data-and-operation dependent
Magnetic field: Operation dependent, Data-and-operation dependent

36

Challenges, Opportunities and more ..

Security Against Side Channel Attacks

(a) Power consumption trace of ECC scalar multiplication.

(b) Power consumption trace of ECC point doubling operation.
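Why the operation sequence of scalar multiplication is operation-dependent leakage, and how a double-and-add-always variant removes that dependence. This is an added example, not part of the original slides; it uses the integers modulo 19 under addition as a stand-in group (an assumption, so that DBL(x) = 2x and ADD(x, y) = x + y), and the countermeasure shown is a standard one the slides do not name.

```python
N = 19   # stand-in group: integers mod 19 under addition (assumption)

def dbl(x, trace):
    trace.append("D")
    return (2 * x) % N

def add(x, y, trace):
    trace.append("A")
    return (x + y) % N

def double_and_add(k, p):
    """Left-to-right algorithm from the slides; ADD runs only when k[i] = 1."""
    trace, q = [], p
    for bit in bin(k)[3:]:            # the bits below the leading 1
        q = dbl(q, trace)
        if bit == "1":
            q = add(q, p, trace)
    return q, "".join(trace)

def double_and_add_always(k, p):
    """Countermeasure: ADD runs in every iteration, so the operation
    sequence depends only on the bit length of k."""
    trace, q = [], p
    for bit in bin(k)[3:]:
        q = dbl(q, trace)
        t = add(q, p, trace)
        # Real implementations use a constant-time select, not a branch.
        q = t if bit == "1" else q
    return q, "".join(trace)

def bits_from_trace(trace):
    """Key bits visible in an operation trace: 'DA' means 1, a lone 'D' means 0."""
    return "1" + trace.replace("DA", "1").replace("D", "0")

if __name__ == "__main__":
    print(double_and_add(13, 1))          # trace DADDA spells out 1101
    print(double_and_add_always(13, 1))   # trace DADADA
    print(double_and_add_always(8, 1))    # same trace for a different k
```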

37

Challenges, Opportunities and more ..

Implementations: ASIC, FPGA, Smart Cards, WSN, …

38

Challenges, Opportunities and more ..

Parallel & Pipelined ECCs

39

THANKS & GOOD LUCK NEXT IS: 2 SCALAR MULTIPLICATION

Dr. Turki F. Al-Somani 2015