elliptic curve cryptography an introduction

Dr. F. Vercauteren, Katholieke Universiteit Leuven, 22 April 2008


Cryptography

Elliptic Curves

EC Cryptographic Primitives

Pairings


Cryptography

Cryptography provides the technical means to secure information in electronic form.

- Confidentiality: protection of data from unauthorized disclosure.
- Data integrity: assurance that data received are exactly as sent by an authorized entity.
- Authentication: assurance that the communicating entity is the one that it claims to be.
- Non-repudiation: prevents an entity from denying previous commitments or actions.


Symmetric Key Cryptography

[Figure: symmetric key cryptosystem. Labels: Alice, Bob, plaintext 110100011100, ciphertext, encryption key = decryption key.]


Public Key Cryptography

[Figure: public key cryptosystem. Labels: Alice, Bob, plaintext 110100011100, ciphertext, encryption key (public key of Bob, from the public list), decryption key (private key of Bob).]


Factoring and Discrete Logarithm Problem

- Rivest-Shamir-Adleman (1977): RSA based on factoring.
  - Main idea: easy to find two large primes $p$ and $q$, but very hard to find $p$ and $q$ from $n = p \cdot q$.
  - RSA still most popular public key cryptosystem.
- ElGamal (1984): discrete logarithm problem (DLP).
  - Group $G$ is set with operation $\cdot$ and each element has inverse.
  - Main idea: very easy to compute $h = g^x$ for given $x$, but very hard to find $x$ given $h$ and $g$.
  - Popular choices: finite fields and elliptic curves.


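Diffie-Hellman Key Agreement

Choose a large prime number $p$ and a generator $\alpha$ mod $p$

Alice: $x_A \in_R [1, p-1]$, $\alpha^{x_A}$
Alice → Bob: $\alpha^{x_A}$
Bob: $x_B \in_R [1, p-1]$, $\alpha^{x_B}$
Bob → Alice: $\alpha^{x_B}$
Alice: $K_{BA} = (\alpha^{x_B})^{x_A}$
Bob: $K_{BA} = (\alpha^{x_A})^{x_B}$

- Note: all calculations mod $p$
- Security based on Diffie-Hellman problem: given $\alpha^{x_A}$ and $\alpha^{x_B}$ compute $\alpha^{x_A x_B}$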


Elliptic Curves

Definition

- Elliptic curve $E$ over field $K$ is defined by

  $$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, \quad a_i \in K$$

- The set of $K$-rational points $E(K)$ is defined as

  $$E(K) = \{(x, y) \in K \times K \mid y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6\} \cup \{\infty\}$$

- $\infty$ is called point at infinity

Theorem

There exists an addition law on $E$ and the set $E(K)$ is a group


Elliptic Curves over R

[Figure: plots over R of the curves $y^2 = x^3 + 4x^2 + 4x + 3$ and $y^2 = x^3 - 7x + 6$.]


Addition Law on Elliptic Curves

[Figure: two panels on the curve $y^2 = x^3 - 7x + 6$. Adding two points: labels $P$, $Q$, $R$, $P \oplus Q$, lines $L$ and $L'$. Doubling a point: labels $P$, $R$, $2P$, lines $L$ and $L'$.]


Addition Law on Elliptic Curves

By definition: three points on a line sum to zero!

Let $P_1 \oplus P_2 = P_3$, with $P_i = (x_i, y_i) \in E$

- If $x_1 = x_2$ and $y_1 + y_2 + a_1 x_2 + a_3 = 0$, then $P_1 \oplus P_2 = \infty$,
- Else, for $x_1 \neq x_2$:

  $$\lambda = (y_2 - y_1)/(x_2 - x_1), \qquad \nu = (y_1 x_2 - y_2 x_1)/(x_2 - x_1)$$

  and for $x_1 = x_2$:

  $$\lambda = (3x_1^2 + 2a_2 x_1 + a_4 - a_1 y_1)/(2y_1 + a_1 x_1 + a_3), \qquad \nu = (-x_1^3 + a_4 x_1 + 2a_6 - a_3 y_1)/(2y_1 + a_1 x_1 + a_3)$$

The point $P_3 = P_1 \oplus P_2$ is given by

$$x_3 = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2, \qquad y_3 = -(\lambda + a_1) x_3 - \nu - a_3$$


Finite Fields

- Practical applications need exact arithmetic, so
  - not $\mathbb{R}$ since not exact
  - not $\mathbb{Q}$ since size of numbers involved grows too fast
- Consider elliptic curves over finite fields:
  - $\mathbb{F}_p$ with $p$ prime: represented by $\mathbb{Z}$ mod $p$
  - $\mathbb{F}_{2^n}$ with $2^n$ elements: represented by $\mathbb{F}_2[X]$ mod $P(X)$, i.e. binary polynomials modulo an irreducible polynomial $P(X)$


Elliptic Curves over Finite Fields

[Figure: the points of the elliptic curve $y^2 = x^3 + x + 3$ mod 23, plotted on a grid with both axes running from 0 to 22.]


Number of Points on Elliptic Curve

- Theorem: the cardinality $\#E(\mathbb{F}_q)$ satisfies

  $$\#E(\mathbb{F}_q) = q + 1 - t$$

  with $|t| \le 2\sqrt{q}$.
- For $\gcd(q, t) = 1$, all possibilities occur.


Elliptic Curve DLP

- Let $G$ be an abelian group generated by $P \in G$
- Let $Q = s \cdot P$, then the DLP is to compute $s$ given $P$ and $Q$
- Classically: $G = \mathbb{F}_q^\times$
- For $G = E(\mathbb{F}_q)$, the DLP is called ECDLP

Note: can translate primitives based on DLP to ECDLP setting


Security of ECDLP: General Attacks

- Exhaustive search: impossible if group order $> 2^{80}$
- Pohlig-Hellman: suppose $\#E(\mathbb{F}_q) = p_1^{s_1} \cdot p_2^{s_2} \cdots p_k^{s_k}$, then can reduce ECDLP to subgroups of order $p_i$ ⇒ $\#E(\mathbb{F}_q)$ should have large prime divisor $p$
- Pollard rho & lambda: random walk, constant space, time complexity is $O(\sqrt{p})$

Conclusion:

- $\#E(\mathbb{F}_q) > 2^{160}$ and divisible by large prime $p$
- Best general attack is exponential in $p$
- DLP in $\mathbb{F}_q$ is sub-exponential: $L_q[1/3, b]$ with

  $$L_N[a, b] = O\left(e^{(b + O(1))(\ln N)^a (\ln \ln N)^{1-a}}\right)$$
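The point-count theorem and the "large prime divisor" conclusion above can be checked numerically on the slides' toy curve $y^2 = x^3 + x + 3$ mod 23. The Python below is an added example, not part of the original slides; the function names are hypothetical, and the brute-force count only works for tiny fields.

```python
from math import isqrt

def count_points(a, b, p):
    """#E(F_p) for y^2 = x^3 + a*x + b by brute force (tiny p only), via Euler's criterion."""
    total = 1                                    # the point at infinity
    for x in range(p):
        rhs = (x**3 + a * x + b) % p
        if rhs == 0:
            total += 1                           # single point (x, 0)
        elif pow(rhs, (p - 1) // 2, p) == 1:
            total += 2                           # two square roots: (x, y) and (x, -y)
    return total

def hasse_ok(order, q):
    """Check |t| <= 2*sqrt(q) for t = q + 1 - order, using integers only."""
    t = q + 1 - order
    return t * t <= 4 * q

def factorize(n):
    """Trial-division factorisation as {prime: exponent}."""
    factors, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            factors[d] = factors.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        factors[n] = 1
    return factors

def audit(a, b, p):
    """Order, trace, and the largest prime subgroup that bounds generic ECDLP cost."""
    order = count_points(a, b, p)
    factors = factorize(order)
    ell = max(factors)
    return {"order": order, "trace": p + 1 - order, "hasse": hasse_ok(order, p),
            "factors": factors, "largest_prime": ell,
            "rho_steps": isqrt(ell)}             # ~sqrt(l) group operations for Pollard rho
```

`audit(1, 3, 23)` reports order 27 = 3^3 for the slides' curve, so its largest prime subgroup has order 3: exactly the situation the Pohlig-Hellman bullet says a deployed curve must avoid.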


Comparison with RSA & DSA: Security

[Figure: key lengths in bits for equivalent cryptographic strength. Horizontal axis: key length of conventional systems RSA and DSA (0 to 10000); vertical axis: key length of elliptic curve system (0 to 500). Curves labelled ECDSA and RSA & DSA.]


Overview

- Key Agreement Primitives
  - ECDH: EC Diffie-Hellman Secret Value Derivation
  - ECMQV: EC Menezes-Qu-Vanstone Secret Value Derivation
- Signature Primitives
  - ECNR: EC Nyberg-Rueppel Signatures
  - ECDSA: EC Digital Signature Algorithm
- Encryption Primitives
  - ECIES: EC Integrated Encryption Scheme


Pairings

- Let $G_1$, $G_2$, $G_T$ be groups of prime order $\ell$. A pairing is a non-degenerate bilinear map $e : G_1 \times G_2 \to G_T$.
- Bilinearity:
  - $e(g_1 + g_2, h) = e(g_1, h)\,e(g_2, h)$,
  - $e(g, h_1 + h_2) = e(g, h_1)\,e(g, h_2)$.
- Non-degenerate:
  - for all $g \neq 1$: $\exists x \in G_2$ such that $e(g, x) \neq 1$
  - for all $h \neq 1$: $\exists x \in G_1$ such that $e(x, h) \neq 1$
- Examples:
  - Scalar product on vector space over finite fields $\langle \cdot, \cdot \rangle : \mathbb{F}_q^n \times \mathbb{F}_q^n \to \mathbb{F}_q$.
  - Weil and Tate pairings on elliptic curves and abelian varieties.


Pairings in cryptography

- Exploit bilinearity: original schemes $G_1 = G_2$
- MOV: DLP reduction from $G_1$ to $G_T$

  DLP in $G_1$: $(g, xg)$ ⇒ DLP in $G_T$: $(e(g, g), e(g, g)^x)$

- Decision DH easy in $G_1$

  DDH: $(g, ag, bg, cg)$, test if $e(g, cg) = e(ag, bg)$

- Identity based crypto, short signatures, ...


Torsion subgroups

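- $E[\ell]$ subgroup of points of order dividing $\ell$, i.e.

  $$E[\ell] = \{P \in E(\overline{\mathbb{F}}_q) \mid [\ell]P = \infty\}$$

- Structure of $E[\ell]$ for $\gcd(\ell, q) = 1$ is $\mathbb{Z}/\ell\mathbb{Z} \times \mathbb{Z}/\ell\mathbb{Z}$.
- Let $\ell \mid \#E(\mathbb{F}_q)$, then $E(\mathbb{F}_q)[\ell]$ gives at least one component.
- Embedding degree: $k$ minimal with $\ell \mid (q^k - 1)$.
- Note $\ell$-roots of unity $\mu_\ell \subseteq \mathbb{F}_{q^k}^\times$.
- If $k > 1$ then $E(\mathbb{F}_{q^k})[\ell] = E[\ell]$.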


Functions and divisors

- Consider the function $f = \frac{(x-1)^2 (x+2)}{x}$ on $\mathbb{P}^1$

[Figure: plot of $f$ for $x$ from −4 to 4, vertical axis from −25 to 20.]

- Divisor of $f$: $(f) = 2(P_1) + (P_{-2}) - (P_0) - 2(P_\infty)$
- Support of $(f)$: $\mathrm{Supp}((f)) = \{P_1, P_{-2}, P_0, P_\infty\}$
- Given divisor $(f)$, function is determined up to constant.


Miller functions

- Let $P \in E(\mathbb{F}_q)$ and $n \in \mathbb{N}$.
- A Miller function $f_{n,P}$ is any function in $\mathbb{F}_q(E)$ with divisor

  $$(f_{n,P}) = n(P) - ([n]P) - (n-1)(\infty)$$

- $f_{n,P}$ is determined up to a constant $c \in \mathbb{F}_q^\times$.
- $f_{n,P}$ has a zero at $P$ of order $n$.
- $f_{n,P}$ has a pole at $[n]P$ of order 1.
- $f_{n,P}$ has a pole at $\infty$ of order $(n-1)$.
- For every point $Q \neq P, [n]P, \infty$, we have $f_{n,P}(Q) \in \mathbb{F}_q^\times$.


Tate pairing

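- Let $P \in E(\mathbb{F}_{q^k})[\ell]$ and $f_{\ell,P} \in \mathbb{F}_{q^k}(E)$ with

  $$(f_{\ell,P}) = \ell(P) - \ell(\infty)$$

- Note: $f_{\ell,P}$ has zero of order $\ell$ at $P$ and pole of order $\ell$ at $\infty$.
- Tate pairing is defined as (assuming normalisation)

  $$\langle P, Q \rangle_\ell = f_{\ell,P}(Q)$$

- Technical stuff: need to adjust domain and image

  $$\langle \cdot, \cdot \rangle_\ell : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k})/\ell E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^\times / (\mathbb{F}_{q^k}^\times)^\ell$$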


Reduced Tate pairing

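- By definition, value of $\langle \cdot, \cdot \rangle_\ell$ only defined up to $\ell$-th powers.

  $$\langle \cdot, \cdot \rangle_\ell : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k})/\ell E(\mathbb{F}_{q^k}) \to \mathbb{F}_{q^k}^\times / (\mathbb{F}_{q^k}^\times)^\ell$$

- In practice: want unique output of the function!
- Reduced Tate pairing $e : E(\mathbb{F}_{q^k})[\ell] \times E(\mathbb{F}_{q^k})/\ell E(\mathbb{F}_{q^k}) \to \mu_\ell$

  $$e(P, Q) = \langle P, Q \rangle_\ell^{(q^k - 1)/\ell} = f_{\ell,P}(Q)^{(q^k - 1)/\ell}$$

- Tate pairing is bilinear and non-degenerate.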


Miller’s Algorithm

- Use double-add algorithm to compute $f_{n,P}$ for any $n \in \mathbb{N}$.
- Exploit relation:

  $$f_{m+n,P} = f_{m,P} \cdot f_{n,P} \cdot \frac{l_{[n]P,[m]P}}{v_{[n+m]P}}$$

- $l_{[n]P,[m]P}$: the line through $[n]P$ and $[m]P$
- $v_{[n+m]P}$: the vertical line through $[n+m]P$
- Evaluate at $Q$ in every step


Conclusions

- Elliptic curves provide an alternative to RSA & DSA
- No sub-exponential time algorithm to solve ECDLP
- Smaller key sizes, sometimes faster than DSA & RSA, more future proof
- Typical applications: PDAs, phones, smart cards, ...
- Examples: Blackberry, Wii, German passports, future EMV
- Pairings on elliptic curves: identity based crypto, short signatures, ...


EC Digital Signature Algorithm (ECDSA)

- ECDSA is elliptic curve analog of DSA
- Used to provide data origin authentication, data integrity and non-repudiation
- Standards for ECC (including ECDSA & ECIES):
  - ANSI X9.62, X9.63
  - NIST FIPS 186-2
  - IEEE 1363-2000
  - ISO/IEC 14888-3, 9796-4, 15946
  - SECG


EC Key Pair Generation

- Domain parameters
  - Elliptic curve $E$ over finite field $\mathbb{F}_q$
  - Point $G \in E(\mathbb{F}_q)$, $n = \mathrm{ord}(G)$ and cofactor $h = \#E(\mathbb{F}_q)/n$
- Private and public key
  - Select random integer $d$ in the interval $[1, n-1]$
  - Compute $Q = d \cdot G$
  - Public key is $Q$, private key is $d$


ECDSA Signature Generation

To sign a message m do the following:

1. Select a random integer $k$ with $1 \le k \le n - 1$
2. Compute $k \cdot G = (x_1, y_1)$ and $r \equiv x_1 \bmod n$. If $r = 0$ go to step 1
3. Compute $k^{-1} \bmod n$
4. Compute $e = \mathrm{HASH}(m)$
5. Compute $s \equiv k^{-1}(e + dr) \bmod n$. If $s = 0$ go to step 1
6. The signature for the message $m$ is $(r, s)$


ECDSA Signature Verification

To verify a signature $(r, s)$ on $m$ do the following:

1. Verify that $r$ and $s$ are integers in the interval $[1, n-1]$
2. Compute $e = \mathrm{HASH}(m)$
3. Compute $w \equiv s^{-1} \bmod n$
4. Compute $u_1 \equiv ew \bmod n$ and $u_2 \equiv rw \bmod n$
5. Compute $u_1 \cdot G + u_2 \cdot Q = (x_1, y_1)$ and $v \equiv x_1 \bmod n$
6. Accept signature if and only if $v = r$


ECDSA vs. RSA: Speed (ms)

Elliptic curve over $\mathbb{F}_{2^{233}}$

                                 RIM pager   PalmPilot   Pentium II
Key Generation                       1,552       2,573         3.11
ECDSA Signing                        1,910       3,080         4.03
ECDSA Verifying                      3,701       5,878         7.87

2048-bit modulus

                                 RIM pager   PalmPilot   Pentium II
RSA Key Generation                       —           —       26,442
RSA Signing                        111,956     288,236       440.69
RSA Verifying (e = 3)                1,087       2,392          4.2
RSA Verifying (e = 2^16 + 1)         3,608       7,973        13.45

More info: Brown et al.: PGP in Constrained Wireless Devices
