elliptic curve cryptography for those who are afraid of maths

Elliptic Curve Cryptographyfor those who are afraid of math(s)

Martijn Grooten, Virus Bulletin@martijn_grooten

BSides San Francisco, 29 February 2016

Disclaimer:

This talk will be useless.

Disclaimer:


I am not a cryptographer.

Disclaimer:


I am not a cryptographer.

Some things are wrong.

Elliptic curves

y2 = x3 + a·x + b

Elliptic curves

y2 = x3 + a·x + b

…and a prime number p.

Elliptic curves

y2 = x3 + a·x + b

…and a prime number p.

choice!

points

points≈numbers

P Q

P+Q

P Q

P+Q

“point addition”

P

P+P

P

2·P

P

“point doubling”2·P

P

2·P

P

2·P

2·P+P

P

2·P

3·P

P

2·P

3·P4·P

P

2·P

3·P4·P

5·P

P

2·P

3·P

“(integer) multiplication”6·P

4·P

5·P

So:We can “add” points to each other.


We can “multiply” points by an integer.


We can “multiply” points by an integer.P + Q = Q + P3·P + P = 2·P + 2·P = 4·P5·(7·P) = 7·(5·P)etc.


We can “multiply” points by an integer.P + Q = Q + P3·P + P = 2·P + 2·P = 4·P5·(7·P) = 7·(5·P)etc.

The points on a curve form an Abelian Group (very exciting!).

From P to 100·P in eight steps


To go from a point P to 100·P :


To go from a point P to 100·P :P → 2·P 2·P → 3·P 3·P → 6·P 6·P → 12·P

12·P → 24·P 24·P → 25·P 25·P → 50·P 50·P → 100·P

“Division” is very slow


Given points P and Q, where Q=n·P, the best way to find the number n is to try P, 2·P, 3·P, etc. That is very slow.


Given points P and Q, where Q=n·P, the best way to find the number n is to try P, 2·P, 3·P, etc. That is very slow.

The Discrete Logarithm Problem for elliptic curves.

ECDH (Elliptic Curve Diffie-Hellman)


The challenge: Alice and Bob want to “agree” on a secret key over a public channel.


The challenge: Alice and Bob want to “agree” on a secret key over a public channel.

For example: Alice is a web browser, Bob a web server and they want to exchange a key to encrypt a TLS session.

Alice and Bob have agreed (publicly!) on an elliptic curve and a point P on the curve.



Alice chooses secret large random number a.



Alice chooses secret large random number a.Bob chooses secret large random number b.


Alice computes a·P (a times the point P) and shares the answer with Bob.


Alice computes a·P (a times the point P) and shares the answer with Bob.Bob computes b·P and shares this too.



Alice computes a·(b·P) (a times the point Bob gave her).



Alice computes a·(b·P) (a times the point Bob gave her).Bob computes b·(a·P).



Alice computes a·(b·P) (a times the point Bob gave her).Bob computes b·(a·P). Secret key: a·(b·P) = b·(a·P)


Homework: find ECDH in Wireshark

Random number generators


True randomness


True randomness

output

Random number generators using ECC

Discrete Logarithm Problem:n → n·P

gives “random” points/numbers.




n0




n0 n1

n0·P




n0 n1 n2

n0·P n1·P




n0 n1 n2

n0·P n1·P n2·P




n0 n1 n2

n0·P n1·P n2·P

n1 n2




n0 n1 n2

n0·P n1·P n2·P

n1 n2

n1·P


Given: elliptic curve with two points P and Q.


n0


32-byte seed


n0 n1


n0·P

32-byte seed


n0 n1


n0·P

n1·Q32-byte seed

30 bytes


n0 n1 n2


n0·P n1·P

n1·Q32-byte seed

30 bytes


n0 n1 n2


n0·P n1·P

n1·Q n2·Q32-byte seed

30 bytes 30 bytes


n0 n1 n2


n0·P n1·P n2·P


30 bytes 30 bytes


n0 n1 n2


n0·P n1·P n2·P


30 bytes 30 bytes

Note: ideas from this slide and the next are borrowed from Bernstein, Heninger and Lange (NCSC ‘14).


Fact: P=d·Q for some (large) number d.


n0 n1 n2


n0·P n1·P n2·P


30 bytes 30 bytes


n0 n1 n2


n0·P n1·P n2·P


30 bytes 30 bytes

216 possibilities


n0 n1 n2


n0·P n1·P n2·P


30 bytes 30 bytes

216 possibilities r1


n0 n1 n2


n0·P n1·P n2·P


30 bytes 30 bytes


d·r1


n0 n1 n2


n0·P n1·P n2·P


30 bytes 30 bytes


d·r1

n2 = n1·P = n1(d·Q)


n0 n1 n2


n0·P n1·P n2·P


30 bytes 30 bytes


d·r1

n2 = n1·P = n1(d·Q)

= d·(n1·Q)


n0 n1 n2


n0·P n1·P n2·P


30 bytes 30 bytes


d·r1

n2 = n1·P = n1(d·Q)

= d·(n1·Q)

= d·r1

So who, if anyone, knows d?


“Dual_EC_DRBG”


“Dual_EC_DRBG”

NB: this RNG is bad for many otherreasons!

What happened at Juniper?


Juniper used Dual_EC_DRBG (in ScreenOS) but with different P, Q.



In theory that is OK, but…



In practice… Oops.

In theory that is OK, but…

Anything else up their sleeve?


The widely used curves (P-256 etc.) use “unexplained” constants. We can't exclude that they weren't chosen to create a backdoor.


The widely used curves (P-256 etc.) use “unexplained” constants. We can't exclude that they weren't chosen to create a backdoor.

There probably isn't such a backdoor, but we should aim for “nothing up my sleeve” constants (e.g. Curve25519).

Suggested reading

"A Riddle Wrapped in an Enigma"by Neal Koblitz and Alfred J. Menezes

http://eprint.iacr.org/2015/1018.pdf

ECC: a good idea?

Elliptic curve cryptography is a good idea because we can do with much smaller keys.

ECC: a good idea?


256-bit ECC ≈ 3072-bit RSA.

ECC: a good idea?


256-bit ECC ≈ 3072-bit RSA.

Elliptic curve crypto uses complicated maths. That is its biggest weakness.

Thank you!

@[email protected]

www.virusbulletin.com

PS “How Broken Is Our Crypto Really?” 3 March, 8:00am, room 2005 @ RSA.

elliptic curve cryptography for those who are afraid of maths

Technology