elliptic curves in cryptography
DESCRIPTION
Elliptic Curves in Cryptography. Ipsita Sahoo 10IT61B05 School of Information Technology IIT Kharagpur October 29, 2011 . Outline. Introduction Background of Public Key Cryptosystem Definition of Elliptic Curves Elliptic Curve on Finite Fields What is Elliptic Curve Cryptography? - PowerPoint PPT PresentationTRANSCRIPT
Ipsita Sahoo10IT61B05
School of Information TechnologyIIT Kharagpur
October 29, 2011
ELLIPTIC CURVES IN CRYPTOGRAPHY
OUTLINE Introduction
Background of Public Key Cryptosystem
Definition of Elliptic Curves
Elliptic Curve on Finite Fields
What is Elliptic Curve Cryptography?
Elliptic Curve Key Pairs
ECDH
ECDSA
Comparable key sizes
Advantages and Disadvantages of ECC
Applications
Summary
References
INTRODUCTION
The use of elliptic curves in cryptography was suggested by Neal Koblitz and Victor S. Miller in 1985.
The Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.
Security of Public-key Cryptography depends on the difficulty of solving the hard problems defined in complexity Theory.
For Elliptic curve based protocols, it is assumed that finding the discrete logarithm of an elliptic curve element is infeasible. The size of the elliptic curve determines the difficulty of the problem.
Over the past few years elliptic curve cryptography has been gaining popularity and being standardized around the world by agencies such as ANSI,IEEE and ISO.
BACKGROUND OF PUBLIC KEY CRYPTOSYSTEM
The cryptosystems based on following mathematical problems are considered secure and efficient:
Integer Factorization Problem(IFP)
Examples are RSA, Rabin-Williams
Discrete Logarithm Problem(DLP)
DSA, Diffie-Hellman and MQV key agreement scheme, the ElGamal encryption and signature scheme etc.
Elliptic Curve Discrete Logarithm Problem(ECDLP)
ECDSA, Elliptic Curve Diffie-Hellman & elliptic curve MQV key agreement schemes the ElGamal encryption and signature scheme etc.
Since 1985, ECC has received intense security from cryptographers, mathematicians, and computer scientists around the world. On the other hand, the fact that no significant weaknesses have been found so as a result high confidence in the security of ECC.
ECC has become more attractive rather than RSA and DSA.
DEFINITION OF ELLIPTIC CURVES
The General equation for an elliptic curve as all points on the curve is: y2+b1xy+b2y=x3+a1x2+a2x+a3
Elliptic curves over real number use a special case of elliptic curves of the form:
y2 = x3+ax+b
where the coefficients ‘a’ and ‘b’ are elements of the field and satisfies equation 4a3+27b2 ≠ 0, to represent nonsingular elliptic curve. Each value of ‘a’ and ‘b’ gives different elliptic curve.
An equation of this kind can be studied over various mathematical structures, such as a ring or a field.
An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with a rational point (which may be a point at infinity).
The field K is usually taken to be the complex numbers, reals, rationals, algebraic extensions of rationals, or a finite field.
One interesting property of set of solutions of elliptic curve is that it forms a group which enables us to do Cryptography. The public key is a point in curve and private key is a random number. The public key is obtained by multiplying the private key with the generator point G in the curve.
Elliptic curves groups for cryptography are examined with the underlying finite fields of GF(p) (where p>3 is a prime) and GF(2n) (a binary representation with 2n elements).
GRAPHICAL REPRESENTATION
Elliptic curve over
a real field with
a = -4 and b = 0
equation:
y2 = x3 - 4x
The equation is
non-singular with
three real roots.
POINT ADDITION
Point addition is the addition of two points P and Q on an elliptic curve to obtain another point R on the same elliptic curve.
Where,
and is the slop of the line and is given by following formula:
POINT DOUBLING
Point doubling is the addition of a point P on the elliptic curve to itself to obtain another point R on the same elliptic curve.
POINT MULTIPLICATION
In point multiplication a point P on the elliptic curve is multiplied with a scalar k using elliptic curve equation to obtained another point Q on the same elliptic curve.
i.e. Q = kP
Point multiplication is achieved by adding the point P to itself k times.
Point multiplication is also achieved by two basic elliptic curve operations
1. Point addition
2. point doubling
For example if k= 11 then kP=11.P=2(2(2P)+P)+P
THE ABELIAN GROUP
An abelian group using points on elliptic curve E can be defined with two points P, Q in E and the third point denoted by R (R=P+Q) on E, then following relations hold for all P, Q, R in E:
Closure: R = P+Q and R = P+P
Associativity: (P+Q)+R = P+(Q+R)
Commutativity: P+Q = Q+P
Existence of an identity element: P+O = O+P = P
Existence of inverses: there exists (-P) such that, -P+P = P+(-P) = O
ELLIPTIC CURVE ON FINITE FIELD
To make operations on elliptic curve accurate and more efficient, the elliptic curve cryptography is defined over two finite fields.
Prime field GF(p)
Binary field GF(2n)
The field is chosen with finitely large number of points suited for cryptographic operations.
ELLIPTIC CURVE OVER GF(p)
Let GF(p) be a finite field, p > 3, and let a, b GF(p) are constant such that
4a3 + 27b2 (mod p) ≠ 0 (mod p). An elliptic curve, Ep(a,b), is defined as the set of points
(x,y) GF(p) which satisfy the equation
y2 x3 + ax + b (mod p)
Here the elements of the finite field are integers between 0 and p-1. All the operations such as addition, subtraction, division, multiplication involves integers between 0 and p-1.
This finite group with a special point, O, called the point at infinity or Zero point.
The prime number p is chosen such that there is finitely large number of points on the elliptic curve to make the cryptosystem secure. Standards for Efficient Cryptography (SEC) specifies curves with p ranging between 112-512 bits.
ALGEBRAIC RULES FOR PRIME FIELDS GF(p)
P and Q be two points on Ep(a,b) and O is the point at infinity.
If P = (x1,y1) then -P = (x1 ,-y1)
and P + (-P) = O. Here -y1 is the additive inverse of y1.
If P = (x1,y1) and Q = (x2,y2), and P and Q are not O.
then P +Q = (x3 ,y3) where
x3 = 2 - x1 - x2
y3 = (x1 - x3) - y1
and = (y2-y1)/(x2-x1) if P ≠ Q
= (3x12+a)/ 2y1 if P = Q
ELLIPTIC CURVE OVER GF(2n) FOR SOME n 1
Elliptic curve Ep(a,b) is defined to be
the set of points (x,y) GF(2n) which satisfy the equation
y2 + xy = x3 + ax2 + b
where x, y GF(2n) and b≠0,
together with the point on the curve at infinity, O. The points on an elliptic curve form an abelian
group under a well defined group operation. The identity of the group operation is the point O.
ALGEBRAIC RULES FOR BINARY FIELD GF(2n)
The rules for adding points in GF(2n) is slightly different from the rules for GF(p).
In finding inverse If P=(x, y), then –P=(x, x + y)
If P = (x1,y1) and Q = (x2,y2), and P and Q are not O.
then P +Q = (x3 ,y3),
where x3 = 2+ +x1+x2+a
y3 = (x1 + x3) + x3 + y1
and = (y1+y2)/(x1+x2) if P ≠ Q
If Q=P, then R=P+P (or R=2P) can be found as
x3 = 2 + + a y3 = x12 + (+1) x3
and = (x1 y1 + x1)/ y1 if P = Q
WHAT IS ELLIPTIC CURVE CRYPTOGRAPHY (ECC)?
Elliptic curve cryptography (ECC])is a public-key cryptosystem just like RSA, Rabin, and ElGamal.
Every user has a public and a private key.
Public key is used for encryption/signature verification.
Private key is used for decryption/signature generation.
Elliptic curves are used as an extension to other current cryptosystems.
Elliptic Curve Diffie-Hellman Key Exchange
Elliptic Curve Digital Signature Algorithm
ELLIPTIC CURVE CRYPTOSYSTEM
Majority of public key cryptosystems (RSA,DH) use either integer or polynomial arithmetic with very large numbers/polynomials.
Imposes a significant load in storing and processing keys and messages.
The security of ECC depends on the difficulty of Elliptic Curve Discrete Logarithm problem. Let P and Q be two points on an elliptic curve such that kp=Q, where k is scalar. Given P and Q , it is computationally infeasible to obtain k, if k is sufficiently large. K is the discrete logarithm of Q to the base P.
All operations are performed over a Galois Field. So, results of kP seem rather “random”
ECC DOMAIN PARAMETERS ECC domain parameters[1] over GF(p), are a sextuple :
T = (p, a, b, G, n, h) p is the prime number defined for finite field GF(p).
a and b GF(p) defining the curve
y2 x3 + ax + b (mod p) for p > 3
y2 + xy = x3 + ax2 + b for 2n where n 1
G is the generator point or base point (xG,yG) on Ep(a,b)
n a prime which is the order of G
(The order of a point P on an elliptic curve is the smallest positive integer r such that rP = O.)
An integer h which is the cofactor h = # Ep(a,b) /n. where # Ep(a,b) represents number of points on elliptic curve and is called the curve order.
ELLIPTIC CURVE KEY PAIR GENERATION
An elliptic curve key pair(d, Q) associated with T consists of an elliptic curve secret key d , and an elliptic curve public key Q= (xQ, yQ) .
Elliptic curve key pairs should be generated [2] as follows:
Input: Valid elliptic curve domain parameters T= ( p, a, b, G, n, h)
Output: An elliptic curve key pair(d, Q) associated with T .
Actions: Generate an elliptic curve key pair as follows:
1. Randomly select an integer d in the interval[1,n 1].
2. Calculate Q= dG.
3. Output(d, Q).
ELLIPTIC CURVE PUBLIC KEY VALIDATION
Input: Valid elliptic curve domain parameters T= ( p, a, b, G, n, h) and an elliptic curve public key Q= (xQ, yQ) associated with T .
Output: An indication of whether the elliptic curve public key is valid or not — either ‘valid’ or ‘invalid’.
Actions: Validate[2] the elliptic curve public key as follows:1. Check that Q ≠ O.2. If T represents elliptic curve domain parameters over GF(p), check that xQ and yQ are integers in the range[1, p-1], and that:
yQ2 xQ
3 + axQ + b (mod p)3. Check that nQ= O.4. If any of the checks fail, output ‘invalid’, otherwise output ‘valid’.
ECDH – ELLIPTIC CURVE DIFFIE HELLMAN
ECDH is a key agreement protocol that allows two parties to establish a shared secret key that can be used as a private key for encryption algorithms.
Both parties exchange some public information to each other, Using this public data and their own private data these parties calculates the shared secret key. Any third party, who doesn’t have access to the private details of each device, will not able to calculate the shared secret from the available public information.
For generating a shared secret between A and B using ECDH, both have to agree up on Elliptic Curve domain parameters.
ECDH CONTD… Both end have a key pair consisting of a private key d (a randomly
selected integer less than n) and a public key Q = d * G (G is the generator point).
Let (dA, QA) be the private and public key pair of A and (dB, QB) be the private and public key pair of B
The end A computers K = (xK, yK) = dA * QB
The end B computes L = (xL, yL) = dB * QA
Since dAQB = dA dB G = dBQA , therefore K = L and hence xK = xL
Hence the shared secret is xK
It is practically impossible to find the private key dA or dB form the public key K or L, its not possible to obtain the shared secret for a third party.
ECDSA - ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM
Used for authenticating a device or message sent by the device
Signature Generation:
To sign a message m, an entity A with domain parameters (p, Ep(a,b), G, n) and associated key pair (x, Q) does the following:
1. Select an integer k such that 1 ≤ k ≤ n-1
2. Compute kQ = (x1, y1)
3. Compute r = x1 (mod n). If r = 0 then go to step 1
4. Compute k-1 (mod n)
5. Compute SHA-1(m) and convert this string to an integer H(m)
6. Compute s = k-1 (H(m )+ xr ) (mod n). If s = 0, then go to step 1
7. A’s signature for the message m is (r, s)
ECDSA CONTD… Signature Verification:
To verify A’s signature (r, s) on m, B obtains an authentic copy of A’s domain parameter (p, Ep(a,b), G, n) and associated public key Q. B then does the following:
1. Verify that r and s are integers in the interval [1, n-1]
2. Compute SHA-1(m) and convert this string to an integer H(m)
3. Compute w = s (mod n)
4. Compute u = H(m) w (mod n) and u = rw (mod n)
5. Compute X = (x2, y2) = u1G + u2Q
6. If X = O, then reject the signature. Otherwise, compute v = x (mod n)
7. Accept the signature if and only if v = r
COMPARABLE KEY SIZES (BASED ON RUNNING TIME)
ECC, DSA and RSA key length comparisons[5] done by Lopez and Dahab in May 2000.
RSA VS ECC
Figure from [3]
ADVANTAGES OF ECC
Alternative hard problem
Speed
Data size
New types of schemes
Many options
DISADVANTAGES OF ECC
Alternative hard problem
Curve generation
Many options
APPLICATIONS OF ECC
Wireless communication devices
Smart cards
Web servers that need to handle many encryption sessions
Any application where security is needed but lacks the power, storage and computational power that is necessary for our current cryptosystems
SUMMARY OF ELLIPTIC CURVES IN CRYPTOGRAPHY
ECC offers an attractive alternative to other public-key cryptosystems
new hard problem (analogous to discrete log)
Q=kP, where Q,P belong to a prime curve
given k,P “easy” to compute Q
given Q,P “hard” to find k , known as the elliptic curve logarithm problem (k must be large enough)
ECC security relies on elliptic curve logarithm problem
smaller key size compare with RSA etc.
for similar security ECC offers significant computational advantages
REFERENCES
[1] http://www.secg.org/collateral/sec2_final.pdf
[2] http://www.secg.org/collateral/sec1_final.pdf
[3] “The Basics of ECC”, http://www.certicom.com
[4] http://mathworld.wolfram.com/EllipticCurve.html
[5] An Overview of Elliptic Curve Cryptography by Julio Lopez and Richard Dahab May 2000. http://citeseer.ist.psu.edu/lop00overview.html
[6] http://www.dkrypt.com/home/ecc
[7] Cryptography and Network Security principles and practices by William Stallings 4th edition, Prentice-Hall of India
THANK YOU