A tutorial of elliptic curve cryptography - 123seminarsonly.com · 2013-01-01 · A Tutorial on Elliptic Curve Cryptography 6 Fuwen Liu History of ECC In 1985, Neal Koblitz [2] and


Brandenburg Technical University of Cottbus

Computer Networking Group

A Tutorial on Elliptic Curve Cryptography

A Tutorial on Elliptic Curve Cryptography (ECC)

Fuwen Liu

[email protected]

Contents

I. Introduction
II. Elliptic Curves over Real Numbers
III. Elliptic Curves over Prime Field and Binary Field
IV. Security Strength of ECC System
V. ECC Protocols
VI. Patents and Standards
VII. Final Remarks

I. Introduction

Basic concept

- Cryptography is a mathematically based technology for securing information sent over a public channel. There are two objectives:
  - Privacy: no information is accessible to unauthorized parties.
  - Authentication: information is not altered in transit, and the communicating parties are legitimate.
- Cryptographic systems fall into two categories [1]:
  - Unconditionally secure systems resist any cryptanalytic attack, no matter how much computation is used.
    - The one-time pad is the typical example.
    - It requires a key stream as long as the plaintext, so it is rarely deployed in practice.
  - Conditionally secure systems are computationally infeasible to break, but would succumb to an attack with unlimited computation.
    - Essentially all modern cryptographic systems are built on the conditionally secure principle.

Motivation

- Public key (asymmetric) cryptographic algorithms play an important role in providing security services:
  - Key management
  - User authentication
  - Signatures
  - Certificates
- Public key cryptosystems rely on the hardness of mathematical problems:
  - RSA: the integer factorization problem
  - DH: the discrete logarithm problem
- The main problem of conventional public key cryptosystems is that the key size has to be sufficiently large to meet high-level security requirements.
  - This results in lower speed and consumption of more bandwidth.
  - Solution: the Elliptic Curve Cryptography (ECC) system

History of ECC

- In 1985, Neal Koblitz [2] and Victor Miller [3] independently proposed using elliptic curves to design public key cryptographic systems.
- In the late 1990s, ECC was standardized by a number of organizations and started to receive commercial acceptance.
- Nowadays it is mainly used in resource-constrained environments, such as ad-hoc wireless networks and mobile networks.
- There is a trend for conventional public key cryptographic systems to be gradually replaced with ECC systems.
  - As computational power grows, the key sizes of the conventional systems have to be increased dramatically.

II. Elliptic Curves over Real Numbers

Overview

- Elliptic curves have been studied by mathematicians for over a hundred years and have been applied in diverse areas:
  - Number theory: the 1995 proof of Fermat's Last Theorem [4], which states that $x^n + y^n = z^n$ has no nonzero integer solutions $x, y, z$ when the integer $n$ is greater than 2.
  - Modern physics: string theory, where the notion of a point-like particle is replaced by a curve-like string.
  - Elliptic Curve Cryptography: an efficient public key cryptographic system.

Definition

- An elliptic curve E over R (the real numbers) is defined by a Weierstrass equation

  $$E:\; y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6,$$

  where $a_1, a_2, a_3, a_4, a_6 \in K$ (here the field K is $\mathbb{R}$) and $\Delta \neq 0$. $\Delta$ is the discriminant of E and is defined as follows:

  $$d_2 = a_1^2 + 4a_2, \qquad d_4 = 2a_4 + a_1 a_3, \qquad d_6 = a_3^2 + 4a_6,$$
  $$d_8 = a_1^2 a_6 + 4a_2 a_6 - a_1 a_3 a_4 + a_2 a_3^2 - a_4^2,$$
  $$\Delta = -d_2^2 d_8 - 8d_4^3 - 27d_6^2 + 9d_2 d_4 d_6.$$

- Points: a point P is either a pair of coordinates satisfying the equation or $P = \infty$ (the point at infinity, the zero element O). The set of points on E is

  $$E(\mathbb{R}) = \{(x, y) \in \mathbb{R} \times \mathbb{R} : y^2 + a_1 xy + a_3 y - x^3 - a_2 x^2 - a_4 x - a_6 = 0\} \cup \{O\}.$$

Simplified Weierstrass Equations

- When the characteristic of K is not 2 or 3, the Weierstrass equation can be simplified. The change of variables

  $$(x, y) \to \left(x,\; y - \frac{a_1 x + a_3}{2}\right)$$

  removes the $xy$ and $y$ terms, giving an equation with $a_1 = a_3 = 0$ (and correspondingly updated $a_2, a_4, a_6$). Then substituting $x \to x - a_2/3$ and setting

  $$a = a_4 - \frac{a_2^2}{3}, \qquad b = a_6 - \frac{a_2 a_4}{3} + \frac{2a_2^3}{27}$$

  we get one of the simplified Weierstrass equations:

  $$y^2 = x^3 + ax + b.$$

- When the characteristic of K is 2 and $a_1 \neq 0$ (the non-supersingular case), the change of variables

  $$(x, y) \to \left(a_1^2 x + \frac{a_3}{a_1},\; a_1^3 y + \frac{a_1^2 a_4 + a_3^2}{a_1^3}\right)$$

  gives the other important simplified Weierstrass equation:

  $$y^2 + xy = x^3 + ax^2 + b.$$

Example Curves of $y^2 = x^3 + ax + b$ (figure)

Addition law

- The addition law of an elliptic curve E has the following properties (O is the point at infinity):
  - Identity: P + O = O + P = P for all P ∈ E
  - Inverse: P + (−P) = O for all P ∈ E
  - Associativity: P + (R + Q) = (P + R) + Q for all P, Q, R ∈ E
  - Commutativity: P + Q = Q + P for all P, Q ∈ E
- The addition law makes the points of E into an abelian group.

Point addition

- Geometric approach: to add two distinct points P and Q on an elliptic curve, draw the straight line through them. The line intersects the curve at exactly one more point, −R. Reflecting −R about the x-axis gives the point R = P + Q. (If the line is vertical, i.e. Q = −P, the third intersection is the point at infinity and P + Q = O.)

Point doubling

- Geometric approach: to double a point P on an elliptic curve, draw the tangent line to the curve at P. The line intersects the curve at one more point, −R. Reflecting −R about the x-axis gives the point R = 2P. (If the tangent is vertical, i.e. $y_P = 0$, then 2P = O.)

Algebraic Formulae of Point Addition

- For the curve $E: y^2 = x^3 + ax + b$, let $P = (x_P, y_P)$ and $Q = (x_Q, y_Q) \in E$ with $P \neq \pm Q$. Then $R = P + Q = (x_R, y_R)$ is determined by the following formulae:

  $$\lambda = \frac{y_Q - y_P}{x_Q - x_P}, \qquad x_R = \lambda^2 - x_P - x_Q, \qquad y_R = \lambda(x_P - x_R) - y_P.$$

- In the same way, for the curve $E: y^2 + xy = x^3 + ax^2 + b$, $R = P + Q = (x_R, y_R)$ is determined by:

  $$\lambda = \frac{y_P + y_Q}{x_P + x_Q}, \qquad x_R = \lambda^2 + \lambda + x_P + x_Q + a, \qquad y_R = \lambda(x_P + x_R) + x_R + y_P.$$

Algebraic Formulae of Point Doubling

- For the curve $E: y^2 = x^3 + ax + b$, let $P = (x_P, y_P) \in E$ with $P \neq -P$ (i.e. $y_P \neq 0$). Then $R = 2P = (x_R, y_R)$ is determined by the following formulae:

  $$\lambda = \frac{3x_P^2 + a}{2y_P}, \qquad x_R = \lambda^2 - 2x_P, \qquad y_R = \lambda(x_P - x_R) - y_P.$$

- In the same way, for the curve $E: y^2 + xy = x^3 + ax^2 + b$ with $x_P \neq 0$ (if $x_P = 0$ then $2P = O$), $R = 2P = (x_R, y_R)$ is determined by:

  $$\lambda = x_P + \frac{y_P}{x_P}, \qquad x_R = \lambda^2 + \lambda + a, \qquad y_R = x_P^2 + (\lambda + 1)x_R.$$

Example of Point Addition

- Point addition on the curve $y^2 = x^3 - 7x$ (from www.certicom.com), with $P = (-2.35, -1.86)$ and $Q = (-0.1, 0.836)$:

  $$\lambda = \frac{y_Q - y_P}{x_Q - x_P} = \frac{0.836 + 1.86}{-0.1 + 2.35} = 1.1982,$$
  $$x_R = \lambda^2 - x_P - x_Q = 1.1982^2 + 2.35 + 0.1 = 3.89,$$
  $$y_R = \lambda(x_P - x_R) - y_P = 1.1982 \cdot (-2.35 - 3.89) + 1.86 = -5.62.$$

  So $R = P + Q = (3.89, -5.62)$.

Example of Point Doubling

- Point doubling on the curve $y^2 = x^3 - 3x + 5$ (from www.certicom.com), with $P = (2, 2.65)$:

  $$\lambda = \frac{3x_P^2 + a}{2y_P} = \frac{3 \cdot 2^2 - 3}{2 \cdot 2.65} = 1.698,$$
  $$x_R = \lambda^2 - 2x_P = 1.698^2 - 2 \cdot 2 = -1.11,$$
  $$y_R = \lambda(x_P - x_R) - y_P = 1.698 \cdot (2 + 1.11) - 2.65 = 2.64.$$

  So $R = 2P = (-1.11, 2.64)$.

III. Elliptic Curves over Prime Field and Binary Field

Motivation

- Elliptic curves over the real numbers are unsuitable for cryptography:
  - Calculations are slow.
  - Results are inaccurate due to rounding error.
  - The field is infinite.
- Cryptographic schemes need fast and exact arithmetic, so elliptic curves over two finite fields are mostly used:
  - the prime field $\mathbb{F}_p$, where p is a prime, and
  - the binary field $\mathbb{F}_{2^m}$, where m is a positive integer.

EC over F_p

- The equation of an elliptic curve over $\mathbb{F}_p$ is defined as

  $$E:\; y^2 \equiv x^3 + ax + b \pmod p, \qquad \text{where } a, b \in [0, p-1] \text{ and } 4a^3 + 27b^2 \not\equiv 0 \pmod p.$$

- The points on E are denoted as $E(\mathbb{F}_p) = \{(x, y) : x, y \in \mathbb{F}_p \text{ satisfy } y^2 = x^3 + ax + b\} \cup \{O\}$.
- Example: the elliptic curve $y^2 = x^3 + x$ over the prime field $\mathbb{F}_{23}$ (from www.certicom.com). The affine points on the curve are the following 23 points (together with O the group has 24 elements):

  (0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5)
  (13,18) (15,3) (15,20) (16,8) (16,15) (17,10) (17,13) (18,10)
  (18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)

Point Addition and Doubling for EC over F_p

- Point addition ($P \neq \pm Q$):

  $$\lambda = \frac{y_Q - y_P}{x_Q - x_P} \bmod p, \qquad x_R = (\lambda^2 - x_P - x_Q) \bmod p, \qquad y_R = (\lambda(x_P - x_R) - y_P) \bmod p.$$

- Point doubling ($y_P \neq 0$):

  $$\lambda = \frac{3x_P^2 + a}{2y_P} \bmod p, \qquad x_R = (\lambda^2 - 2x_P) \bmod p, \qquad y_R = (\lambda(x_P - x_R) - y_P) \bmod p.$$

  Division by z means multiplication by the modular inverse $z^{-1} \bmod p$.

Example for point addition and doubling

- Let $P = (1, 5)$ and $Q = (9, 18)$ on the curve $y^2 = x^3 + x$ over the prime field $\mathbb{F}_{23}$. Then the point $R = (x_R, y_R) = P + Q$ is calculated as

  $$\lambda = \frac{18 - 5}{9 - 1} \bmod 23 = 13 \cdot 8^{-1} \bmod 23 = 13 \cdot 3 \bmod 23 = 16,$$
  $$x_R = (16^2 - 1 - 9) \bmod 23 = 246 \bmod 23 = 16,$$
  $$y_R = (16 \cdot (1 - 16) - 5) \bmod 23 = -245 \bmod 23 = 8.$$

  So $R = P + Q = (16, 8)$.

- The doubling of P is computed as

  $$\lambda = \frac{3 \cdot 1^2 + 1}{2 \cdot 5} \bmod 23 = 4 \cdot 10^{-1} \bmod 23 = 4 \cdot 7 \bmod 23 = 5,$$
  $$x_R = (5^2 - 2 \cdot 1) \bmod 23 = 23 \bmod 23 = 0,$$
  $$y_R = (5 \cdot (1 - 0) - 5) \bmod 23 = 0.$$

  So $R = 2P = (0, 0)$.

- Point addition and doubling need modular arithmetic (addition, subtraction, multiplication, inversion).

EC over F_2^m

- An elliptic curve E over the finite field $\mathbb{F}_{2^m}$ is given by the equation

  $$y^2 + xy = x^3 + ax^2 + b, \qquad \text{where } x, y, a, b \in \mathbb{F}_{2^m} \text{ and } b \neq 0.$$

- The points on E are denoted as $E(\mathbb{F}_{2^m}) = \{(x, y) : x, y \in \mathbb{F}_{2^m} \text{ satisfy } y^2 + xy = x^3 + ax^2 + b\} \cup \{O\}$.

Example Elliptic Curve over F_2^m

- Assume the finite field $\mathbb{F}_{2^4}$ is constructed with the irreducible polynomial $f(x) = x^4 + x + 1$. The element g = (0010) is a generator of the multiplicative group of the field. The powers of g are:

  g^0 = (0001)  g^1 = (0010)  g^2 = (0100)  g^3 = (1000)  g^4 = (0011)  g^5 = (0110)
  g^6 = (1100)  g^7 = (1011)  g^8 = (0101)  g^9 = (1010)  g^10 = (0111) g^11 = (1110)
  g^12 = (1111) g^13 = (1101) g^14 = (1001) g^15 = (0001)

- Consider the elliptic curve $y^2 + xy = x^3 + g^4 x^2 + 1$ (from www.certicom.com). Its 15 affine points (16 points in all, together with O) are:

  (1, g^13) (g^3, g^13) (g^5, g^11) (g^6, g^14) (g^9, g^13) (g^10, g^8) (g^12, g^12)
  (1, g^6)  (g^3, g^8)  (g^5, g^3)  (g^6, g^8)  (g^9, g^10) (g^10, g)   (g^12, 0)   (0, 1)

Point Addition and Doubling over F_2^m

- Let $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$, $P \neq \pm Q$, on the curve $y^2 + xy = x^3 + ax^2 + b$. Then $R = P + Q$ is computed as:

  $$\lambda = \frac{y_P + y_Q}{x_P + x_Q}, \qquad x_R = \lambda^2 + \lambda + x_P + x_Q + a, \qquad y_R = \lambda(x_P + x_R) + x_R + y_P.$$

- Let $P = (x_P, y_P)$, $x_P \neq 0$, on the same curve. Then $R = 2P$ is computed as:

  $$\lambda = x_P + \frac{y_P}{x_P}, \qquad x_R = \lambda^2 + \lambda + a, \qquad y_R = x_P^2 + (\lambda + 1)x_R.$$

- Note that all calculations are performed using the rules of arithmetic in $\mathbb{F}_{2^m}$; in particular the negative of a point is $-P = (x_P, x_P + y_P)$.

An Example of Point Addition and Doubling over F_2^m

- Let $P = (g^5, g^3)$ and $Q = (g^9, g^{13})$ on the curve $y^2 + xy = x^3 + g^4 x^2 + 1$ over $\mathbb{F}_{2^4}$. Then $R = (x_R, y_R) = P + Q$ is computed as:

  $$\lambda = \frac{y_P + y_Q}{x_P + x_Q} = \frac{g^3 + g^{13}}{g^5 + g^9} = \frac{g^8}{g^6} = g^2,$$
  $$x_R = \lambda^2 + \lambda + x_P + x_Q + a = g^4 + g^2 + g^5 + g^9 + g^4 = g^3,$$
  $$y_R = \lambda(x_P + x_R) + x_R + y_P = g^2(g^5 + g^3) + g^3 + g^3 = g^{13}.$$

  So $R = P + Q = (g^3, g^{13})$.

- For the same point $P = (g^5, g^3)$, $R = 2P$ is computed as:

  $$\lambda = x_P + \frac{y_P}{x_P} = g^5 + \frac{g^3}{g^5} = g^5 + g^{13} = g^7,$$
  $$x_R = \lambda^2 + \lambda + a = g^{14} + g^7 + g^4 = 1,$$
  $$y_R = x_P^2 + (\lambda + 1)x_R = g^{10} + (g^7 + 1) \cdot 1 = g^{13}.$$

  So $R = 2P = (1, g^{13})$.

- Point addition and doubling need polynomial arithmetic in $\mathbb{F}_{2^m}$ (addition, which in characteristic 2 is also subtraction, multiplication and division).
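The binary-field example above, worked in code. This is an added example and not part of the tutorial: it builds $\mathbb{F}_{2^4}$ with the reduction polynomial $f(x) = x^4 + x + 1$, recomputes the power table of g = (0010), enumerates the points of $y^2 + xy = x^3 + g^4 x^2 + 1$, and checks the sum $P + Q$ and the doubling $2P$ against the values on this page. Field elements are 4-bit integers (g^4 = (0011) is 0b0011); the function names are this example's own.

```python
"""Added example (not from the slides): arithmetic in F_{2^4} with f(x) = x^4 + x + 1
and on the binary curve y^2 + xy = x^3 + g^4 x^2 + 1 of pages 25-27 (Certicom's
example). Field elements are 4-bit integers, e.g. g^4 = (0011) = 0b0011."""

M = 4                     # extension degree m
POLY = 0b10011            # reduction polynomial f(x) = x^4 + x + 1
INF = None                # point at infinity O


def gf_add(u, v):
    return u ^ v          # addition (and subtraction) is XOR in characteristic 2


def gf_mul(u, v):
    """Shift-and-XOR multiply, reducing by f(x) whenever the degree reaches m."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if (u >> M) & 1:
            u ^= POLY
    return r


def gf_inv(u):
    """u^(2^m - 2) == u^-1 (Fermat); u must be nonzero."""
    if u == 0:
        raise ZeroDivisionError("0 has no inverse in F_{2^m}")
    r, e = 1, (1 << M) - 2
    while e:
        if e & 1:
            r = gf_mul(r, u)
        u = gf_mul(u, u)
        e >>= 1
    return r


def powers_of(g):
    """g^0, g^1, ..., g^(2^m - 1); for a generator the last entry wraps back to 1."""
    table, cur = [], 1
    for _ in range(1 << M):
        table.append(cur)
        cur = gf_mul(cur, g)
    return table


G = powers_of(0b0010)     # G[i] == g^i for g = x
A, B = G[4], 1            # curve coefficients a = g^4, b = 1


def on_curve(P):
    if P is INF:
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A, x2) ^ B


def neg(P):
    return INF if P is INF else (P[0], P[0] ^ P[1])   # -(x, y) = (x, x + y)


def add(P, Q):
    """Page 26 formulas; all arithmetic in F_{2^m}."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq:
        if yp != yq or xp == 0:             # Q == -P, or doubling a point with x == 0
            return INF
        lam = xp ^ gf_mul(yp, gf_inv(xp))   # tangent slope x_P + y_P / x_P
        xr = gf_mul(lam, lam) ^ lam ^ A
        yr = gf_mul(xp, xp) ^ gf_mul(lam ^ 1, xr)
    else:
        lam = gf_mul(yp ^ yq, gf_inv(xp ^ xq))   # chord slope (y_P + y_Q) / (x_P + x_Q)
        xr = gf_mul(lam, lam) ^ lam ^ xp ^ xq ^ A
        yr = gf_mul(lam, xp ^ xr) ^ xr ^ yp
    return (xr, yr)


def points():
    """E(F_16) by brute force: 15 affine points plus O."""
    return [INF] + [(x, y) for x in range(1 << M) for y in range(1 << M) if on_curve((x, y))]


def log_g(u):
    """Discrete log to base g by table lookup (only sensible in a 16-element field)."""
    return G.index(u)


if __name__ == "__main__":
    P, Q = (G[5], G[3]), (G[9], G[13])
    xr, yr = add(P, Q)
    print("P + Q = (g^%d, g^%d)" % (log_g(xr), log_g(yr)))
    xr, yr = add(P, P)
    print("2P = (g^%d, g^%d)" % (log_g(xr), log_g(yr)))
    print("#E =", len(points()))
```

Every field operation is an XOR or a shift, which is why binary curves map well onto hardware; the brute-force point enumeration is only there to confirm the 16-element group of this page and is not how point counting is done for real curves.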

Point Representation

- The usual (x, y) pairs are called affine coordinates. They have a disadvantage in point addition and doubling: expensive field inversions are involved.
- An affine point (x, y) can be represented by a triple (X, Y, Z), called projective coordinates. The relationship between (x, y) and (X, Y, Z) is

  $$(X, Y, Z) = (\lambda^c x,\; \lambda^d y,\; \lambda), \quad \lambda \neq 0, \qquad (x, y) = \left(\frac{X}{Z^c}, \frac{Y}{Z^d}\right).$$

- Different choices of c and d give different coordinate systems, such as standard projective (c = 1, d = 1) [5], Jacobian (c = 2, d = 3) [5] and López-Dahab (c = 1, d = 2) [6].
- Projective coordinates avoid the expensive inversions, at the price of more field multiplications. If the inversion/multiplication cost ratio is large, point addition in projective coordinates is cheaper than in affine coordinates.

Usage of Elliptic Curves

- An elliptic curve over $\mathbb{F}_p$ is called a prime curve; an elliptic curve over $\mathbb{F}_{2^m}$ is called a binary curve.
- As pointed out in [7], prime curves are best for software applications: they do not need the extended bit-fiddling operations required by binary curves.
- As shown in [7], binary curves are best for hardware applications: they take fewer logic gates to build a cryptosystem than prime curves.

Elliptic Curve Cryptography (ECC)

- Elliptic curves are used to construct public key cryptosystems.
- The private key d is randomly selected from [1, n−1], where n is the order of the base point P on the curve. The public key is the point Q = dP.
- As with conventional cryptosystems, once the key pair (d, Q) is generated, a variety of schemes such as signatures, encryption/decryption and key management can be built on it.
- Computing dP is called scalar multiplication. It is used not only for computing the public key but also for signing, encryption and key agreement in ECC systems.

Scalar Multiplication

- Intuitive approach: dP = P + P + … + P (d times). It requires d − 1 point additions on the elliptic curve.
- Observation: to compute 17P, we can start with 2P, double it, double twice more, and finally add P, i.e. 17P = 2(2(2(2P))) + P. This needs only 4 point doublings and one point addition instead of 16 point additions. Generalizing this idea gives the double-and-add algorithm.

Double-and-Add algorithm

- Let $d = (d_{t-1}, d_{t-2}, \ldots, d_0)_2$ be the binary representation of d, so that $d = \sum_{i=0}^{t-1} d_i 2^i$. Then

  $$dP = \sum_{i=0}^{t-1} d_i (2^i P) = d_0 P + d_1 (2P) + \cdots + d_{t-1} (2^{t-1} P)$$
  $$\quad = 2(2(\cdots 2(2\, d_{t-1} P + d_{t-2} P) + \cdots) + d_1 P) + d_0 P.$$

- Double-and-add algorithm:
  Input: $d = (d_{t-1}, d_{t-2}, \ldots, d_0)_2$, $P \in E$.
  1. Q ← O
  2. For i from 0 to t−1 do
     2.1 If $d_i = 1$ then Q ← Q + P
     2.2 P ← 2P
  Output: dP = Q
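The prime-field formulas of page 22 and the double-and-add algorithm above, in code. This is an added example and not part of the tutorial: it implements affine point addition and doubling over $\mathbb{F}_p$, checks them against the $\mathbb{F}_{23}$ example of pages 21 and 23 (P + Q = (16, 8), 2P = (0, 0), 24 points), and then computes dP three ways: by repeated addition, by the right-to-left double-and-add loop of this page, and by a Montgomery ladder, the variant a practitioner uses because its sequence of curve operations does not depend on the bits of d. The curve and points are the slides' own; the function names are this example's.

```python
"""Added example (not from the slides): affine arithmetic on y^2 = x^3 + a*x + b over
F_p, checked against the slides' curve y^2 = x^3 + x over F_23 (pages 21 and 23), and
scalar multiplication by repeated addition versus double-and-add (pages 31 and 32)."""

INF = None  # the point at infinity O


def on_curve(P, a, b, p):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def neg(P, p):
    return INF if P is INF else (P[0], -P[1] % p)


def add(P, Q, a, p):
    """P + Q with the chord slope (P != Q) or the tangent slope (P == Q), page 22."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % p == 0:            # Q == -P, including 2*(x, 0) == O
        return INF
    if P == Q:
        lam = (3 * xp * xp + a) * pow(2 * yp, -1, p) % p
    else:
        lam = (yq - yp) * pow(xq - xp, -1, p) % p   # pow(z, -1, p) is z^-1 mod p
    xr = (lam * lam - xp - xq) % p
    yr = (lam * (xp - xr) - yp) % p
    return (xr, yr)


def points(a, b, p):
    """E(F_p) by brute force; fine for a toy field, hopeless for a real one."""
    return [INF] + [(x, y) for x in range(p) for y in range(p) if on_curve((x, y), a, b, p)]


def naive_mul(d, P, a, p):
    """dP as P + P + ... + P: d - 1 additions, i.e. exponential in the size of d."""
    R = INF
    for _ in range(d):
        R = add(R, P, a, p)
    return R


def double_and_add(d, P, a, p):
    """Right-to-left double-and-add exactly as on page 32, scanning d_0 .. d_{t-1}."""
    Q = INF
    while d:
        if d & 1:
            Q = add(Q, P, a, p)
        P = add(P, P, a, p)
        d >>= 1
    return Q


def montgomery_ladder(d, P, a, p, t):
    """Same result as double_and_add, but one addition and one doubling per bit
    whatever the bit is, so the sequence of curve operations does not depend on d.
    (Python big-int arithmetic is still not constant time; this only removes the
    operation-count leak of the textbook loop.)"""
    R0, R1 = INF, P                                 # invariant: R1 == R0 + P
    for i in reversed(range(t)):                    # t = number of bits to process
        if (d >> i) & 1:
            R0, R1 = add(R0, R1, a, p), add(R1, R1, a, p)
        else:
            R1, R0 = add(R0, R1, a, p), add(R0, R0, a, p)
    return R0


def order(P, a, p):
    """Smallest k >= 1 with kP == O (brute force)."""
    k, R = 1, P
    while R is not INF:
        R = add(R, P, a, p)
        k += 1
    return k


if __name__ == "__main__":
    A, B, PRIME = 1, 0, 23                          # y^2 = x^3 + x over F_23
    P, Q = (1, 5), (9, 18)
    print("P + Q =", add(P, Q, A, PRIME), " 2P =", add(P, P, A, PRIME))
    print("#E(F_23) =", len(points(A, B, PRIME)), " order of P =", order(P, A, PRIME))
    print("17P:", naive_mul(17, P, A, PRIME), double_and_add(17, P, A, PRIME),
          montgomery_ladder(17, P, A, PRIME, 5))
```

On this curve the point P = (1, 5) has order 4 (2P = (0, 0) has y = 0, so 4P = O), which is why 17P comes out as P again; a base point for cryptographic use must have a large prime order, as section IV explains.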

IV. Security Strength of ECC System

Complexity of an Algorithm

- Definition: let A be an algorithm whose input has bit-length n.
  - A is a polynomial-time algorithm if its running time is $O(n^c)$ for some constant c > 0, e.g. $n^{10}$.
  - A is a subexponential-time algorithm if its running time is $O(e^{o(n)})$ but not polynomial, e.g. $e^{n^{1/3}}$.
  - A is an exponential-time algorithm if its running time is $O(c^n)$ for some c > 1 or $O(n^{f(n)})$, e.g. $1.1^n$ and $n^{n^2}$.

Security of Public Key Cryptosystems

- A public key cryptosystem is constructed on the hardness of some mathematical problem:
  - RSA depends on the intractability of the integer factorization problem.
  - The DH protocol relies on the hardness of the discrete logarithm problem.
  - ECC is secure because of the elliptic curve discrete logarithm problem (ECDLP).
- A public key cryptosystem consists of a private key that is kept secret and a public key that is accessible to everyone.
- The straightforward way to break a public key cryptosystem is to derive the private key from the public key. The computation required is equivalent to solving the underlying hard mathematical problem.

RSA

- RSA key pair generation:
  - Randomly select two large primes p and q with p ≠ q.
  - Compute n = pq and φ = (p − 1)(q − 1).
  - Select an arbitrary integer e with 1 < e < φ and gcd(e, φ) = 1.
  - Compute the integer d satisfying 1 < d < φ and ed ≡ 1 (mod φ).
  - The public key is (n, e), the private key is d.
- Observation: if we can derive the primes p and q from n, then φ = (p − 1)(q − 1) can be computed. This enables the determination of the private key $d \equiv e^{-1} \pmod{\varphi}$.
- Multiplying two primes together is easy, but factoring the product of two large primes is much more difficult.

Factoring problem

- Definition: given a positive integer n = pq, find its prime factors p and q.
- The best published algorithm for the factoring problem is the general number field sieve (GNFS), whose running time for a number n is

  $$L_n[1/3,\, 1.923] = O\!\left(e^{1.923\,(\log n)^{1/3} (\log \log n)^{2/3}}\right).$$

- GNFS is a subexponential-time algorithm.

Diffie-Hellman

- DH key pair generation:
  - Let p be a prime and q a prime divisor of p − 1; G is the subgroup of order q of $\mathbb{Z}_p^*$, with generator g.
  - Randomly select x from [1, q − 1].
  - Compute $y = g^x \bmod p$. The public key is y, the private key is x.
- Observation: $x = \log_g y$ in G; x is called the discrete logarithm of y to the base g.
- Given g, x and p, it is trivial to calculate y. However, given y, g and p, it is difficult to calculate x.

Discrete Logarithm Problem

- Definition: given a prime p, a generator g and an element y of the group G, find the integer x such that $y = g^x \bmod p$.
- The fastest known algorithm for the discrete logarithm problem in $\mathbb{Z}_p^*$ is a number field sieve variant with the same subexponential running time as GNFS.

ECC

- Key pair generation:
  - Randomly select d ∈ [1, n − 1], where n is the order of the base point P.
  - Compute Q = dP; P and Q are points on the curve.
  - The public key is Q, the private key is d.
- The naive algorithm to derive d from Q computes the sequence of points P, 2P, 3P, 4P, … until Q = dP is reached.
- Hasse's Theorem: the number of points of $E(\mathbb{F}_q)$, denoted $\#E(\mathbb{F}_q)$, satisfies

  $$\#E(\mathbb{F}_q) = q + 1 - t, \qquad |t| \le 2\sqrt{q}.$$

- Usually q is a large prime of more than 160 bits, so $\#E(\mathbb{F}_q)$ is of the same size. Thus it is computationally infeasible to find d from Q with the naive algorithm.

Elliptic Curve Discrete Logarithm Problem (ECDLP)

- Definition: given an elliptic curve E defined over a finite field $\mathbb{F}_q$, a point $P \in E(\mathbb{F}_q)$ of order n, and a point $Q \in \langle P \rangle$, find the integer $d \in [0, n-1]$ such that Q = dP.
- The fastest known algorithm for solving the ECDLP on a general curve is Pollard's rho algorithm, with an expected running time of about

  $$\sqrt{\pi n / 2}$$

  point operations, i.e. $O(\sqrt{n})$.
- Pollard's rho algorithm is an exponential-time algorithm in the bit-length of n.

Key Size Comparison

NIST recommended key sizes (in bits):

  Symmetric algorithm | RSA and DH | ECC
  --------------------|------------|-----
          56          |    512     | 112
          80          |   1024     | 160
         112          |   2048     | 224
         128          |   3072     | 256
         192          |   7680     | 384
         256          |  15360     | 521

- The reason is that there exist subexponential-time algorithms for the factoring and discrete logarithm problems, whilst only exponential-time algorithms are known for the ECDLP.

Selecting an Appropriate Elliptic Curve

- Conditions to be satisfied:
  - $\#E(\mathbb{F}_q)$ should be divisible by a sufficiently large prime n, in order to resist the Pollard ρ attack.
  - $\#E(\mathbb{F}_q)$ should not equal q (anomalous curves), to avoid the Semaev-Smart-Satoh-Araki attack.
  - To resist the MOV reduction attack, n should not divide $q^k - 1$ for any $1 \le k \le 30$.
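The conditions of pages 40 to 43 as a check a practitioner can run on the integers (q, #E, n) that come with a set of domain parameters. This is an added example, not part of the tutorial: it tests the Hasse bound, that n is a prime large enough against Pollard rho, that the curve is not anomalous, and the MOV embedding degree. The $\mathbb{F}_{23}$ curve of page 21 (24 points, largest prime factor 3) fails as expected; NIST P-256 is assumed to have its published p and n with cofactor 1 (values not listed on this page) and passes. The MOV bound is a parameter because the slides check up to k = 30 while SEC 1 v2 checks up to 100. The Miller-Rabin test and the function names are this example's own.

```python
"""Added example (not from the slides): sanity checks on candidate EC domain parameters
(q, #E, n) from pages 40-43: Hasse bound, large prime order n for the base point
(Pollard rho), the anomalous-curve test and the MOV embedding degree."""


def is_probable_prime(n):
    """Miller-Rabin with the first twelve primes as bases (deterministic below 3.3e24,
    an overwhelming-probability check above that)."""
    small = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    if n in small:
        return True
    if any(n % s == 0 for s in small):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in small:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def embedding_degree(q, n, bound):
    """Smallest k <= bound with q^k == 1 (mod n), or None if there is none.
    The MOV reduction maps the ECDLP into the DLP of F_{q^k}, so k must be large."""
    for k in range(1, bound + 1):
        if pow(q, k, n) == 1:
            return k
    return None


def check_domain_params(q, num_points, n, security_bits, mov_bound=30):
    """Return the list of violated conditions (an empty list means the parameters pass).
    q: field size, num_points: #E(F_q), n: order of the base point,
    security_bits: the symmetric strength aimed for (table on page 42)."""
    problems = []
    if (num_points - q - 1) ** 2 > 4 * q:              # Hasse: |#E - q - 1| <= 2*sqrt(q)
        problems.append("point count violates the Hasse bound")
    if num_points % n != 0:
        problems.append("n does not divide #E(F_q)")
    if not is_probable_prime(n):
        problems.append("n is not prime")
    if n.bit_length() < 2 * security_bits:           # Pollard rho: about sqrt(n) operations
        problems.append("n too small: Pollard rho costs only ~2^%d operations" % (n.bit_length() // 2))
    if num_points == q:
        problems.append("anomalous curve: #E == q")
    k = embedding_degree(q, n, mov_bound)
    if k is not None:
        problems.append("MOV: n divides q^%d - 1" % k)
    return problems


# Page 21: y^2 = x^3 + x over F_23 has 24 points; the largest prime dividing 24 is 3.
TOY = dict(q=23, num_points=24, n=3, security_bits=80)

# NIST P-256 (the 256-bit ECC row of page 42), assumed values: prime order, cofactor 1.
P256_Q = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
P256 = dict(q=P256_Q, num_points=P256_N, n=P256_N, security_bits=128)

if __name__ == "__main__":
    print("F_23 toy curve:", check_domain_params(**TOY))
    print("P-256:", check_domain_params(**P256, mov_bound=100))
```

The check only validates the integers it is given; it does not count points or verify that the base point actually has order n, which a full domain-parameter validation (as in SEC 1) also does.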

V. Elliptic Curve Protocols

Elliptic Curve Digital Signature Algorithm (ECDSA)

Domain parameters: the curve E, a base point P of prime order n, and a hash function H.
Alice: private key $d_A$, public key $Q_A = d_A P$.

Signature generation (Alice):
  1. Select a random k from [1, n−1].
  2. Compute $kP = (x_1, y_1)$ and $r = x_1 \bmod n$. If r = 0, go to step 1.
  3. Compute e = H(m), where m is the message.
  4. Compute $s = k^{-1}(e + d_A r) \bmod n$. If s = 0, go to step 1.
  (r, s) is Alice's signature on the message m.

Alice → Bob: m, r, s

Signature verification (Bob):
  1. Verify that r and s are in the interval [1, n−1].
  2. Compute e = H(m).
  3. Compute $w = s^{-1} \bmod n$.
  4. Compute $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$.
  5. Compute $X = u_1 P + u_2 Q_A = (x_1, y_1)$. If X = O, reject the signature.
  6. Compute $v = x_1 \bmod n$.
  7. Accept the signature if and only if v = r.

Proof of the correctness of ECDSA

- Proof: if a signature (r, s) on a message m is authentic, then $s = k^{-1}(e + d_A r) \bmod n$. This can be rewritten as

  $$k \equiv s^{-1}(e + d_A r) \equiv s^{-1} e + s^{-1} r d_A \equiv we + wr d_A \equiv u_1 + u_2 d_A \pmod n.$$

  Thus $X = u_1 P + u_2 Q_A = (u_1 + u_2 d_A)P = kP$, so $v = x_1 \bmod n = r$, as required.

Elliptic Curve Diffie-Hellman (ECDH)

Alice: ephemeral key pair generation
  Select a private key $n_A \in [1, n-1]$; calculate the public key $Q_A = n_A P$.
Bob: ephemeral key pair generation
  Select a private key $n_B \in [1, n-1]$; calculate the public key $Q_B = n_B P$.

Alice → Bob: $Q_A$
Bob → Alice: $Q_B$

Alice: shared key computation $K = n_A Q_B$
Bob: shared key computation $K = n_B Q_A$

- Consistency: $K = n_A Q_B = n_A n_B P = n_B Q_A$.
- ECDH on its own does not authenticate the exchanged public keys, so it is vulnerable to a man-in-the-middle attack.

An Example of ECDH

- Alice and Bob make a key agreement over the following prime, curve and point: $p = 3851$, $E: y^2 = x^3 + 324x + 1287$, $P = (920, 303) \in E(\mathbb{F}_{3851})$.
- Alice chooses the private key $n_A = 1194$, computes $Q_A = 1194P = (2067, 2178) \in E(\mathbb{F}_{3851})$ and sends it to Bob.
- Bob chooses the private key $n_B = 1759$, computes $Q_B = 1759P = (3684, 3125) \in E(\mathbb{F}_{3851})$ and sends it to Alice.
- Alice computes $n_A Q_B = 1194 \cdot (3684, 3125) = (3347, 1242) \in E(\mathbb{F}_{3851})$.
- Bob computes $n_B Q_A = 1759 \cdot (2067, 2178) = (3347, 1242) \in E(\mathbb{F}_{3851})$.
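The ECDH exchange above and the ECDSA scheme of pages 45 and 46, in code. This is an added example and not part of the tutorial. It reproduces the exchange on the page's curve over $\mathbb{F}_{3851}$ with the page's private keys, and runs ECDSA on a small curve constructed for this example and not found on the page: $y^2 = x^3 + 2x + 2$ over $\mathbb{F}_{17}$ with base point G = (5, 1) of prime order n = 19, chosen so that every nonzero residue mod n is invertible. Point arithmetic is done in Jacobian coordinates (page 28), so a scalar multiplication costs one field inversion instead of one per point operation. The test message, the nonce values and the nonce-reuse recovery function are this example's own additions; the latter is the standard consequence of violating the "select a random k" step and is why k must never repeat.

```python
"""Added example (not from the slides): the ECDH exchange of page 48 on its curve over
F_3851, and ECDSA (page 45) on a constructed toy curve of prime order. Points are kept
in Jacobian projective coordinates (page 28), so a whole scalar multiplication costs
one field inversion instead of one per point operation."""
import hashlib
import secrets


class PrimeCurve:
    """y^2 = x^3 + a*x + b over F_p; a point is (X, Y, Z) with x = X/Z^2, y = Y/Z^3,
    and Z == 0 encodes the point at infinity O. G is affine, n is the order of G."""
    INF = (1, 1, 0)

    def __init__(self, p, a, b, G, n):
        self.p, self.a, self.b, self.G, self.n = p, a, b, G, n

    def affine(self, P):
        X, Y, Z = P
        if Z == 0:
            return None
        zi = pow(Z, -1, self.p)                      # the only inversion
        return (X * zi * zi % self.p, Y * pow(zi, 3, self.p) % self.p)

    def double(self, P):
        X1, Y1, Z1 = P
        p = self.p
        if Z1 == 0 or Y1 == 0:                       # 2*O == O and 2*(x, 0) == O
            return self.INF
        S = 4 * X1 * Y1 * Y1 % p
        M = (3 * X1 * X1 + self.a * pow(Z1, 4, p)) % p
        X3 = (M * M - 2 * S) % p
        return (X3, (M * (S - X3) - 8 * pow(Y1, 4, p)) % p, 2 * Y1 * Z1 % p)

    def add(self, P, Q):
        if P[2] == 0:
            return Q
        if Q[2] == 0:
            return P
        p = self.p
        (X1, Y1, Z1), (X2, Y2, Z2) = P, Q
        U1, U2 = X1 * Z2 * Z2 % p, X2 * Z1 * Z1 % p
        S1, S2 = Y1 * pow(Z2, 3, p) % p, Y2 * pow(Z1, 3, p) % p
        if U1 == U2:                                 # same x: P == Q or Q == -P
            return self.double(P) if S1 == S2 else self.INF
        H, R = (U2 - U1) % p, (S2 - S1) % p
        H2, H3 = H * H % p, H * H * H % p
        X3 = (R * R - H3 - 2 * U1 * H2) % p
        return (X3, (R * (U1 * H2 - X3) - S1 * H3) % p, H * Z1 * Z2 % p)

    def mul(self, d, P):
        """Left-to-right double-and-add of the affine point P; returns a Jacobian point."""
        R, PJ = self.INF, (P[0], P[1], 1)
        for bit in bin(d)[2:]:
            R = self.double(R)
            if bit == "1":
                R = self.add(R, PJ)
        return R


def ecdh_shared(c, my_priv, their_pub):          # K = n_A * Q_B == n_B * Q_A, affine
    return c.affine(c.mul(my_priv, their_pub))


def hash_to_int(c, msg):                          # e = H(m); reduced mod n for this toy
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % c.n


def ecdsa_sign(c, d, e, k=None):
    """Page 45 steps 1-4 on a pre-hashed e. k MUST be fresh and uniform per signature."""
    while True:
        k_used = k if k is not None else secrets.randbelow(c.n - 1) + 1
        r = c.affine(c.mul(k_used, c.G))[0] % c.n
        s = pow(k_used, -1, c.n) * (e + d * r) % c.n
        if r and s:
            return r, s
        k = None                                     # degenerate r or s: draw a new nonce


def ecdsa_verify(c, Q, e, sig):
    r, s = sig
    if not (1 <= r < c.n and 1 <= s < c.n):          # step 1: range check before inverting s
        return False
    w = pow(s, -1, c.n)
    X = c.add(c.mul(e * w % c.n, c.G), c.mul(r * w % c.n, Q))
    return X[2] != 0 and c.affine(X)[0] % c.n == r   # X == O is rejected


def recover_d_from_nonce_reuse(c, r, s1, e1, s2, e2):
    """Two signatures sharing r (same k): k = (e1-e2)/(s1-s2), d = (s1*k-e1)/r (mod n)."""
    k = (e1 - e2) * pow(s1 - s2, -1, c.n) % c.n
    return (s1 * k - e1) * pow(r, -1, c.n) % c.n


# Page 48: p = 3851, y^2 = x^3 + 324x + 1287, P = (920, 303); ECDH does not need n.
ECDH_CURVE = PrimeCurve(3851, 324, 1287, (920, 303), None)
# Constructed toy curve (assumption, not from the slides): y^2 = x^3 + 2x + 2 over F_17,
# G = (5, 1) of prime order n = 19, so every nonzero residue mod n is invertible.
ECDSA_CURVE = PrimeCurve(17, 2, 2, (5, 1), 19)

if __name__ == "__main__":
    c = ECDH_CURVE
    QA, QB = c.affine(c.mul(1194, c.G)), c.affine(c.mul(1759, c.G))
    print("Q_A", QA, "Q_B", QB, "K", ecdh_shared(c, 1194, QB), ecdh_shared(c, 1759, QA))
    t, d = ECDSA_CURVE, 7
    Q, e = t.affine(t.mul(d, t.G)), hash_to_int(t, b"constructed message")
    print("ECDSA verifies:", ecdsa_verify(t, Q, e, ecdsa_sign(t, d, e)))
```

Swapping in the parameters of a standard curve (p, a, b, G, n) makes the same code sign and verify at real sizes; what it does not provide is constant-time arithmetic, so it is for understanding the protocols, not for production use.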

Authenticated Key Agreement Protocol ECMQV

Alice holds the static key pair $(Q_A, d_A)$ and Bob holds $(Q_B, d_B)$. For a point R, $\bar{R}$ denotes the integer representation of its x-coordinate; h is the cofactor (one of the EC domain parameters); KDF is a key derivation function and $x_Z$ is the x-coordinate of Z.

Message flow:
  1. Alice → Bob: $ID_A, R_A$
  2. Bob → Alice: $ID_B, R_B, t_B = MAC_{k_1}(2, ID_B, ID_A, R_B, R_A)$
  3. Alice → Bob: $t_A = MAC_{k_1}(3, ID_A, ID_B, R_A, R_B)$

1. Alice selects a random $k_A$ from [1, n−1], computes the ephemeral public key $R_A = k_A P$ and sends $ID_A, R_A$ to Bob.
2. On receiving message 1, Bob does the following:
   2.1 Generates the ephemeral key pair $k_B$, $R_B = k_B P$.
   2.2 Computes $s_B = (k_B + \bar{R}_B d_B) \bmod n$ and $Z = h s_B (R_A + \bar{R}_A Q_A)$.
   2.3 $(k_1, k_2) \leftarrow KDF(x_Z)$.
   2.4 Computes $t_B = MAC_{k_1}(2, ID_B, ID_A, R_B, R_A)$.
   2.5 Sends $ID_B, R_B, t_B$ to Alice.
3. On receiving message 2, Alice does the following:
   3.1 Computes $s_A = (k_A + \bar{R}_A d_A) \bmod n$ and $Z = h s_A (R_B + \bar{R}_B Q_B)$.
   3.2 $(k_1, k_2) \leftarrow KDF(x_Z)$.
   3.3 Computes $t = MAC_{k_1}(2, ID_B, ID_A, R_B, R_A)$ and verifies that $t = t_B$.
   3.4 Computes $t_A = MAC_{k_1}(3, ID_A, ID_B, R_A, R_B)$.
   3.5 Sends $t_A$ to Bob.
4. On receiving message 3, Bob computes $t = MAC_{k_1}(3, ID_A, ID_B, R_A, R_B)$ and verifies that $t = t_A$.

Z is the shared secret; $k_1$ is used only for the MACs and $k_2$ is the session key derived from Z.


Explanation of ECMQV


• ECMQV resists the man-in-the-middle attack because the long-term keys dA, dB (and hence QA, QB) enter the computation of Z.

• The quantity sA = (kA + R̄A dA) mod n serves as an implicit signature for Alice. It is a signature in the sense that only a person who knows Alice's private key dA can produce sA. Bob never sees sA but verifies it indirectly: he relies on the identity sA P = RA + R̄A QA and computes the right-hand side from public values only, so his Z agrees with Alice's only if Alice knows dA.

• In the same way, the quantity sB = (kB + R̄B dB) mod n serves as an implicit signature for Bob.

• The shared secret between Alice and Bob is Z:
  Bob computes Z = h sB (RA + R̄A QA) = h sB sA P
  Alice computes Z = h sA (RB + R̄B QB) = h sA sB P

• The MACs tB and tA provide key confirmation: each party demonstrates that it derived the same k1, and hence the same Z, and the MAC inputs bind the identities and ephemeral keys of this run, so the messages exchanged between Alice and Bob are authentic and cannot be altered without detection.
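The ECDH example above and the three-message ECMQV exchange, as one added Python example that is not from the slides or from Hankerson's book. It implements affine point arithmetic on the page's toy curve (p = 3851, y^2 = x^3 + 324x + 1287, P = (920, 303)), computes the order n of P and the cofactor h by brute force because the slides do not state them, runs ECDH with nA = 1194 and nB = 1759 after validating the received points, and then runs ECMQV. SHA-256 as the KDF, HMAC-SHA256 as the MAC, the identity strings, the ECMQV private keys and the simplified R̄ (the whole x-coordinate, as on the slides) are assumed choices.

```python
# Added example, not from the slides: ECDH and ECMQV over the page's toy curve
# p = 3851, y^2 = x^3 + 324x + 1287, P = (920, 303).  The slides give neither the
# order n of P nor the cofactor h, so both are computed by brute force below;
# SHA-256 as KDF and HMAC-SHA256 as MAC are assumed choices.
import hashlib
import hmac

p, a, b = 3851, 324, 1287
P = (920, 303)
O = None                                   # point at infinity

def on_curve(pt):
    return pt is O or (pt[1] ** 2 - (pt[0] ** 3 + a * pt[0] + b)) % p == 0

def add(p1, p2):
    """Affine point addition/doubling over F_p (textbook, not constant time)."""
    if p1 is O or p2 is O:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                           # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc, addend = O, pt
    while k > 0:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc

def curve_order():
    """#E(F_p): one point per root of x^3+ax+b, two per quadratic residue, plus O."""
    count = 1
    for x in range(p):
        r = (x ** 3 + a * x + b) % p
        count += 1 if r == 0 else 2 if pow(r, (p - 1) // 2, p) == 1 else 0
    return count

def point_order(pt):
    k, q = 1, pt
    while q is not O:
        q, k = add(q, pt), k + 1
    return k

n = point_order(P)                         # order of the base point
h = curve_order() // n                     # cofactor

def validate(Q):
    """Public-key validation: reject O, off-curve points and points outside <P>."""
    if Q is O or not on_curve(Q) or mul(n, Q) is not O:
        raise ValueError("invalid public key")
    return Q

def ecdh(nA=1194, nB=1759):
    """Plain ECDH with the slides' private keys; returns (QA, QB, K_Alice, K_Bob)."""
    QA, QB = mul(nA, P), mul(nB, P)        # sent in the clear, unauthenticated
    return QA, QB, mul(nA, validate(QB)), mul(nB, validate(QA))

def rbar(R):
    # Slides: the integer value of the x-coordinate.  The standardised protocol
    # uses (x mod 2^ceil(f/2)) + 2^ceil(f/2), f being the bit length of n.
    return R[0]

def kdf(Z):
    d = hashlib.sha256(Z[0].to_bytes(2, "big")).digest()   # x_Z < 2^16 here
    return d[:16], d[16:]                  # k1 keys the MACs, k2 is the session key

def mac(key, *fields):
    return hmac.new(key, "|".join(map(str, fields)).encode(), hashlib.sha256).digest()

def mqv_secret(k_own, d_own, R_own, R_peer, Q_peer):
    """s = (k + rbar(R) d) mod n and Z = h s (R_peer + rbar(R_peer) Q_peer)."""
    s = (k_own + rbar(R_own) * d_own) % n
    Z = mul(h * s, add(R_peer, mul(rbar(R_peer), Q_peer)))
    if Z is O:
        raise ValueError("shared secret is the point at infinity")
    return s, Z

def ecmqv(dA, dB, kA, kB):
    """Three-message ECMQV of the slides; returns (Z_Alice, Z_Bob, k2_Alice, k2_Bob)."""
    QA, QB = mul(dA, P), mul(dB, P)        # long-term public keys
    RA = validate(mul(kA, P))              # message 1: IDA, RA
    RB = validate(mul(kB, P))
    sB, ZB = mqv_secret(kB, dB, RB, RA, QA)                 # Bob, 2.1-2.2
    k1B, k2B = kdf(ZB)                                      # 2.3
    tB = mac(k1B, 2, "IDB", "IDA", RB, RA)                  # message 2: IDB, RB, tB
    sA, ZA = mqv_secret(kA, dA, RA, RB, QB)                 # Alice, 3.1
    k1A, k2A = kdf(ZA)                                      # 3.2
    if not hmac.compare_digest(tB, mac(k1A, 2, "IDB", "IDA", RB, RA)):
        raise ValueError("Bob's key confirmation failed")   # 3.3
    tA = mac(k1A, 3, "IDA", "IDB", RA, RB)                  # message 3: tA
    if not hmac.compare_digest(tA, mac(k1B, 3, "IDA", "IDB", RA, RB)):
        raise ValueError("Alice's key confirmation failed") # 4
    # the implicit signature Bob relies on: sA*P == RA + rbar(RA)*QA
    assert mul(sA, P) == add(RA, mul(rbar(RA), QA))
    return ZA, ZB, k2A, k2B
```

`ecdh()` reproduces the slide's values (QA = (2067, 2178), QB = (3684, 3125), K = (3347, 1242)), and `ecmqv(1194, 1759, kA, kB)` yields the same Z and k2 on both sides for any ephemeral keys in [1, n-1]. Nothing here is constant time or side-channel safe; the point is the protocol logic, including the public-key validation and the abort on Z = O that the slides leave implicit.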


VI. Patents and Standards


ECC System Structure


Patents

• The general idea of ECC was not patented [8], but there are a number of patents on efficient implementation, from the underlying layer (finite field arithmetic) up to the highest layer (protocols).

• The patent situation for elliptic curve cryptosystems is thus the opposite of that for RSA and Diffie-Hellman, where the cryptosystems themselves were patented but efficient implementation techniques often were not [8].

• Certicom holds more than 130 patents related to ECC. In 2003 the NSA licensed 26 of them for about US$25 million; the licence covers the prime field curves with 256, 384 and 521 bit primes (the NIST curves P-256, P-384 and P-521).

• Certicom was taken over by RIM (Research In Motion) in 2009 for an offer of about C$130 million.


Standards

Standard         Title
NIST SP 800-56   Recommendation for Pair-Wise Key Establishment Schemes (SP 800-56A covers the discrete logarithm schemes, including ECDH and ECMQV)
ISO/IEC 15946    Information technology — Security techniques — Cryptographic techniques based on elliptic curves
IEEE P1363       Standard Specifications for Public-Key Cryptography
ANSI X9.63       Public Key Cryptography for the Financial Services Industry: Key Agreement and Key Transport Using Elliptic Curve Cryptography


VII. Final Remarks


Final Remarks

• The mathematical background of ECC is more complex than that of other public key systems: geometry, abstract algebra and number theory.

• ECC offers the same security level as the first generation public key techniques (RSA and Diffie-Hellman) with much shorter keys, and therefore better performance. This matters most for
  - mobile systems with limited CPU, memory and bandwidth;
  - systems that require a high security level (for example, key agreement matching 256 bit AES, which needs a 15360 bit RSA modulus but only a 521 bit elliptic curve key).

• The next step is to apply the ECDH principle to the group key management protocol.

• Unless a source is stated explicitly, the materials used in this tutorial are from Hankerson's book [9] and www.certicom.com.


References

[1] W. Diffie and M. Hellman: New Directions in Cryptography. IEEE Transactions on Information Theory, 22(6):644-654, 1976.

[2] N. Koblitz: Elliptic curve cryptosystems. Mathematics of Computation, 48:203-209, 1987.

[3] V. Miller: Use of elliptic curves in cryptography. Advances in Cryptology, CRYPTO '85 (LNCS 218), 417-426, 1986.

[4] G. Faltings: The Proof of Fermat's Last Theorem by R. Taylor and A. Wiles. Notices of the AMS, 42(7):743-746, July 1995. ISSN 0002-9920.

[5] I. Blake, G. Seroussi and N. Smart: Elliptic Curves in Cryptography. London Mathematical Society Lecture Note Series 265, Cambridge University Press, 1999.

[6] J. Lopez and R. Dahab: Improved algorithms for elliptic curve arithmetic in GF(2^n). Selected Areas in Cryptography, SAC '98 (LNCS 1556), 201-212, 1999.

[7] A. Fernandes: Elliptic Curve Cryptography. Dr. Dobb's Journal, December 1999.

[8] RSA Laboratories: FAQ. http://www.rsa.com/rsalabs/node.asp?id=2325

[9] D. Hankerson, A. Menezes and S. Vanstone: Guide to Elliptic Curve Cryptography. Springer, 2004.
