ECE578: Cryptography, 7: Elliptic Curve Cryptographic Systems
Professor Richard A. Stanley, P.E.
Spring 2010, © 2000-2010, Richard A. Stanley
Posted Dec 21, 2015; 70 slides

Page 1: Title slide

Page 2: Last time…

• Elliptic curves may be useful for obtaining keys to use in asymmetric cryptography

• ECC numbers are an order of magnitude smaller than RSA numbers for equivalent levels of security…we think!

• Elliptic curves must meet certain requirements to be useful

Page 3: ECC Drawbacks

• Not as well studied as RSA and DL-based public-key schemes

• Conceptually more difficult.

• Finding secure curves in the set-up phase is computationally expensive

Page 4: Elliptic Curve Definition

Page 6: Objective

• Goal: find a (cyclic) group (G, ∘) so that we can use the DL problem as a one-way function.

• We have a set (points on the curve). We “only” need a group operation on the points.

Page 7: Abelian Groups

• An abelian group, also called a commutative group, is a group (G, * ) with the additional property that the group operation * is commutative, so that for all a and b in G, a * b = b * a

• Every cyclic group G is abelian

Page 8: Elliptic Curves

• An elliptic curve is a plane curve defined by an equation of the form y^2 = x^3 + ax + b, with 4a^3 + 27b^2 ≠ 0 so that the curve has no singular points

• The set of points on such a curve (all solutions of the equation together with a point at infinity, which serves as the identity element) can be shown to form an abelian group

• If x and y are taken from a large finite field, the solutions form a finite abelian group

Page 9: Why Bother?

• For asymmetric cryptosystems, scalar multiplication of points on an elliptic curve can be used instead of exponentiation in finite fields

• Key sizes appear to grow only linearly with the security level (roughly twice the symmetric key size), whereas RSA and finite-field DH key sizes grow much faster

• Might this be useful in dealing with issues of computational complexity?

Page 10: Elliptic Curve Cryptography

Key sizes (in bits) giving equivalent security:

Symmetric key size   RSA / Diffie-Hellman key size   Elliptic curve key size
80                   1024                            160
112                  2048                            224
128                  3072                            256
192                  7680                            384
256                  15360                           512

Page 11: Elliptic Curve Cryptography

Computation cost at equivalent security levels:

Security level (bits)   Computation ratio, DH cost : EC cost
80                      3:1
112                     6:1
128                     10:1
192                     32:1
256                     64:1

Page 12: Diffie-Hellman Key Exchange-1

• Alice and Bob agree on a large prime n and an integer g, where g is primitive (a generator) mod n. These need not be kept secret

• Alice chooses a large random integer x and sends to Bob: X = g^x mod n

• Bob chooses a large random integer y and sends to Alice: Y = g^y mod n

• NB: x and y are never transmitted

Page 13: Diffie-Hellman Key Exchange-2

• Alice computes k = Y^x mod n

• Bob computes k' = X^y mod n

• But k = k' = g^(xy) mod n

• Therefore, Bob and Alice now have a secret key, k, that they can share for communications

• Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k

Page 14: Diffie-Hellman Security

• D-H security rests on the difficulty of the discrete logarithm problem in Z_n^* (recovering x from X = g^x mod n), not on factoring; the size of n sets the work factor

• No efficient algorithm is known for recovering x or y from n, g, X and Y. The best known attacks are index-calculus methods (e.g. the number field sieve), which are sub-exponential rather than exhaustive, and this is why n must be far larger than a symmetric key

• Caveats
– n must be large
– (n-1)/2 should also be prime (n is then a "safe prime", so the group has no small subgroups for an attacker to exploit)
– g can be small, even one digit
– The exchange as described is unauthenticated: an active attacker who can replace X and Y runs one exchange with each party and reads all traffic (man-in-the-middle), so in practice X and Y must be authenticated

Page 15: Diffie-Hellman Key Exchange (ECC)

• The cryptosystem is completely analogous to D-H in Z_p^*

• Setup
– Choose E: y^2 ≡ x^3 + ax + b (mod p)
– Choose a primitive element (generator) α = (x_α, y_α) on E
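The two exchanges above, classic Diffie-Hellman in Z_n^* (pages 12-14) and its elliptic-curve version (page 15), worked through in Python as an added example; this code is not from the slides. The toy parameters are my own choices and far too small for real use: n = 23, g = 5, and the curve y^2 = x^3 + 2x + 2 over F_17 with generator α = (5, 1) (this curve has 19 points, a prime, so every non-identity point generates the whole group). The code also performs the checks the caveats call for: that (n-1)/2 is prime, that the generator's order is prime (the "one large prime factor" condition of page 18), and that a received public point actually lies on the curve.

```python
"""Toy Diffie-Hellman, once in Z_n^* and once on an elliptic curve over F_p.
Parameters are tiny so every step is visible; they give no security. Real use
needs >= 2048-bit safe primes or standardised 256-bit curves, constant-time
scalar multiplication, and authentication of X and Y (plain DH/ECDH is open
to an active man-in-the-middle)."""
import secrets


def is_prime(n):
    """Trial division; adequate for the toy sizes here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

# ---- Diffie-Hellman in Z_n^* (pages 12-14) ---------------------------------
N_DH, G_DH = 23, 5        # 23 is a safe prime ((23-1)/2 = 11); 5 generates Z_23^*

def is_safe_prime(n):
    """The (n-1)/2 caveat: the group then has no small subgroups."""
    return is_prime(n) and is_prime((n - 1) // 2)

def dh_exchange(x=None, y=None, n=N_DH, g=G_DH):
    """Return (k, k') as computed by Alice and Bob; the two must agree."""
    if x is None:
        x = 2 + secrets.randbelow(n - 3)   # private exponents in [2, n-2]
    if y is None:
        y = 2 + secrets.randbelow(n - 3)
    X = pow(g, x, n)                      # Alice -> Bob
    Y = pow(g, y, n)                      # Bob -> Alice
    k = pow(Y, x, n)                      # Alice: Y^x
    k_prime = pow(X, y, n)                # Bob:   X^y
    return k, k_prime

# ---- Diffie-Hellman on E: y^2 = x^3 + 2x + 2 over F_17 (page 15) -----------
P, CURVE_A, CURVE_B = 17, 2, 2
INF = None                                # point at infinity, the group identity

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + CURVE_A * x + CURVE_B)) % P == 0

def ec_add(p1, p2):
    """Group law in affine coordinates (chord-and-tangent rule)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:   # p2 = -p1 (also doubling a point with y = 0)
        return INF
    if p1 == p2:
        s = (3 * x1 * x1 + CURVE_A) * pow(2 * y1, -1, P) % P
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    y3 = (s * (x1 - x3) - y1) % P
    return (x3, y3)

def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add (not constant time)."""
    result, addend = INF, pt
    while k > 0:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def curve_order():
    """#E by exhaustive point counting; only feasible for toy p."""
    return 1 + sum(on_curve((x, y)) for x in range(P) for y in range(P))

def point_order(pt):
    n, q = 1, pt
    while q is not INF:
        q = ec_add(q, pt)
        n += 1
    return n

def ecdh_exchange(a=None, b=None, alpha=(5, 1)):
    """ECDH with generator alpha; each side validates the point it receives."""
    n = point_order(alpha)
    if a is None:
        a = 1 + secrets.randbelow(n - 1)
    if b is None:
        b = 1 + secrets.randbelow(n - 1)
    A_pub, B_pub = ec_mul(a, alpha), ec_mul(b, alpha)   # sent in the clear
    for pub in (A_pub, B_pub):            # reject INF and off-curve points
        if pub is INF or not on_curve(pub):
            raise ValueError("invalid public point")
    return ec_mul(a, B_pub), ec_mul(b, A_pub)   # Alice's key, Bob's key
```

Calling `dh_exchange()` and `ecdh_exchange()` with no arguments picks fresh random secrets and returns the two parties' keys, which always coincide; `curve_order()` returns 19 and `point_order((5, 1))` confirms α generates the whole group. The on-curve check in `ecdh_exchange` is the practitioner's habit worth keeping: accepting an arbitrary (x, y) from the peer lets an attacker feed a point from a weaker curve with the same a, which the formulas above would happily multiply.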

Page 16: Protocol

Page 17: Security

Page 18: Attacks

• The only known attacks against the elliptic curve DL are the generic ones: Pohlig-Hellman combined with Shanks' baby-step giant-step algorithm or Pollard's rho method
– #E must have one large prime factor p_l
– 2^160 ≤ p_l ≤ 2^250

• So-called "Koblitz curves" (curves with a, b ∈ {0, 1})

• For supersingular elliptic curves over GF(2^n), the DL on the curve can be solved by solving a DL in GF(2^(kn)) with k ≤ 6 (the MOV reduction)
– stay away from supersingular curves despite their possibly faster implementations

• Powerful index-calculus attacks are not yet applicable

Page 19: Menezes-Vanstone Encryption

• Set-up:

Page 20: Encryption

Page 21: Decryption

Page 22: Disadvantage

• Message expansion factor:

• Which means?

Page 23: Implementation

• Hardware:
– Approximately 0.2 ms for an elliptic curve point multiplication with 167 bits on an FPGA

• Software:
– One elliptic curve point multiplication aP in less than 10 ms over GF(2^155)
– An implementation on an 8-bit smart card processor without coprocessor is available

Page 24: ElGamal Encryption Scheme

• Published in 1985

• Based on the DL problem in Z_p^* or GF(2^k)

• Extension of the D-H key exchange for encryption
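The ElGamal scheme that the following pages describe, as an added Python example; it is not the slides' own material. Keys: private d, public β = g^d mod p. Encrypting m with a fresh random i sends (k_E, c) = (g^i, m · β^i) mod p, which is exactly one Diffie-Hellman exchange (the ephemeral g^i against the long-term β) followed by a multiplication with the agreed key; decryption recovers m = c · (k_E^d)^(-1). The toy parameters p = 23, g = 5 are my choices. The last function shows why i must never be reused: two ciphertexts under the same i share the masking key, so their ratio equals the ratio of the plaintexts and one known plaintext exposes the other.

```python
"""ElGamal encryption in Z_p^* with toy parameters (p = 23, g = 5 are far too
small for real use), plus a demonstration of ephemeral-key reuse."""
import secrets

P, G = 23, 5          # prime modulus and a generator of Z_23^*


def keygen(d=None, p=P, g=G):
    """Private key d in [2, p-2], public key beta = g^d mod p."""
    if d is None:
        d = 2 + secrets.randbelow(p - 3)
    return d, pow(g, d, p)


def encrypt(beta, m, i=None, p=P, g=G):
    """Return (k_E, c). k_E = g^i is the ephemeral half of a DH exchange,
    k_M = beta^i the resulting masking key, and c = m * k_M mod p."""
    if not 1 <= m < p:
        raise ValueError("message must be an element of Z_p^*")
    if i is None:
        i = 2 + secrets.randbelow(p - 3)   # fresh secret for every message
    k_e = pow(g, i, p)
    k_m = pow(beta, i, p)
    return k_e, (m * k_m) % p


def decrypt(d, k_e, c, p=P):
    """Recompute the masking key k_M = k_E^d = g^(i*d) and strip it off."""
    k_m = pow(k_e, d, p)
    return (c * pow(k_m, -1, p)) % p


def recover_with_reused_i(c1, m1, c2, p=P):
    """Attack on ephemeral-key reuse: if (k_E, c1) and (k_E, c2) were made with
    the same i, then c1/c2 = m1/m2, so a known m1 yields m2 = c2 * m1 / c1."""
    return (c2 * m1 * pow(c1, -1, p)) % p
```

Every ciphertext is two group elements for one element of plaintext, the factor-2 message expansion that also affects the EC variant, and `encrypt` is randomized, so the same m encrypts differently each time as long as i is fresh. `recover_with_reused_i` needs no private key at all, only the two ciphertexts and one plaintext, which is why implementations must draw i from a cryptographic RNG and never cache it.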

Page 25: El Gamal Protocol

Page 26: Setup

Page 27: Encryption

Page 28: Decryption

Page 29: How Does It Work?

Page 30: Remarks

Page 31: Computational Aspects

• Encryption

• Decryption

Page 32: Efficiency Issues

Page 33: Efficiency (con't.)

Page 34: Security of ElGamal

Page 35: Security of ElGamal (con't.)

Page 36: Summary - ECC

• Elliptic curves over a finite field give a group whose elements are:
– More efficient to generate
– More difficult to reconstruct from partial data

• For equivalent security, the key sizes needed with ECC grow roughly linearly with the security level; RSA key sizes grow much faster (compare the table on page 10)

Page 37: Next: The Advanced Encryption Standard (AES)

Page 38: Why a New Crypto Standard?

• DES now vulnerable to brute force key search

• 3DES still viable option, but key management a problem

• Implementation speeds in software disappointing

• Need to have national crypto standard even more critical than in the 1970’s

Page 39: Basic Facts about AES

• Successor to DES

• AES selection process was administered by NIST

• Unlike DES, the AES selection was an open (i.e., public) process

• Likely to be the dominant secret-key algorithm in the next decade

• Main AES requirements by NIST:
– Block cipher with 128 I/O bits
– Three key lengths must be supported: 128/192/256 bits
– Security relative to other submitted algorithms
– Efficient software and hardware implementations

Page 40: Chronology of the AES Process

• Development announced on January 2, 1997 by the National Institute of Standards and Technology (NIST)

• 15 candidate algorithms accepted on August 20th, 1998

• 5 finalists announced August 9th, 1999
– Mars, IBM Corporation
– RC6, RSA Laboratories
– Rijndael, J. Daemen & V. Rijmen
– Serpent, Eli Biham et al.
– Twofish, B. Schneier et al.

• October 2nd, 2000, NIST chooses Rijndael as the AES

Page 41: Comparison of Contenders

Page 42: Blowfish

Page 43: Twofish

Page 44: Rijndael Overview

Page 45: Block Size/Key Length

• Both block size and key length of Rijndael are variable. The sizes required by the AES standard are a 128-bit block with a 128-, 192- or 256-bit key. The number of rounds (or iterations) is a function of the key length: 10 rounds for a 128-bit key, 12 for 192 bits and 14 for 256 bits

Page 46: Rijndael vs. AES

• AES utilizes a subset of Rijndael capabilities

• Rijndael allows block sizes of 192 and 256 bits, but AES does not permit these larger block sizes

• If larger block sizes are used, the number of rounds must be increased

Page 47: Important

• Rijndael does not have a Feistel structure

• Feistel networks do not encrypt an entire block per iteration (e.g., in DES, 64/2 = 32 bits are transformed in one round)

• Rijndael encrypts all 128 bits in one iteration. As a consequence, Rijndael has a comparably small number of rounds

Page 48: Rijndael Structure

• Rijndael is a substitution-permutation network

• Rijndael uses three different types of layers

• Each layer operates on all 128 bits of a block

Page 49: Rijndael Layers

• Key Addition Layer: XORing of the subkey

• Byte Substitution Layer: 8-by-8 S-box substitution

• Diffusion Layer: provides diffusion over all 128 (or 192 or 256) block bits. It is split into two sub-layers:
– ShiftRow layer
– MixColumn layer

Page 50: Operations

• ByteSubstitution Layer introduces confusion with a non-linear operation.

• ShiftRow and MixColumn stages form a linear Diffusion Layer

Page 51: Rijndael Block Diagram (encryption)

Page 52: A Walk Through Rijndael

• One must be very careful when using Wikipedia references. However, this one has been vetted and is accurate as of this writing:

• http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

• We'll look at the description of how Rijndael works in some detail

Page 53: Affine Transformation

• A mapping between two vector spaces consisting of a linear transformation followed by a translation: x ↦ Ax + b

• Preserves:
– Collinearity: three points which lie on a line remain collinear after the transformation
– Ratios of distances along a line

Page 54: Another View of Byte Substitution

• Splits the incoming 128 bits into 128/8 = 16 bytes

• Each byte A is considered an element of GF(2^8) and undergoes the following substitution individually:

B = A^(-1) in GF(2^8), where the field is defined by P(x) = x^8 + x^4 + x^3 + x + 1 (the zero byte, which has no inverse, is mapped to itself); the affine transformation on the next page is then applied to B

Page 55: Byte Substitution Affine Transformation

Page 56: All About C

• The vector C = (c_7, …, c_0) (representing the field element c_7 x^7 + … + c_1 x + c_0) is the result of the substitution: C = ByteSub(A)

• The entire substitution can be realized as a look-up in a 256 x 8-bit table with fixed entries

• Unlike DES, Rijndael applies the same S-box to each byte

Page 57: Diffusion Layer

• Unlike the non-linear substitution layer, the diffusion layer performs a linear operation on input words A, B. That means: DIFF(A) ⊕ DIFF(B) = DIFF(A ⊕ B)

• The diffusion layer consists of two sublayers:
– ShiftRow sublayer
– MixColumn sublayer

Page 58: ShiftRow SubLayer - 1

• Write an input word A as 128/8 = 16 bytes and order them in a 4 x 4 square array:

• Input A = (a_0, a_1, …, a_15)

Page 59: ShiftRow SubLayer - 2

• Shift cyclically row-wise as follows:

Page 60: MixColumn SubLayer

• Principle: each column of 4 bytes is individually transformed into another column

• How? Each 4-byte column is considered as a vector and multiplied by a 4 x 4 matrix. The matrix contains constant entries. Multiplication and addition of the coefficients is done in GF(2^8)

Page 61: MixColumn SubLayer Matrices

Page 62: Rijndael Keys

• Analogous to DES, the key provided with AES is a seed key, which is processed within the system to produce round keys

• The procedure to generate separate round keys from the seed key is known as the Rijndael key schedule

Page 63: Key Addition Layer

• Simple bitwise XOR with a 128-bit subkey

• AES (Rijndael) uses a key schedule to expand a short key into a number of separate round keys. This is known as the Rijndael key schedule.

• http://en.wikipedia.org/wiki/Rijndael_key_schedule

Page 64: Rijndael Thoughts

• FIPS PUB 197 is the official standard

• Based on what you have seen of how encryption proceeds, can decryption proceed in the same way as for DES?

Page 65: Rijndael Block Diagram (decryption)

Page 66: Rijndael Decryption

• Unlike DES and other Feistel ciphers, all of the Rijndael layers must actually be inverted

• How can this be accomplished?
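The SubBytes, ShiftRows, MixColumns and key-addition layers described on pages 49-63, together with the inverse layers that the decryption question above asks about, as an added Python example (not code from the slides or from any AES library). It builds the S-box from the GF(2^8) inverse and the affine map rather than hard-coding the table, checks it against the FIPS 197 values S(00) = 63 and S(53) = ED, confirms that the diffusion layer is linear in the sense DIFF(A) ⊕ DIFF(B) = DIFF(A ⊕ B) while the substitution layer is not, and shows one decryption round undoing one encryption round. The state layout (column-major, as in FIPS 197) and the function names are my own; there is no key schedule here, so the round key is passed in.

```python
"""AES (Rijndael) round layers built from the slides' definitions, plus their
inverses. Table-free study code: no key schedule, no side-channel hardening.
The 16-byte state is in FIPS 197 column-major order: byte i is row i % 4,
column i // 4."""
from functools import reduce

POLY = 0x11B                      # P(x) = x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiply two bytes as elements of GF(2^8) modulo P(x)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= POLY
        b >>= 1
    return r


def gf_inv(a):
    """a^-1 = a^254 in GF(2^8); by convention 0 maps to 0."""
    r, base, e = 1, a, 254
    while e:
        if e & 1:
            r = gf_mul(r, base)
        base = gf_mul(base, base)
        e >>= 1
    return r if a else 0


def affine(a):
    """Affine map b = A*a + 0x63 over GF(2): bit i of b is the XOR of bits
    i, i+4, i+5, i+6, i+7 (mod 8) of a and of the constant 0x63."""
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return a ^ rotl(a, 1) ^ rotl(a, 2) ^ rotl(a, 3) ^ rotl(a, 4) ^ 0x63


SBOX = [affine(gf_inv(i)) for i in range(256)]    # ByteSub as a 256-entry table
INV_SBOX = [SBOX.index(i) for i in range(256)]    # decryption needs the inverse table

MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]


def sub_bytes(state, table=SBOX):
    return [table[b] for b in state]


def shift_rows(state, inverse=False):
    """Row r is rotated left by r byte positions (right for the inverse)."""
    step = -1 if inverse else 1
    return [state[r + 4 * ((c + step * r) % 4)] for c in range(4) for r in range(4)]


def mix_columns(state, matrix=MIX):
    """Multiply each 4-byte column by the constant matrix over GF(2^8)."""
    out = []
    for c in range(4):
        col = state[4 * c:4 * c + 4]
        for r in range(4):
            out.append(reduce(lambda x, y: x ^ y,
                              (gf_mul(matrix[r][k], col[k]) for k in range(4))))
    return out


def add_round_key(state, key):
    return [s ^ k for s, k in zip(state, key)]


def encrypt_round(state, round_key, last=False):
    """One Rijndael round; the final round omits MixColumn."""
    s = shift_rows(sub_bytes(state))
    if not last:
        s = mix_columns(s)
    return add_round_key(s, round_key)


def decrypt_round(state, round_key, last=False):
    """Undo encrypt_round: each layer is inverted and applied in reverse order."""
    s = add_round_key(state, round_key)
    if not last:
        s = mix_columns(s, INV_MIX)
    return sub_bytes(shift_rows(s, inverse=True), INV_SBOX)


def is_linear(layer, a, b):
    """True if layer(a) XOR layer(b) == layer(a XOR b) for the two sample states."""
    xor = lambda u, v: [x ^ y for x, y in zip(u, v)]
    return xor(layer(a), layer(b)) == layer(xor(a, b))
```

The answer to the question on this page is visible in `decrypt_round`: because Rijndael is not a Feistel network, decryption cannot simply re-run the encryption rounds with the key schedule reversed; each layer needs its own inverse (the inverse S-box table, a right rotation, and the second matrix, whose entries 0E/0B/0D/09 are the inverse of the MixColumn matrix over GF(2^8)), applied in the opposite order. Only the key addition is its own inverse.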

Page 67: AES Uses in Defense Systems

• DES and 3DES were never allowed for transmitting classified information

• CNSS Policy #15, FS-1, June 2003 states that AES may be used for classified information, subject to FIPS 140-2:
– SECRET at all key lengths
– TOP SECRET at key lengths of 192 or 256

• Issues/problems?

Page 68: Attacks on AES?

• What did you find in your homework?

• Do any of these seem plausible?

• What about in 10-20 years?

• AES has been criticized as being too algebraically deterministic. Your thoughts?


Page 69: AES Summary

• AES uses a subset of the capabilities of the Rijndael algorithm

• AES is becoming widely used, and is the default in many common applications

• A change from many of its predecessors, AES is a substitution-permutation network

• AES decryption requires a decryption engine to invert the encryption transforms

Page 70: Homework

• Read Stinson, Chapter 3.6

• Research the topic of elliptic curve cryptography. Choose a cryptosystem and describe its advantages and disadvantages. Is it in wide use? Why or why not?

• Some researchers have reported breaking AES. Find one or more of these claims and evaluate its significance or lack thereof.