Elliptic curve cryptography and zero knowledge proof

Elliptic Curve Cryptography and Zero Knowledge Proof

Nimish Joseph

AGENDA

• Mathematical Foundations

• Public Key Cryptography

• Elliptic Curve

• Elliptic Curve Cryptography

• Elliptic Curve over Prime Fields

• Zero Knowledge Proof

06-Nov-2013 2 ECC and Zero Knowledge Proof

Let’s Build the Foundation!

Mathematical Background for Cryptography

• Modulo Arithmetic

d=n*q + r, 0 ≤r<n.

we say this as “d is equal to r modulo n”

r ≡ d (mod n)

5 ≡ 26 (mod 7)


Group

• Basic algebraic structure

• A pair <G,*>, where G is a set and * is a binary operation such that the following hold

Closure

Associativity

Identity Element

Inverse

< Zn, +n >


Ring

A triplet < R, +, *>, where + and * are binary operations and R is a set satisfying the following properties:

<R, +> is a commutative group For all x, y, and z in R x*y is also in R x*(y*z)=(x*y)*z x*(y+z)= (x*y)+(x*z ) < Zn, +n, *n>


Fields

• <R, +, * > is a commutative ring with :

R has a multiplicative identity

Each element, x, in R (except for 0) has an inverse element in R , denoted by x-1

<Zn, +n, *n > where n is prime.


Cryptography - Basics

• Private Key Cryptography

• Public Key Cryptography


Public-Key Cryptosystems

Secrecy: Only B can Decrypt

the message

Authentication: Only A can

generate the encrypted message 06-Nov-2013 9 ECC and Zero Knowledge Proof

Public-Key Cryptography


Public-Key Cryptography


RSA

• Choose two large primes p and q

• n=p*q

• φ(n)= (p-1)*(q-1)

• Choose e, such that gcd(e, φ(n)) = 1

• Compute d, such that d = e-1mod φ(n)

C = Me mod n

M= Cd mod n


Discrete Logarithmic Problem

y = gx mod p

Challenge :

Given y, g and p (g and p very large) it is not VERY EASY(impossible) to calcuate x.


Diffie-Hellman Key Exchange

ga mod p

gb mod p

K = (gb mod p)a = gab mod p K = (ga mod p)b = gab mod p


El Gamal Encryption

• K=gamodp. (p,g,K) public and (a) private

• Choose r such that gcd(r,p-1)=1

• C1= gr mod p

• C2= (m*Kr) mod p... m is the message

Sends(C1, C2)

• To Decrypt C1-a*C2 mod p =m


Elliptic Curve Cryptography

Elliptic Curve Cryptography

• Elliptic Curve (EC) systems as applied to cryptography were first proposed in 1985 independently by Neal Koblitz and Victor Miller.

• The discrete logarithm problem on elliptic curve groups is believed to be more difficult than the corresponding problem in (the multiplicative group of nonzero elements of) the underlying finite field.


What Is Elliptic Curve Cryptography (ECC)?

• Elliptic curve cryptography [ECC] is a public-key cryptosystem just like RSA, Rabin, and El Gamal.

• Every user has a public and a private key.

– Public key is used for encryption/signature verification.

– Private key is used for decryption/signature generation.

• Elliptic curves are used as an extension to other current cryptosystems.


Using Elliptic Curves In Cryptography

• The central part of any cryptosystem involving elliptic curves is the elliptic group.

• All public-key cryptosystems have some underlying mathematical operation.

– RSA has exponentiation (raising the message or ciphertext to the public or private values)

– ECC has point multiplication (repeated addition of two points).


General form of a EC • An elliptic curve is a plane curve defined by an

equation of the form

baxxy 32

Examples


EC as a group

An Elliptic Curve is a curve given by an equation

y2 = f(x) Where f(x) is a square-free (no double roots) cubic or a quartic polynomial

y2 = x3 + ax + b 4a3 + 27b2 ≠ 0 EC(-3,2)

So y2 = x3 is not an elliptic curve, but y2 = x3-1 is


Elliptical Curve as a Group - Properties

• P + Q = Q + P (commutativity)

• (P + Q) + R = P + (Q + R) (associativity)

• P + O = O + P = P (existence of an identity element)

• there exists ( − P) such that − P + P = P + ( − P) = O (existence of inverses)


Elliptic Curve Picture

• Consider elliptic curve E: y 2 = x 3 - x + 1

• If P1 and P2 are on E , we can define

R = P 1 + P 2

as shown in picture

• Addition is all we need

P1

P2

R

x

y


Case 1 : R’ ≠P1, R’≠ P2, R’≠ 0

• P1+P2 = -R’ = R

• R = (x3,y3)

• Let y=mx+c

• m= (y2-y1)/(x2-x1)

• y2 = (mx+c)2 = m2x2+2mxc+c2

• x3+ax+b = m2x2+2mxc+c2

• x3 - m2x2 + (a-2mc)x + (b- c2 ) = 0


• (x-x1)(x-x2)(x-x3)=0

• x3-x2 (x1+x2+x3) + x (x1x2+x2x3+x3x1) – x1x2x3 = 0

• x3 = m2 –x1 –x2 • m= ((-y3)-y1)/(x3-x1)

• y3= -y1 +m(x1-x3)


P1

Case 2 : P1= -P2 or R’ = 0

P2


Case 3: R’=P1 or R’=P2

P1

P2

R

Tangent Line to EC at P2


Case 4 : Doubling of Point P

P

2*P

R Tangent Line to EC at P


P1=P2

• 2y * dy/dx =3x2 + a

• Slope of the tangent m = dy/dx = (3x2 + a)/2y

• At (x1,y1) = (3x12 + a)/2y1

• x3 = m2 –2x1

• y3= -y1 +m(x1-x3)


Work Out !

• EC(-1,1).

A(1,-1) B( 1/4, 7/8). A+B = ?

• m = (-1-7/8)/(1-1/4) = -5/2

• x3 = (-5/2)2 -1 -1/4 =5

• y3 = -(-1)+(-5)/2*(1-5) = 11

(5,11)


Elliptic Curve over Prime Fields

• Points on the curve y2 =x3 +2x +4

0

(0,2) (0,11) (2,4) (2,9) (5,3) (5,10)

(7,6) (7,7) (8,5) (8,8) (9,6) (9,7)

(10,6) (10,7) (12,1) (12,11)


Hasse’s Theorem

p +1 -2√p ≤ #EC(Fp) ≤ p+1+2√p

Establishes the tight bounds on the number of points on the EC


Work Out!

• EC(2,4) over F13

• A = (2,4) B = (8,5) . Compute A+B

m = (5-4)/(8-2) mod 13 =11

x3 = (112 -2 -8) mod 13 = 7

y3 = (-4 +11*(2-7)) mod 13 = 6

A+B =(7,6)

• Compute 2A = (8,5)


ECs Over Binary Fields

• y2+xy =x3 +ax2 +b, b!=0 • A=(x,y) : -A = (x,x+y)

• For adding two points

m= (y2+y1)/(x2+x1) x3 = m2+m +x1 +x2 + a y3 = m(x1+x3) +x3 +y1

• Point doubling m = x1 +(y1/x1) x3 = m2+m+a y3 = x1

2 +(m+1)*x3


Discrete Logarithm Problem on Elliptic Curves

• The problem of computing k given the EC parameters, G and kG, is called the discrete log problem for points on an elliptic curve.

• This problem is known to be infeasible in EC groups beyond 2120 elements


Computing kG

• kG = G + G + ...+ G k times

• To compute 168G , compute the series obtained by doubling the point,

2G, 4G, 8G, 16G, 32G,... • Now 168 = 10101000 in binary 168G = 128G+32G+8G O(log k)


Diffie-Hellman Modified

• Select <p,a,b,G,n,h>

• Alice chooses x and send xG

• Bob chooses y and send yG

• Alice on receipt compute x(yG) =xyG

• Bob on receipt compute y(xG) = xyG


El Gamal Modified

• k= aG

• Choose r; Compute rG

• Compute m + rk

• Send <rG, m + rk>

• To decrypt a(rG) = rk

• m + rk – rk = m


Comparison of key sizes for same level of security

ECC

• 110

• 163

• 256

• 384

• 512

RSA

• 512

• 1024

• 3072

• 7680

• 15360


RSA vs ECC Timings

• To encrypt ECC takes nearly 10 times of that of RSA upto a key size of 384(ECC) and 7680(RSA).

• For Decryption RSA takes more time for a key size higher than 1024 when compared to ECC (163)


Applications of ECC

• Many devices are small and have limited storage and computational power

• Where can we apply ECC? – Wireless communication devices

– Smart cards

– Web servers that need to handle many encryption sessions

– Any application where security is needed but lacks the power, storage and computational power that is necessary for our current cryptosystems


A Conference on ECC

• ECC 2013: https://www.cosic.esat.kuleuven.be/ecc2013


https://www.cosic.esat.kuleuven.be/ecc2013

Zero Knowledge Proof

Zero Knowledge Proofs (ZKP)

• Goldwasser, Micali, and Rackoff, 1985.

• ZKP instance of Interactive Proof System

• Interactive Proof Systems

– Challenge-Response Authentication

– Prover and Verifier

– Verifier Accepts or Rejects the Prover


ZKP

• Zero knowledge Transfer between the Prover and the Verifier

• The verifier accepts or rejects the proof after multiple challenges and responses

• Probabilistic Proof Protocol

• Overcomes Problems with Password Based Authentication


Zero Knowledge Proofs

• Introduction

• Properties of ZKP

• Advantages of ZKP

• Examples

• Fiat-Shamir Identification Protocol

• Real-Time Applications


Zero Knowledge Proofs (ZKP)

• Goldwasser, Micali, and Rackoff, 1985.

• ZKP instance of Interactive Proof System

• Interactive Proof Systems

– Challenge-Response Authentication

– Prover and Verifier

– Verifier Accepts or Rejects the Prover


Properties of ZKP

• Completeness

– Succeeds with high probability for a true assertion given an honest verifier and an honest prover.

• Soundness

– Fails for any other false assertion, given a dishonest prover and an honest verifier

• Zero Knowledge


Advantages of ZKP

• As name Suggests – Zero Knowledge Transfer

• Computational Efficiency – No Encryption

• No Degradation of the protocol

• Based on problems like discrete logarithms and integer factorization


Classic Example

• Ali Baba’s Cave

Alice has to convince Bob She knows the secret to open the cave door without telling the secret

(source: http://www.rsasecurity.com/rsalabs/faq/2-1-8.html)


Fiat-Shamir Identification Protocol

• 3 Message Protocol • Alice A, the Prover and Bob B, the Verifier A random modulus n, product of two large prime numbers p

and q generated by a trusted party and made public • Prover chooses secret s relatively prime to n • prover computes v = s2 mod n, where v is the public key A B : x = r2 mod n A B : e { 0,1} A B : y = r * se mod n. Is y2 = x * ve ?


Fiat-Shamir Identification Protocol (contd)

• Alice chooses a random number r (1 r n-1)

• Sends to Bob x = r2 mod n – commitment

• Bob randomly sends either a 0 or a 1 ( e { 0,1}) as his challenge

• Depending on the challenge from Bob, Alice computes the response as y = r if e = 0 or otherwise y = r*s mod n

• Bob accepts the response upon checking y2 x * ve mod n


• After many iterations, with a very high probability Bob can verify Alice’s identity

• Alice’s response does not reveal the secret s (with y = r or y = r* s mod n)

• An intruder can prove Alice’s identity without knowing the secret, if he knows Bob’s challenge in advance:

– Generate random r

– If expected challenge is 1, send x = r2/v mod n as commitment, and y = r as response

– If expected challenge is 0, send x = r mod n as commitment

• Probability that any Intruder impersonating the prover can send the right response is only ½

• Probability reduced as iterations are increased

• Important - Alice should not repeat r

Fiat-Shamir Identification Protocol (contd)


Applications

• Watermark Verification

– Show the presence of watermark without revealing information about it

– prevents from removing the watermark and reselling multiple duplicate copies

• Others – e-voting, e-cash etc.


References

• Network Security and Cryptography, Bernard Menezes • I. Blake, G. Seroussi, and N. Smart, Elliptic Curves in Cryptography, London

Mathematical Society 265, Cambridge University Press, 1999 • Overview of Zero-Knowledge Protocols, Jeffrey Knapp • http://en.wikipedia.org/wiki/Elliptic_curve_cryptography as on November

4, 2013 • Koblitz, N. (1987). "Elliptic curve cryptosystems". Mathematics of

Computation 48 (177): 203–209. JSTOR 2007884 • Menezes, A.; Okamoto, T.; Vanstone, S. A. (1993). "Reducing elliptic curve

logarithms to logarithms in a finite field". IEEE Transactions on Information Theory 39

• K. Malhotra, S. Gardner, and R. Patz, Implementation of Elliptic-Curve Cryptography on Mobile Healthcare Devices, Networking, Sensing and Control, 2007 IEEE International Conference on, London, 15–17 April 2007 Page(s):239–244


References

• D. Hankerson, A. Menezes, and S.A. Vanstone, Guide to Elliptic Curve Cryptography, Springer-Verlag, 2004

• http://en.wikipedia.org/wiki/Zero-knowledge_proof as on November 4, 2013

• Stinson, Douglas Robert (2006), Cryptography: Theory and Practice (3rd ed.), London: CRC Press, ISBN 978-1-58488-508-5

• Agrawal, Manindra; Kayal, Neeraj; Saxena, Nitin (2004). "PRIMES is in P". Annals of Mathematics 160 (2): 781–793.

• Theory of Computing Course, Cornell University 2009, Zero knowledge proofs

• A Survey of Zero-Knowledge Proofs with Applications to Cryptography, Austin Mohr Southern Illinois University at Carbondale


THANK YOU!!

~Nimish Joseph

Q&A

Elliptic curve cryptography and zero knowledge proof

Education

p commutativity p

r associativity p

c2 mod p

p existence

knowledge proof06

knowledge proof14

knowledge proofsecrecy

knowledge proof23