Presentation is loading. Please wait.

Presentation is loading. Please wait.

Giuseppe Bianchi Lecture 8: Elliptic Curve Crypto A (minimal) introduction.

Published byMartina Stevens Modified over 7 years ago

Similar presentations

Presentation on theme: "Giuseppe Bianchi Lecture 8: Elliptic Curve Crypto A (minimal) introduction."— Presentation transcript:

1 Giuseppe Bianchi Lecture 8: Elliptic Curve Crypto A (minimal) introduction

2 Giuseppe Bianchi Why bothering with ECC?  Computational security = Hard problems  Easy in one way  Hard in the other way  Example: discrete logarithm  Z*(p), p>2 prime, group order q  x  g x mod p easy  g x  x mod p hard  Not restricted to Z*(p), can be any cyclic group Gp 2^x mod 7919

3 Giuseppe Bianchi Why bothering with ECC?  Same problem (e.g. Dlog, factoring), different “hardness” in different groups!  Dlog in Z*(p): exp(O(n 1/3 ))  Dlog in EC: exp(O(n 1/2 )) Symm key equivmodulus size 80 bits 1024 bits 128 bits 3072 bits 256 bits 15360 bits Elliptic Curve 160 bits 256 bits 512 bits EC scales well (so far) with increased security parameter!! Obvious long term deployment choice (now clear why so many new EC ciphers in TLS) !

4 Giuseppe Bianchi Elliptic curves  They are NOT ellipses!  They are special cubic curves  Named from elliptic integrals  General (Weierstrass) expression y 2 = x 3 -3x+1 y 2 = x 3 +x+1 y 2 = x 3 -1,

5 Giuseppe Bianchi We need an operation  We want an operation  call it “+” or “  ”  historically called +, though someone today may prefer mult. notation  So that P+Q=R  R BELONGS to the curve  AND the operation gives algebraic group structure

6 Giuseppe Bianchi Elliptic points addition P+Q (geometric)

7 Giuseppe Bianchi Elliptic points addition P+P (geometric)

8 Giuseppe Bianchi Elliptic points addition P-P (geometric)  “complete” the curve by adding point O=-O to infinity  P+O=P  O is (additive) zero for the group of EC points  Now clear why the “inversion”

9 Giuseppe Bianchi General rule  If three points of an elliptic curve lay on a same line, their sum is 0

10 Giuseppe Bianchi Algebraic expressions  Can be derived from geometric interpretation

11 Giuseppe Bianchi P≠Q sketch P Q R -R

12 Giuseppe Bianchi P=Q sketch P R -R

13 Giuseppe Bianchi Elliptic curve group (over Zp)

14 Giuseppe Bianchi EC over modular integers  Geometric interpretation  Over real numbers  Our applications  Over modular integers  Define “curve” as  E p (x,y) such that  x,y integers in Zp  y 2 mod p = x 3 + a x + b mod p  Finite field  finite # of points

15 Giuseppe Bianchi Example: x 3 +x+1 mod 5  All points:  pairs (i,j), i in [0,4], j in [0,4] s.t. j 2 =i 3 +i+1 mod 5  And O  Result: 9 points  Let P=(0,1)  k P=P+P+…+P generates all the points

16 Giuseppe Bianchi example computation Many online calculators available e.g. http://www.csulb.edu/~wmurray/java/WillEllipticApplet.html

17 Giuseppe Bianchi Which points in “larger” group? No geometric “look&feel” anymore… no problem!

18 Giuseppe Bianchi EC group  (E(Z p ),+) is a group 1.Addition closed on set E 2.Addition is commutative 3.O is identity wrt addition 4.Every point P in E has inverse –P wrt addition 5.Associative property holds Harder to prove in generality, but holds Abelian group

19 Giuseppe Bianchi EC Group properties for crypto  Easy/hard operation: [k]P  Given P and k, easy to compute [k]P  Given P and [k]P, hard to compute k  P = elliptic curve point on group  k = integer mod group order  “Equivalent” to Dlog problem on Zp  If we had used multiplicative notation: k  P k  CRUCIAL: DEPEND ON THE CHOSEN CURVE!!!  Use curves recommended by standards!!!!  Curves not only in Zp, but also in GF(2 m ) – Binary curves: convenient!  Different EC curves satisfy different assumptions!  We’ll see (and exploit!) later on: e.g. CDH hard but DDH easy

20 Giuseppe Bianchi Multiplication (exponentiation)  Group order 160 bits  q=2 160  Major cost: multiplication  analogous to exp  Uses very large factors k (160 bits)  Efficiency: approx 1.5 Log 2 q  i.e. linear with the number of bits  Basic algorithm: double and sum »(analogous to square & multiply)

21 Giuseppe Bianchi Example  Goal: compute [1437]P  Express in bits  1437 10 =10110011101 2  Initialize first line  Differs if 0 or 1  Start from 2° lsb to msb  For every bit  Double;  If 1: add to result  Complexity:  O(nbit) x2  O(nbit/2) additions No algorithm such as this for the opposite problem!! That’s why it is hard!

22 Giuseppe Bianchi Elliptic curve crypto (examples)

23 Giuseppe Bianchi EC crypto  Invented in 1985  Neal Koblitz  Victor Miller  (independently)  Security: based on hardness of:  Given P and [k]P, hard to compute k  Elliptic Curve Discrete Log Problem – ECDLP  Much shorter keys than RSA/DLP  And better scaling! Symm key equivmodulus size 80 bits 1024 bits 128 bits 3072 bits 256 bits 15360 bits Elliptic Curve 160 bits 256 bits 512 bits

24 Giuseppe Bianchi ECDH/ECDSA  Topmost used, since included in US National Security Agency – suite B ciphers  Suite B: NIST-approved, promoted in 2005, adopted in TLS, IPsec, S/MIME, etc  Algorithms:  Encryption: AES 128/256  Key Exchange: ECDH  256 and 384 bit prime curves  Digital Signature: Elliptic Curve Digital Signature Algorithm (ECDSA)  256 and 384-bit prime moduli  Hashing: SHA-256 and SHA-384

25 Giuseppe Bianchi ECDH  Exactly as DH  Just use as group an EC group! C x, [x]G secret = [xy]G S y, [y]G secret = [yx]G G, [x]G (prime p of Zp, curve param a and b, group order q) [y]G

26 Giuseppe Bianchi ECDSA  Elliptic Curve Digital Signature Algorithm  EC version of DSA  Invented by Vanstone  Proposed by NIST in august 1991  adopted by NSA Suite B  Variant of ElGamal  Dlog based  Famous also for other reasons  Broken in Playstation 3, 2010  Not because ECDSA is vulnerable…  Because of incorrect usage, see later

27 Giuseppe Bianchi Let’s first remember DSA (simplified)  Multiplicative group  Z*(p), p>2 prime  Large prime q in group order  Usually p = 2q+1 (safe prime)  Generator  g s.t. g x mod p spans all group elements  Private/Public keys  d, y = g d mod p

28 Giuseppe Bianchi Let’s first remember DSA (simplified)  Signature for message m  Random k in (1,q)  Compute r = (g k mod p) mod q  Compute s = k -1 (H(m)+ d r) mod q  Signature: (r,s)  Verification  Compute u 1 = s -1 H(m) mod q  Compute u 2 = s -1 r mod q  Verify ((g u1 y u2 ) mod p) mod q = r

29 Giuseppe Bianchi ECDSA: setup  Private key:  d = random integer in [1,n-1]  Q = dP Public param & pubkey: Selected Elliptic curve over Z p Group Order (prime, large) Group Generator Public Key

30 Giuseppe Bianchi ECDSA: signature generation  k in [1,n-1]: random integer  ESSENTIAL: MUST BE  unique per each signature  unpredictable  Compute kP=(x 1,y 1 ) EC point  x 1 is integer, then  Compute r = x 1 mod n  Compute k -1 mod n  Hash function H(.) e.g. SHA Signature: (r,s) s=k -1 (H(m) + d r)

31 Giuseppe Bianchi ECDSA: verification  From message m  compute H(m)  From s  compute w=s -1 mod n  Compute integers:  u 1 = H[m] w mod n  u 2 = r w  Compute elliptic point  u 1 P + u 2 Q = (x 0,y 0 )  Compute  v = x 0 mod n Verification: v=r Note: k never disclosed!

32 Giuseppe Bianchi What if k predicted??  Private key would be disclosed!

33 Giuseppe Bianchi What if k repeated??  Private key would be disclosed! This is what happened with Sony’s Playstation 3

Download ppt "Giuseppe Bianchi Lecture 8: Elliptic Curve Crypto A (minimal) introduction."

Similar presentations

Chapter 4 Finite Fields. Introduction of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key concern operations on “numbers”

Chapter 4 Finite Fields. Introduction of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key concern operations on “numbers”
Chapter 4 – Finite Fields. Introduction will now introduce finite fields of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key.

Chapter 4 – Finite Fields. Introduction will now introduce finite fields of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key.
Lecture 8: Lattices and Elliptic Curves

Lecture 8: Lattices and Elliptic Curves
YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.

YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2002COPYRIGHT © 2002 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
Windows Core Security1© 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security.

Windows Core Security1© 2006 Microsoft Corp Cryptography: Helping Number Theorists Bring Home the Bacon Since 1977 Dan Shumow SDE Windows Core Security.
Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,

Digital Signature Algorithm (DSA) Kenan Gençol presented in the course BIL617 Cryptology instructed by Asst.Prof.Dr. Nuray AT Department of Computer Engineering,
CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Elliptic Curve Cryptography Jen-Chang Liu, 2004 Adapted from lecture slides by Lawrie Brown Ref: RSA Security ’ s Official Guide to Cryptography.

Elliptic Curve Cryptography Jen-Chang Liu, 2004 Adapted from lecture slides by Lawrie Brown Ref: RSA Security ’ s Official Guide to Cryptography.
Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.
Electronic Payment Systems Lecture 5: ePayment Security II

Electronic Payment Systems Lecture 5: ePayment Security II
Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)

Cryptography1 CPSC 3730 Cryptography Chapter 13 Digital Signature Standard (DSS)
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
CPE5021 Advanced Network Security --- Advanced Cryptography: Elliptic Curve Cryptography --- Lecture 3 CPE5021 Advanced Network Security --- Advanced Cryptography:

CPE5021 Advanced Network Security --- Advanced Cryptography: Elliptic Curve Cryptography --- Lecture 3 CPE5021 Advanced Network Security --- Advanced Cryptography:
Cryptography and Network Security Chapter 13

Cryptography and Network Security Chapter 13
Lecture 6: Public Key Cryptography

Lecture 6: Public Key Cryptography
Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall 2011 1.

Information Security and Management 13. Digital Signatures and Authentication Protocols Chih-Hung Wang Fall
Bob can sign a message using a digital signature generation algorithm

Bob can sign a message using a digital signature generation algorithm
By Abhijith Chandrashekar and Dushyant Maheshwary.

By Abhijith Chandrashekar and Dushyant Maheshwary.

Similar presentations

Ads by Google