Motivation Basis of modern cryptosystems


Elliptic Curve Cryptography (ECC) Electronic Components Examination Team, 한선경

Motivation
- Basis of modern cryptosystems
  - RSA, Diffie-Hellman key exchange, digital signatures
- Intractability for mathematical strength
  - discrete logarithm problem (DLP)
  - integer factoring
- Excessively long key length
  - to ensure secure systems, key sizes must be a minimum of 1024 bits
- Longer key sizes needed to guarantee security
  - increasing computing power
  - higher computational costs and low scalability

Background
- EC studied more than 150 years
- Utilized in devising algorithms for
  - factoring integers
  - primality tests
  - public-key cipher
- Defined over any field: real numbers, complex numbers, etc.
- Only the finite field for cryptographic purposes

Background
- Elliptic Curve Cryptography (ECC)
  - Proposed independently in 1985 by Neal Koblitz (the University of Washington) and Victor Miller (IBM, Yorktown Heights)
- Based on the operations on points of a specific elliptic curve in a field
- Founded on the mathematical intractability of the elliptic curve discrete logarithm problem (ECDLP)
- Use smaller key lengths (160 – 256 bits)
- Provide faster public key methods
- Smaller key sizes reduce disk and bandwidth utilization
- Wide range of applicability: e-commerce, smart cards, and small portable devices
- No sub-exponential time algorithm to break
- The finite field for cryptographic purposes: $GF(2^m)$, $GF(p)$, $GF(p^m)$, etc.

Background
- Easy to Implement
- Shorter Keys
- Less Computationally Intensive
- No Dedicated Processor
- Patent-Free
- Secure Content Protection (5C), Mobile Phone (WAP), Smart Cards, etc.

Comparison of Security Level (Key Size)

Key size (bits)
Key Size Ratio | RSA   | ECC Prime Field | ECC Binary Field
1:6            | 1024  | 160             | 163
1:9            | 2048  | 224             | 233
1:12           | 3072  | 256             | 283
1:20           | 7680  | 384             | 409
1:30           | 15360 | 521             | 571
1:8            | 1536  | 192             | 193
Symmetric Cipher (AES) 80 112 128 96
1:5 704 131 64

I.F.Blake, G.Seroussi, N.P.Smart, Elliptic Curve in Cryptography, Cambridge University Press, 1999.
Certicom Corporation, “Certicom Website,” Available: http://www.certicom.com/index.php?action=res,ecc_faq.

Discrete Logarithm Problem
- Discrete Logarithm Problem (DLP)
  - Problem: For a general group G, given group elements α and β, find an integer x such that
  - x is called the discrete log of β to the base α, and is unique modulo the order of α.
- Elliptic Curve Discrete Logarithm Problem (ECDLP)
  - Problem: Given points P and Q on E, defined in finite field as, with ord(P) = n. Find an integer k with $1 \le k \le n-1$, such that Q = kP

Scalar Multiplication and ECDLP
- k, P → Q = kP
  - Efficient
- ECDLP (Elliptic Curve Discrete Logarithm Problem): P, Q → k s.t. Q = kP
  - Computationally infeasible
  - Hence, security of elliptic curve based cryptosystems is based on this problem.
- ECDLP more complex than DLP over finite fields
  - No index calculus methods exist

ECC Hierarchy
- Elliptic curve cryptography
- Applications: e-Commerce, Smart cards, Digital money, Secure communications, etc.
- EC protocols: Key exchange, Authentication protocols, etc.
- EC primitives: Key-pair generation, Signature and Verification
- Elliptic curve processor
- EC Operations II: Scalar multiplication Q = k·P
- EC Operations I: Point doubling Q = 2P, Point addition R = P + Q
- Finite Field Arithmetic: Multiplication, Addition and Inversion

What is Elliptic Curve?

What is Elliptic Curve? General Equation Typical Equation

Definition of Elliptic Curves over Fields
- defined as the set of points (x, y) satisfying the Weierstrass equations of the form
- The Weierstrass equation
  - General equation: $y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$, where $a_i \in R$
  - Field characteristic = 2, $GF(2^m)$: $y^2 + xy = x^3 + ax^2 + b$, where $a, b \in GF(2^m)$, $b \ne 0$
  - Field characteristic > 3, $GF(p)$: $y^2 = x^3 + ax + b$, where $a, b \in GF(p)$, $4a^3 + 27b^2 \ne 0 \pmod p$

Point at Infinity
- Addition operation on the points of an EC
  - Addition is commutative and associative
- Define the inverse of the point P = (x, y)
  - -P = (x, -y) if q = p prime
  - -P = (x, x+y) if $q = 2^m$
- The point at infinity O
  - P + O = P
  - P + (-P) = O for all points P
  - A point O exists which has the role of group identity

EC over Real Numbers
- defined as the set of points (x, y) satisfying an equation of the form $y^2 = x^3 + ax + b$, where x, y, a and b are real numbers
- If $x^3 + ax + b$ contains no repeated factors, or equivalently if $4a^3 + 27b^2 \ne 0$, then the elliptic curve can be used to form a group.

Points over Finite Field $F_{23}$
The 23 points which satisfy this equation are:
(0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5) (13,18) (15,3) (15,20) (16,8) (16,15) (17,10) (17,13) (18,10) (18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)

Points over Finite Field F23 The point (9,5) satisfies this equation since: Negative Point over Fq

Points over Finite Field $F_{2^m}$
The 15 points which satisfy this equation are:

Operations on Elliptic Curves [1]
- Point Addition: R = P + Q
  - Draw the line through P and Q. Then this line intersects the elliptic curve in a third point.
  - Define R = P + Q as the reflection of this point in the x-axis.
- If $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, then $R = P + Q = (x_3, y_3)$ with
  - $x_3 = \lambda^2 - x_1 - x_2$
  - $y_3 = \lambda(x_1 - x_3) - y_1$
  - where $\lambda = (y_2 - y_1) / (x_2 - x_1)$

Operations on Elliptic Curves [2]
- Point Doubling: R = 2P
  - Draw the tangent line to the curve at P. Then this line intersects the curve in a second point.
  - Define R = 2P as the reflection of this point in the x-axis.
- If $P = (x_1, y_1)$, then $R = 2P = (x_3, y_3)$ with
  - $x_3 = \lambda^2 - 2x_1$
  - $y_3 = \lambda(x_1 - x_3) - y_1$
  - where $\lambda = (3x_1^2 + a) / (2y_1)$

Operations on Elliptic Curves [3]
- Scalar Multiplication: kP = P + P + ... + P
  - For a nonnegative integer k and a point P, scalar multiplication kP is defined as kP = (k-1)P + P for k > 0.
  - adding k-1 copies of P to itself, where k is a positive integer and P is a point on an EC
  - 0P = O, for k = 0, where O is the “point at infinity”, which is the additive identity element.
  - (-n)P = n(-P)

Efficient Scalar Multiplication Algorithms
- Primary goal when implementing
  - Reducing the number of operations
  - Minimizing the Hamming weight of the digit (multiplier)
- Methods
  - Binary method
  - Signed binary method
  - M-ary method
  - Modified m-ary method
  - Frobenius method
  - Window method
  - Sliding window method
  - NAF (non-adjacent form) method
  - Signed m-ary windows method
  - Montgomery method (binary case)

Binary Method: addition chain
- To compute Q = kP = P + P + ... + P
  - represent k in binary form.
  - scan each bit of k from left to right.
  - if the bit is 1, do a doubling and an addition.
  - if the bit is 0, do a doubling only.
- Example: $61P = (1, 1, 1, 1, 0, 1)_2 P$

Operation | Result  | Scalar so far (binary)
          | P       | 1
DBL       | 2P      | 10
ADD P     | 3P      | 11
DBL       | 6P      | 110
ADD P     | 7P      | 111
DBL       | 14P     | 1110
ADD P     | 15P     | 1111
DBL       | 30P     | 11110
DBL       | 60P     | 111100
ADD P     | Q = 61P | 111101

Signed Binary Method: addition-subtraction method
- Use the following facts.
  - For a point P on an elliptic curve, computation of an additive inverse -P is almost free.
  - For example, on $y^2 = x^3 + ax + b$, -P is the reflection of P in the x-axis.
  - Hence, a subtraction P - Q has the same complexity as that of an addition P + Q.
- P = (x, y), -P = (x, -y)

Signed Binary Method
- To compute Q = kP, convert k to a signed binary representation k’ with a smaller number of nonzero digits than k.
  - if a digit is 1, do a doubling and an addition.
  - if a digit is -1, do a doubling and a subtraction.
  - if a digit is 0, do a doubling only.
- Example: $61P = (2^6 - 2^2 + 1)P = (1, 0, 0, 0, -1, 0, 1)P$

Operation | Result  | Signed digits so far
          | P       | (1)
DBL       | 2P      | (1, 0)
DBL       | 4P      | (1, 0, 0)
DBL       | 8P      | (1, 0, 0, 0)
DBL       | 16P     | (1, 0, 0, 0, 0)
SUB P     | 15P     | (1, 0, 0, 0, -1)
DBL       | 30P     | (1, 0, 0, 0, -1, 0)
DBL       | 60P     | (1, 0, 0, 0, -1, 0, 0)
ADD P     | Q = 61P | (1, 0, 0, 0, -1, 0, 1)

AMV method
- In many elliptic curve based systems, we compute kP for a randomly chosen k.
- [Agnew, Mullin, Vanstone 93] Choose special k’s that have small HW(k) to reduce the number of additions.
- Specifically, generate random k’s of length m in binary form with HW(k) = w for a fixed small w.
- One can control the Hamming weight, and thus the number of additions.

AMV method
- Example: m = 8, w = 3
  0. Initially, there are 8 empty bits.
  1. Choose 3 random positions for ‘1’.
  2. Set them as ‘1’ and others as ‘0’.
- k = (1, 0, 1, 0, 0, 0, 0, 1)
- For kP, we need 7 doublings and 2 additions.
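The operation counts from the binary, signed binary and AMV slides can be reproduced with the sketch below, an added example that is not part of the original slides. It uses the integers under addition as a stand-in group (so kP is just k when P = 1); all function names are hypothetical. The last function computes how far fixing the Hamming weight shrinks the set of possible scalars, which is the cost of the AMV speed-up.

```python
# Added example (not from the slides): left-to-right binary and signed-binary
# (NAF) scalar multiplication over any additive group, counting operations.
from math import comb, log2

def binary_digits(k):
    """Binary digits of k > 0, most significant first."""
    return [int(b) for b in bin(k)[2:]]

def naf(k):
    """Non-adjacent form of k > 0, most significant digit first, digits in {-1, 0, 1}."""
    digits = []
    while k > 0:
        d = 2 - (k % 4) if k & 1 else 0   # +1 if k = 1 mod 4, -1 if k = 3 mod 4
        digits.append(d)
        k = (k - d) // 2
    return digits[::-1]

def scalar_mult(digits, P, add, neg):
    """Scan digits left to right: always double, add or subtract P on a nonzero digit.
    Returns (kP, doublings, additions_or_subtractions)."""
    assert digits and digits[0] == 1
    Q, dbl, adds = P, 0, 0
    for d in digits[1:]:
        Q, dbl = add(Q, Q), dbl + 1
        if d:
            Q, adds = add(Q, P if d == 1 else neg(P)), adds + 1
    return Q, dbl, adds

def keyspace_bits(m, w):
    """log2 of the number of m-bit strings with Hamming weight w (AMV-style scalars)."""
    return log2(comb(m, w))

# Stand-in group (assumption for counting only): integers under addition, P = 1.
INT_ADD = lambda a, b: a + b
INT_NEG = lambda a: -a

if __name__ == "__main__":
    for name, ds in (("binary", binary_digits(61)), ("signed", naf(61))):
        print(name, ds, scalar_mult(ds, 1, INT_ADD, INT_NEG))
    amv = [1, 0, 1, 0, 0, 0, 0, 1]        # the slide's m = 8, w = 3 example
    print("AMV", scalar_mult(amv, 1, INT_ADD, INT_NEG),
          "scalar space: %.2f bits instead of 8" % keyspace_bits(8, 3))
```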

Representation of Points
- Affine coordinates
  - A finite point is specified by two elements x, y in GF(q).
  - The point at infinity O has no affine coordinates.
  - For internal computation
    - O = (0,0) for $GF(2^m)$ and for $GF(p)$ with $b \ne 0$
    - O = (0,1) for $GF(p)$ with $b = 0$
- Projective coordinates (a way to avoid division)
  - A finite point is specified by three elements X, Y, and Z
  - X = x, Y = y, Z = 1
  - $x = X/Z^2$, $y = Y/Z^3$
  - Not unique because $(X, Y, Z) = (\lambda^2 X, \lambda^3 Y, \lambda Z)$ for every nonzero $\lambda$
  - The point at infinity: $O = (\lambda^2, \lambda^3, 0)$ where $\lambda \ne 0$

Coordinates System
- Affine: $y^2 + xy = x^3 + ax^2 + b$
- Standard Projective: (X:Y:Z) <-> (X/Z, Y/Z) = (x, y)
- Jacobian Projective: (X:Y:Z) <-> $(X/Z^2, Y/Z^3)$ = (x, y)
- New Projective (Lopez & Dahab, 1998): (X:Y:Z) <-> $(X/Z, Y/Z^2)$ = (x, y)

Coordinates System

Coordinate system   | EC_Add     | EC_Add (mix) | Double
Affine              | 1I, 2M, 1S | -            |
Standard Projective | 13M, 5S    | 12M, 1S      | 7M, 5S
Jacobian Projective | 14M        | 10M, 4S      | 5M, 5S
New Projective      | 13M, 6S    | 9M, 4S       | 4M, 5S

M: Field Multiplication 8 S
S: Field Squaring
I: Field Inversion 64 – 80 S

Affine Elliptic Full Addition (prime case)
$P_2 = P_0 + P_1$
1. If $P_0 = O$, then $P_2 \leftarrow P_1$ and stop.
2. If $P_1 = O$, then $P_2 \leftarrow P_0$ and stop.
3. If $x_0 \ne x_1$, then
   3.1 $\lambda \leftarrow (y_0 - y_1)/(x_0 - x_1) \bmod p$.
   3.2 Go to step 7.
4. If $y_0 \ne y_1$, then $P_2 \leftarrow O$ and stop.
5. If $y_1 = 0$, then $P_2 \leftarrow O$ and stop.
6. $\lambda \leftarrow (3x_1^2 + a)/(2y_1) \bmod p$.
7. $x_2 \leftarrow \lambda^2 - x_0 - x_1 \bmod p$.
8. $y_2 \leftarrow \lambda(x_1 - x_2) - y_1 \bmod p$.
Required operation
- 3 or 4 modular multiplication
- 1 modular inversion
To subtract the point P = (x, y), add the point -P = (x, -y).
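The eight steps above, run on a concrete curve, as an added example that is not part of the original slides. It assumes the curve y^2 = x^3 + x over F_23 (a = 1, b = 0), which every point in the slide's 23-point list satisfies; the slides themselves do not show the equation. The exhaustive ECDLP search at the end illustrates why the group must be large: here it has only 24 elements, so finding k from P and Q = kP takes a handful of additions.

```python
# Added example, not from the slides. Assumption: the curve is
# y^2 = x^3 + x over F_23 (a = 1, b = 0), which the listed points satisfy.
P_MOD, A, B = 23, 1, 0
O = None  # point at infinity, the group identity

def on_curve(pt):
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def curve_points():
    """All affine points, found by exhaustive search over F_23 x F_23."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]

def add(p0, p1):
    """Affine full addition, following steps 1-8 of the slide."""
    if p0 is O:
        return p1                                   # step 1
    if p1 is O:
        return p0                                   # step 2
    (x0, y0), (x1, y1) = p0, p1
    if x0 != x1:                                    # step 3: chord slope
        lam = (y0 - y1) * pow((x0 - x1) % P_MOD, -1, P_MOD) % P_MOD
    elif y0 != y1 or y1 == 0:                       # steps 4-5: P1 = -P0
        return O
    else:                                           # step 6: tangent slope
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD) % P_MOD
    x2 = (lam * lam - x0 - x1) % P_MOD              # step 7
    y2 = (lam * (x1 - x2) - y1) % P_MOD             # step 8
    return (x2, y2)

def ecdlp_bruteforce(P, Q):
    """Smallest k >= 1 with Q = kP, or None if Q is not a multiple of P.
    Exhaustive search works only because this toy group has 24 elements."""
    acc, k = P, 1
    while acc is not O:
        if acc == Q:
            return k
        acc, k = add(acc, P), k + 1
    return None

if __name__ == "__main__":
    print(len(curve_points()), "affine points; 2*(9,5) =", add((9, 5), (9, 5)))
    print("k with (9,18) = k*(9,5):", ecdlp_bruteforce((9, 5), (9, 18)))
```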

Projective Elliptic Doubling (prime case)
$P_2 = 2P_1$
1. $M = 3X_1^2 + aZ_1^4$
2. $Z_2 = 2Y_1Z_1$
3. $S = 4X_1Y_1^2$
4. $X_2 = M^2 - 2S$
5. $T = 8Y_1^4$
6. $Y_2 = M(S - X_2) - T$
Requirement
- 10 field multiplication
- 5 temporary variables (registers)
- If a is small enough: 9 field multiplication
- If a = p-3: 8 field multiplication
- In the case of binary field: 5 squarings, 5 multiplications, 4 temporary variables

Projective Elliptic Addition (prime case)
$P_2 = P_0 + P_1$
1. $U_0 = X_0Z_1^2$
2. $S_0 = Y_0Z_1^3$
3. $U_1 = X_1Z_0^2$
4. $S_1 = Y_1Z_0^3$
5. $W = U_0 - U_1$
6. $R = S_0 - S_1$
7. $T = U_0 + U_1$
8. $M = S_0 + S_1$
9. $Z_2 = Z_0Z_1W$
10. $X_2 = R^2 - TW^2$
11. $V = TW^2 - 2X_2$
12. $2Y_2 = VR - MW^3$
Requirement
- 16 field multiplication
- 7 temporary variables (registers)
- In the case $Z_1 = 1$: 11 field multiplication, 6 temporary variables (registers)
- In the case of binary field: 3 squarings, 10 multiplications, 7 temporary variables
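The projective doubling and addition steps above, written out as an added example that is not part of the original slides. It assumes the curve y^2 = x^3 + x over F_23 (a = 1) and Jacobian coordinates x = X/Z^2, y = Y/Z^3; the handling of inputs at infinity and of W = 0 (equal x-coordinates) is an addition here, since the listed steps do not cover those cases. The only field inversion happens once, when converting the final result back to affine form.

```python
# Added example, not from the slides. Assumption: curve y^2 = x^3 + x over F_23
# (a = 1), Jacobian coordinates with x = X/Z^2 and y = Y/Z^3.
P_MOD, A = 23, 1
INF = (1, 1, 0)  # any (t^2, t^3, 0) with t != 0 represents the point at infinity

def jac_double(P1):
    """Steps 1-6 of the doubling slide; Y1 = 0 or Z1 = 0 yields Z2 = 0 (infinity)."""
    X1, Y1, Z1 = P1
    M = (3 * X1 * X1 + A * pow(Z1, 4, P_MOD)) % P_MOD
    Z2 = 2 * Y1 * Z1 % P_MOD
    S = 4 * X1 * Y1 * Y1 % P_MOD
    X2 = (M * M - 2 * S) % P_MOD
    T = 8 * pow(Y1, 4, P_MOD) % P_MOD
    Y2 = (M * (S - X2) - T) % P_MOD
    return (X2, Y2, Z2)

def jac_add(P0, P1):
    """Steps 1-12 of the addition slide, plus the special cases they omit."""
    (X0, Y0, Z0), (X1, Y1, Z1) = P0, P1
    if Z0 == 0:
        return P1
    if Z1 == 0:
        return P0
    U0, S0 = X0 * Z1 * Z1 % P_MOD, Y0 * pow(Z1, 3, P_MOD) % P_MOD
    U1, S1 = X1 * Z0 * Z0 % P_MOD, Y1 * pow(Z0, 3, P_MOD) % P_MOD
    W, R = (U0 - U1) % P_MOD, (S0 - S1) % P_MOD
    if W == 0:                      # same x: either P0 = P1 or P0 = -P1
        return jac_double(P0) if R == 0 else INF
    T, M = (U0 + U1) % P_MOD, (S0 + S1) % P_MOD
    Z2 = Z0 * Z1 * W % P_MOD
    X2 = (R * R - T * W * W) % P_MOD
    V = (T * W * W - 2 * X2) % P_MOD
    # Step 12 yields 2*Y2, so multiply by the inverse of 2 (p is odd).
    Y2 = (V * R - M * pow(W, 3, P_MOD)) * pow(2, -1, P_MOD) % P_MOD
    return (X2, Y2, Z2)

def to_affine(P):
    """Convert back to (x, y); returns None for the point at infinity."""
    X, Y, Z = P
    if Z == 0:
        return None
    zi = pow(Z, -1, P_MOD)          # the single field inversion
    return (X * zi * zi % P_MOD, Y * pow(zi, 3, P_MOD) % P_MOD)

if __name__ == "__main__":
    P = (9, 5, 1)
    print("2P =", jac_double(P), "->", to_affine(jac_double(P)))
    print("3P ->", to_affine(jac_add(jac_double(P), P)))
```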