Download presentation
Presentation is loading. Please wait.
Published byErica Sullivan Modified over 8 years ago
1
Cryptography Hyunsung Kim, PhD kim@kiu.ac.kr University of Malawi, Chancellor College Kyungil University February, 2016
2
2/16 Contents 12. Public Key Cryptography 12.5 Elliptic Curve Cryptography - EC Diffie-Hellman - EC ElGamal Message Exchange
3
Why ECC Index calculus : Fastest method we know to break original DH and RSA (RSA-2012, RSA-2048) 1975, continued fraction factorization method (CFRAC) -2 120, 2 170 1977, linear sieve (LS) -2 110, 2 160 1982, quadratic sieve (QS) -2 100, 2 150 1990, number0field sieve (NFS) -2 80, 2 112 1994, function-field sieve (FFS) 2006, medium-prime FFS/NFS 2013, x q -x FFS “cryptopocalypse” 3/16
4
Elliptic Curve Cryptography Elliptic curves are used in public key cryptography because you can use shorter keys than for RSA and cryptosystems whose security is based on the FFDLP An elliptic curve is a curve described by an equation of the form y 2 +a 1 xy+a 3 y=x 3 +a 2 x 2 +a 4 x+a 6 y 2 +a 1 xy+a 3 y=x 3 +a 2 x 2 +a 4 x+a 6 and an extra O -point and an extra O -point 4/16
5
Elliptic Curve Cryptography Definition Let be a field. An elliptic curve over is a smooth curve : y 2 +a 1 xy+a 3 y=x 3 +a 2 x 2 +a 4 x+a 6 (1) in so called “long Weierstrass form” where the coefficients a i lie in and the discriminant of , 0 in, where is defined as = -d 2 2 d 8 -8d 4 3 -27d 6 2 +9d 2 d 4 d 6 with d 2 = a 1 2 +4a 2 ; d 4 = 2a 4 +a 1 a 3 ; d 6 = a 3 2 +4a 6 ; d 8 = a 1 2 a 6 +4a 2 a 6 -a 1 a 3 a 4 +a 1 a 3 2 +a 4 2 ; together with a special point known as the point at infinity, O 5/16
6
Elliptic Curve Cryptography 6/16 This transforms Equation 1 to the equation of an isomorphic curve of the form : y 2 =x 3 +Ax+B (2) : y 2 =x 3 +Ax+B (2) We refer to this simpler form as a short Weierstrass form. A criterion to ensure that the curve in Equation 2 has no singular points. The curve’s discriminant = 4A 3 -27B 2 0
7
Elliptic Curve Cryptography Group law on elliptic curve Elliptic curves are of great use in a number of cryptographic protocols, mainly because it is possible to take two points on such a curve and generate a third point on the same curve In fact, we will show that the points on the elliptic curve generate an additive abelian group This group can then be used to develop a similar instance of the DLP which is the basis for most public key cryptosystems The chord-and-tangent rule for adding two points in () provides () with the needed abelian structure The point at infinity O, is the identity element 7/16
8
Elliptic Curve Cryptography Let be an elliptic curve defined over the field There is a chord-and-tangent rule for adding two points () to give a third point in () Together with this addition operation, the set of polynomial () forms an abelian group with O serving as its identity It is this group that is used in the construction of elliptic cryptographic systems The addition rule is best explained geometrically as 8/16
9
Elliptic Curve Cryptography Addition rule Let P=(x 1, y 1 ) and Q=(x 2, y 2 ) be two distinct points of elliptic curve The sum R of P and Q is defined as First draw a line though P and Q; this line intersects the elliptic curve at a third point Then R is the reflection of this point about the x-axis 9/16
10
Elliptic Curve Cryptography Doubling rule Let P=(x 1, y 1 ) a point on an elliptic curve The double R of P is defined as First draw the tangent line to the elliptic curve at P This line intersects the elliptic curve at a second point Then R is the reflection of this point about the x-axis 10/16
11
Elliptic Curve Cryptography Theorem (Group law on elliptic curves) Let / be an elliptic curve given by y 2 =x 3 +Ax+B. The chord- tangent method defines an addition on the set () of -rational points on ; let P=(x 1, y 1 ) and Q=(x 2, y 2 ) be points on with P, Q O. We then define P+Q=(x 3, y 3 ) as If x 1 x 2 then x 3 = m 2 - x 1 - x 2 and where m=(y 2 - y 1 )/(x 2 - x 1 ) If x 1 = x 2 but y 1 y 2 then P + Q = O If P = Q and y 1 0 then x 3 = m 2 - 2x 1 and y 3 = m(x 1 – x 3 ) – y 1 where m=(3x 1 2 + A)/2y 1 If P = Q and y 1 = 0 then P + Q = O. Also we define P + O = P for all points P on This addition law can be shown to be commutative and associative, effectively making ( (), +) an abelian group 11/16
12
Elliptic Curve Cryptography Example Let p=29, a=4 and b=20, and consider the elliptic curve : y 2 =x 3 +4x+20 Defined over 29 Verify that = 4A 3 -27B 2 0 (mod 29) Thus is indeed an elliptic curve Verify that some of the points in ( 29 ) are the following O, (2,6), (4, 19), (8, 10), (13, 23), (16, 2), (19, 16), (27, 2), (0,7), (2,23), (5,7), (8, 19), (14, 6), (16, 27), (20, 3), … 12/16
13
Elliptic Curve Cryptography Definition (Elliptic Curve DLP) The elliptic curve DLP (ECDLP) is : Given an elliptic curve defined over a finite field q a point P ( q ) of order n and a point Q , find the integer l [0, n-1] such that Q=lP. The integer l is called the discrete logarithm of Q to the base P, denoted l=log P Q The elliptic curve DLP (ECDLP) is : Given an elliptic curve defined over a finite field q a point P ( q ) of order n and a point Q , find the integer l [0, n-1] such that Q=lP. The integer l is called the discrete logarithm of Q to the base P, denoted l=log P Q 13/16
14
Elliptic Curve Cryptography Solving the ECDLP for an elliptic curve over q with q 2 163 (or 2 192 ) is about as hard as solving the FFDLP for q with q 2 1024 or factoring n with n 2 1024 (or 2 8000, respectively) So we can use shorter keys. Another advantage here is that for a given finite field there can be lots of associated elliptic curves 14/16
15
Elliptic Curve Diffie-Hellman Specify q, ( q ) and G Select a random point a A and compute R A = a A G 15/16 AliceBob Symmetric key for AES Select a random point a B a B G Compute R B = a B G q, ( q ), G, R A RBRBRBRB a A Compute SK=R B a A a B Compute SK=R A a B a A = a B Ga A =a B = a B a A G SK = R B a A = a B Ga A = a B R A = a B a A G
16
Elliptic Curve ElGamal 16/16 Select two random numbers k and a A Compute R A =a A G AliceBob Specify q, ( q ) and G Select a random number a B G Compute R B = a B G RARARARA RBRBRBRB M kG Compute R k =kG R B k Compute C=M (R B )k Compute R k a B Compute (R k a B ) -1 Compute M=C (R k a B ) -1 Rk, CRk, CRk, CRk, C Finding k requires solving the ECDLP
Similar presentations
© 2024 SlidePlayer.com Inc.
All rights reserved.