Motivation Basis of modern cryptosystems


0 Elliptic Curve Cryptography (ECC)
Electronic Components Examination Team, 한선경

1 Motivation
Basis of modern cryptosystems: RSA, Diffie-Hellman key exchange, digital signatures.
Mathematical strength rests on intractability: the discrete logarithm problem (DLP) and integer factoring.
Excessively long key lengths: to ensure secure systems, key sizes must be a minimum of 1024 bits.
Longer key sizes are needed to guarantee security as computing power increases, which means higher computational costs and low scalability.

2 Background
Elliptic curves (EC) have been studied for more than 150 years.
Utilized in devising algorithms for factoring integers, primality tests and public-key ciphers.
Defined over any field: real numbers, complex numbers, etc.
Only finite fields are used for cryptographic purposes.

3 Background
Elliptic Curve Cryptography (ECC)
Proposed independently in 1985 by Neal Koblitz (the University of Washington) and Victor Miller (IBM, Yorktown Heights).
Based on the operations on points of a specific elliptic curve in a field.
Founded on the mathematical intractability of the elliptic curve discrete logarithm problem (ECDLP).
Uses smaller key lengths (160 – 256 bits).
Provides faster public-key methods.
Smaller key sizes reduce disk and bandwidth utilization.
Wide range of applicability: e-commerce, smart cards, and small portable devices.
No sub-exponential time algorithm to break it.
Finite fields used for cryptographic purposes: GF(2^m), GF(p), GF(p^m), etc.

4 Background
Easy to implement; shorter keys; less computationally intensive; no dedicated processor; patent-free; secure.
Content Protection (5C), Mobile Phone (WAP), Smart Cards, etc.

5 Comparison of Security Level (Key Size)
Key size (bits)

Symmetric cipher (AES)   RSA     ECC prime field   ECC binary field   Key size ratio
80                       1024    160               163                1:6
112                      2048    224               233                1:9
128                      3072    256               283                1:12
-                        7680    384               409                1:20
-                        15360   521               571                1:30
96                       1536    192               193                1:8

A further row gives symmetric 64, RSA 704, ECC 131, ratio 1:5.

I.F. Blake, G. Seroussi, N.P. Smart, Elliptic Curves in Cryptography, Cambridge University Press, 1999.
Certicom Corporation, “Certicom Website,” Available:

6 Discrete Logarithm Problem
Discrete Logarithm Problem (DLP)
Problem: For a general group G, given group elements  and , find an integer x such that x is called the discrete log of  to the base , and is unique modulo the order of .
Elliptic Curve Discrete Logarithm Problem (ECDLP)
Problem: Given points P and Q on E, defined in finite field as, with ord(P) = n, find an integer k with 1 ≤ k ≤ n-1 such that Q = kP.

7 Scalar Multiplication and ECDLP
Scalar multiplication: given k and P, compute Q = kP. Efficient.
ECDLP (Elliptic Curve Discrete Logarithm Problem): given P and Q, find k such that Q = kP. Computationally infeasible.
Hence, the security of elliptic curve based cryptosystems rests on this problem.
ECDLP is more complex than DLP over finite fields. No index calculus method exists.

8 Finite Field Arithmetic
ECC Hierarchy, from top layer to bottom layer:
Elliptic curve cryptography
Applications: e-Commerce, Smart cards, Digital money, Secure communications, etc.
EC protocols: Key exchange, Authentication protocols, etc.
EC primitives: Key-pair generation, Signature and Verification
Elliptic curve processor
EC Operations II: Scalar multiplication Q = k·P
EC Operations I: Point doubling Q = 2P, Point addition R = P + Q
Finite Field Arithmetic: Multiplication, Addition and Inversion

9 What is Elliptic Curve?

10 What is Elliptic Curve? General Equation Typical Equation

11 Definition of Elliptic Curves over Fields
An elliptic curve is defined as the set of points (x, y) satisfying a Weierstrass equation.
General equation: y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6, where a_i ∈ R
Field characteristic = 2, GF(2^m): y^2 + xy = x^3 + ax^2 + b, where a, b ∈ GF(2^m), b ≠ 0
Field characteristic > 3, GF(p): y^2 = x^3 + ax + b, where a, b ∈ GF(p), 4a^3 + 27b^2 ≠ 0 (mod p)

12 Point at Infinity
Addition operation on the points of an EC: addition is commutative and associative.
Inverse of the point P = (x, y): -P = (x, -y) if q = p prime; -P = (x, x+y) if q = 2^m.
The point at infinity O: P + O = P, and P + (-P) = O for all points P.
A point O exists which has the role of group identity.

13 EC over Real Numbers
Defined as the set of points (x, y) satisfying an equation of the form y^2 = x^3 + ax + b, where x, y, a and b are real numbers.
If x^3 + ax + b contains no repeated factors, or equivalently if 4a^3 + 27b^2 ≠ 0, then the elliptic curve can be used to form a group.

14 Points over Finite Field F23
The 23 points which satisfy this equation are: (0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5) (13,18) (15,3) (15,20) (16,8) (16,15) (17,10) (17,13) (18,10) (18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)

15 Points over Finite Field F23
The point (9,5) satisfies this equation since: Negative Point over Fq

16 Points over Finite Field F2m
The 15 points which satisfy this equation are:

17 Operations on Elliptic Curves[1]
Point Addition: R = P + Q
Draw the line through P and Q. This line intersects the elliptic curve in a third point. Define R = P + Q as the reflection of this point in the x-axis.
If P = (x_1, y_1) and Q = (x_2, y_2), then R = P + Q = (x_3, y_3), where
x_3 = λ^2 - x_1 - x_2
y_3 = λ(x_1 - x_3) - y_1
λ = (y_2 - y_1) / (x_2 - x_1)

18 Operations on Elliptic Curves[2]
Point Doubling: R = 2P
Draw the tangent line to the curve at P. This line intersects the curve in a second point. Define R = 2P as the reflection of this point in the x-axis.
If P = (x_1, y_1), then R = 2P = (x_3, y_3), where
x_3 = λ^2 - x_1 - x_2 (with x_2 = x_1)
y_3 = λ(x_1 - x_3) - y_1
λ = (3x_1^2 + a) / (2y_1)

19 Operations on Elliptic Curves[3]
Scalar Multiplication: kP = P + P + ... + P
For a nonnegative integer k and a point P on an EC, scalar multiplication kP is defined as kP = (k-1)P + P for k > 0, that is, adding k-1 copies of P to itself.
0P = O for k = 0, where O is the “point at infinity”, which is the additive identity element.
(-n)P = n(-P)

20 Efficient Scalar Multiplication Algorithms
Primary goals when implementing: reducing the number of operations; minimizing the Hamming weight of the digit (multiplier).
Methods: binary method, signed binary method, m-ary method, modified m-ary method, Frobenius method, window method, sliding window method, NAF (non-adjacent form) method, signed m-ary windows method, Montgomery method (binary case).

21 Binary Method : addition chain
To compute Q = kP = P + P + ... + P, represent k in binary form and scan each bit of k from left to right.
If the bit is 1, do a doubling and an addition. If the bit is 0, do a doubling only.
Example: 61P = (1, 1, 1, 1, 0, 1)_2 P
P (1) -DBL-> 2P (10) -ADD-> 3P (11) -DBL-> 6P (110) -ADD-> 7P (111) -DBL-> 14P (1110) -ADD-> 15P (1111) -DBL-> 30P (11110) -DBL-> 60P (111100) -ADD-> Q = 61P (111101)

22 Signed Binary Method : addition-subtraction method
Use the following facts. For a point P on an elliptic curve, computation of an additive inverse -P is almost free. For example, on y^2 = x^3 + ax + b, -P is the reflection of P in the x-axis: P = (x, y), -P = (x, -y). Hence, a subtraction P - Q has the same complexity as that of an addition P + Q.

23 Signed Binary Method
To compute Q = kP, convert k to a signed binary representation k’ with a smaller number of nonzero digits than k.
If a digit is 1, do a doubling and an addition. If a digit is -1, do a doubling and a subtraction. If a digit is 0, do a doubling only.
Example: 61P = ( )P = (1, 0, 0, 0, -1, 0, 1)P
P (1) -DBL-> 2P (1,0) -DBL-> 4P (1,0,0) -DBL-> 8P (1,0,0,0) -DBL-> 16P (1,0,0,0,0) -SUB-> 15P (1,0,0,0,-1) -DBL-> 30P (1,0,0,0,-1,0) -DBL-> 60P -ADD-> Q = 61P

24 AMV method
In many elliptic curve based systems, we compute kP for a randomly chosen k.
[Agnew, Mullin, Vanstone 93] Choose special k’s that have a small Hamming weight HW(k) to reduce the number of additions. Specifically, generate random k’s of length m in binary form with HW(k) = w for a fixed small w. One can control the Hamming weight, and thus the number of additions.

25 AMV method
Example: m = 8, w = 3
0. Initially, there are 8 empty bits.
1. Choose 3 random positions for ‘1’.
2. Set them as ‘1’ and others as ‘0’.
k = (1, 0, 1, 0, 0, 0, 0, 1)
For kP, we need 7 doublings and 2 additions.
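The operation counts on slides 21, 23 and 25 can be reproduced with the following added example, which is not part of the presentation. It assumes the signed representation on slide 23 is the non-adjacent form (NAF) named on slide 20, and it also reports how many distinct scalars a fixed-weight generator can emit; all function names are illustrative.

```python
import secrets
from math import comb

def binary_digits(k):
    """Binary digits of k > 0, most significant first."""
    return [int(b) for b in bin(k)[2:]]

def naf_digits(k):
    """Non-adjacent form of k > 0: digits in {-1, 0, 1}, most significant first."""
    digits = []
    while k > 0:
        # Odd k: pick +1 if k = 1 (mod 4), -1 if k = 3 (mod 4), so the next digit is 0.
        d = 2 - (k % 4) if k & 1 else 0
        digits.append(d)
        k = (k - d) // 2
    return digits[::-1]

def op_count(digits):
    """(doublings, additions + subtractions) for a left-to-right scan.

    The leading nonzero digit only initialises Q = P, so it costs nothing.
    """
    first = next(i for i, d in enumerate(digits) if d != 0)
    tail = digits[first + 1:]
    return len(tail), sum(1 for d in tail if d != 0)

def amv_scalar(m, w):
    """Slide 25: choose w random positions out of m for the 1-bits."""
    ones = set(secrets.SystemRandom().sample(range(m), w))
    return [1 if i in ones else 0 for i in range(m)]

def amv_keyspace(m, w):
    """Number of distinct scalars amv_scalar(m, w) can return."""
    return comb(m, w)

if __name__ == "__main__":
    print("binary 61:", binary_digits(61), op_count(binary_digits(61)))
    print("NAF    61:", naf_digits(61), op_count(naf_digits(61)))
    k = amv_scalar(8, 3)
    print("AMV m=8, w=3:", k, op_count(k),
          "drawn from", amv_keyspace(8, 3), "of", 2 ** 8, "8-bit values")
```

Fixing the Hamming weight shrinks the set of possible scalars from 2^m to C(m, w), which is what `amv_keyspace` makes visible.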

26 Representation of Points
Affine coordinates
A finite point is specified by two elements x, y in GF(q). The point at infinity O has no affine coordinates. For internal computation, O = (0,0) for GF(2^m) and for GF(p) with b ≠ 0; O = (0,1) for GF(p) with b = 0.
Projective coordinates (a way to avoid division)
A finite point is specified by three elements X, Y, and Z. From affine: X = x, Y = y, Z = 1. To affine: x = X/Z^2, y = Y/Z^3. Not unique, because (X, Y, Z) = (λ^2 X, λ^3 Y, λZ) for every nonzero λ. The point at infinity: O = (λ^2, λ^3, 0) where λ ≠ 0.

27 Coordinates System
Affine: y^2 + xy = x^3 + ax^2 + b
Standard Projective: (X:Y:Z) <-> (X/Z, Y/Z) = (x, y)
Jacobian Projective: (X:Y:Z) <-> (X/Z^2, Y/Z^3) = (x, y)
New Projective (Lopez & Dahab, 1998): (X:Y:Z) <-> (X/Z, Y/Z^2) = (x, y)

28 Coordinates System

Coordinate system     EC_Add        EC_Add (mix)   Double
Affine                1I, 2M, 1S    -
Standard Projective   13M, 5S       12M, 1S        7M, 5S
Jacobian Projective   14M           10M, 4S        5M, 5S
New Projective        13M, 6S       9M, 4S         4M, 5S

M: Field Multiplication (8 S); S: Field Squaring; I: Field Inversion (64 – 80 S)

29 Affine Elliptic Full Addition (prime case)
P_2 = P_0 + P_1
1. If P_0 = O, then P_2 ← P_1 and stop.
2. If P_1 = O, then P_2 ← P_0 and stop.
3. If x_0 ≠ x_1, then
3.1 λ ← (y_0 - y_1)/(x_0 - x_1) mod p.
3.2 Go to step 7.
4. If y_0 ≠ y_1, then P_2 ← O and stop.
5. If y_1 = 0, then P_2 ← O and stop.
6. λ ← (3x_1^2 + a)/(2y_1) mod p.
7. x_2 ← λ^2 - x_0 - x_1 mod p.
8. y_2 ← λ(x_1 - x_2) - y_1 mod p.
Required operations: 3 or 4 modular multiplications, 1 modular inversion.
To subtract the point P = (x, y), add the point -P = (x, -y).

30 Projective Elliptic Doubling(prime case)
P_2 = 2P_1
1. M = 3X_1^2 + aZ_1^4
2. Z_2 = 2Y_1 Z_1
3. S = 4X_1 Y_1^2
4. X_2 = M^2 - 2S
5. T = 8Y_1^4
6. Y_2 = M(S - X_2) - T
Requirements: 10 field multiplications, 5 temporary variables (registers).
If a is small enough: 9 field multiplications.
If a = p-3: 8 field multiplications.
In the case of a binary field: 5 squarings, 5 multiplications, 4 temporary variables.

31 Projective Elliptic Addition(prime case)
P_2 = P_0 + P_1
1. U_0 = X_0 Z_1^2
2. S_0 = Y_0 Z_1^3
3. U_1 = X_1 Z_0^2
4. S_1 = Y_1 Z_0^3
5. W = U_0 - U_1
6. R = S_0 - S_1
7. T = U_0 + U_1
8. M = S_0 + S_1
9. Z_2 = Z_0 Z_1 W
10. X_2 = R^2 - TW^2
11. V = TW^2 - 2X_2
12. 2Y_2 = VR - MW^3
Requirements: 16 field multiplications, 7 temporary variables (registers).
In the case Z_1 = 1: 11 field multiplications, 6 temporary variables (registers).
In the case of a binary field: 3 squarings, 10 multiplications, 7 temporary variables.
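Added example, not from the presentation: the doubling steps of slide 30 and the addition steps above, chained through a binary scalar multiplication so that the only field inversion is the final conversion back to affine coordinates. It assumes the toy curve y^2 = x^3 + x over F_23 inferred from slide 14's point list, and adds the point-at-infinity and equal-x cases that the step lists leave out; names are illustrative.

```python
# Added illustration; assumes y^2 = x^3 + x over F_23 (inferred from slide 14).
P_MOD, A = 23, 1
INF = (1, 1, 0)                      # any triple with Z = 0 represents O
HALF = pow(2, -1, P_MOD)             # step 12 yields 2*Y2, so halve it

def jac_double(p1):
    """Slide 30, steps 1-6. Y1 = 0 or Z1 = 0 gives Z2 = 0, which is O."""
    x1, y1, z1 = p1
    m = (3 * x1 * x1 + A * pow(z1, 4, P_MOD)) % P_MOD
    z2 = 2 * y1 * z1 % P_MOD
    s = 4 * x1 * y1 * y1 % P_MOD
    x2 = (m * m - 2 * s) % P_MOD
    t = 8 * pow(y1, 4, P_MOD) % P_MOD
    return (x2, (m * (s - x2) - t) % P_MOD, z2)

def jac_add(p0, p1):
    """Slide 31, steps 1-12, plus the O and equal-x cases."""
    (x0, y0, z0), (x1, y1, z1) = p0, p1
    if z0 == 0 or z1 == 0:           # adding O returns the other operand
        return p1 if z0 == 0 else p0
    u0, s0 = x0 * z1 * z1 % P_MOD, y0 * pow(z1, 3, P_MOD) % P_MOD
    u1, s1 = x1 * z0 * z0 % P_MOD, y1 * pow(z0, 3, P_MOD) % P_MOD
    w, r = (u0 - u1) % P_MOD, (s0 - s1) % P_MOD
    if w == 0:                       # same x: P0 = P1 or P0 = -P1
        return jac_double(p0) if r == 0 else INF
    t, m = (u0 + u1) % P_MOD, (s0 + s1) % P_MOD
    z2 = z0 * z1 * w % P_MOD
    x2 = (r * r - t * w * w) % P_MOD
    v = (t * w * w - 2 * x2) % P_MOD
    y2 = (v * r - m * pow(w, 3, P_MOD)) * HALF % P_MOD
    return (x2, y2, z2)

def to_affine(p):
    """x = X/Z^2, y = Y/Z^3; returns None for O."""
    x, y, z = p
    if z == 0:
        return None
    zinv = pow(z, -1, P_MOD)         # the single field inversion
    return (x * zinv * zinv % P_MOD, y * pow(zinv, 3, P_MOD) % P_MOD)

def jac_scalar_mult(k, affine_point):
    """Binary method on Jacobian points; converts to affine once at the end."""
    base, q = (*affine_point, 1), INF
    for bit in bin(k)[2:]:
        q = jac_double(q)
        if bit == "1":
            q = jac_add(q, base)
    return to_affine(q)
```

For instance, `jac_scalar_mult(3, (11, 10))` returns `(15, 20)`, one of the points listed on slide 14.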

