Presentation is loading. Please wait.

Presentation is loading. Please wait.

橢圓曲線密碼技術 交通大學 資訊工程系 陳榮傑

Published byMaurice Lawson Modified over 8 years ago

Similar presentations

Presentation on theme: "橢圓曲線密碼技術 交通大學 資訊工程系 陳榮傑"— Presentation transcript:

1 橢圓曲線密碼技術 交通大學 資訊工程系 陳榮傑 http://www.cs.nctu.edu.tw/~rjchen/ECC2012S/

2 p2. Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm [3] Cryptosystems Based on DLP [4] Elliptic Curves [5] Elliptic Curve DLP [6] Signature Scheme: ECDSA [7] How to find secure ECs? [8] Hyperelliptic Curves [9] ID-based Cryptosystems [10] Pairing-based Cryptography

3 p3. Let G is a finite cyclic group of size n generated by generator g, i.e. G = = {g i | i = 1, 2, …, n} or {g i | i = 0, 1, …, n-1} Given g and i, it is easy to compute g i by repeated squaring Discrete logarithm problem Given, find x such that We denote [1] Discrete Logarithm Problem

4 p4. Example 1 G = Z 19 * = { 1, 2, …, 18} n=18, generator g = 2 then log 2 14 = 7 log 2 6 = 14

5 p5. Example 2 G=GF * (2 3 ) with irreducible poly. p(x)=x 3 +x+1 G=Z n * /p(x)={ 1, x, x 2, 1+x, 1+x 2, x+x 2, 1+x+x 2 } n=7, generator g = x then log x (x+1) = 3 log x (x 2 +x+1) = 5 log x (x 2 +1) = 6

6 p6. Example 3 Let p =1053546280395016975304616582933958731948871814925913 48934260873425871788357518586730038628773770557793738 29258737624519904504306613508596826974102562682711472 83034897563214300237166369174066615907176472549470083 113107138189921280884003892629359 NB: p = 158(2 800 + 25) + 1 and has 807 bits. Find x in Z, such that 2 x = 3 mod p

7 p7. [2] Algorithms for Discrete Logarithm trivial algorithm Shanks’ algorithm (Baby-step giant-step) Pollard rho discrete log algorithm Pohlig-Hellman algorithm The index calculus method*

8 p8. The index calculus method The index calculus method (Suitable only for G=Z p *)

9 p9. Example log 5 9451 mod 10007=? Choose B={2, 3, 5, 7}. Of course log 5 5=1. Use lucky exponents 4063, 5136, and 9865 5 4063 mod 10007 = 42 = 2 * 3 * 7 5 5136 mod 10007 = 54 = 2 * 3 3 5 9865 mod 10007 = 189 = 3 3 * 7 And we have three congruences: log 5 2 + log 5 3 + log 5 7 = 4063 mod 10006 log 5 2 + 3 log 5 3 = 5136 mod 10006 3 log 5 3 + log 5 7 = 9865 mod 10006

10 p10. There happens to be a unique solution modulo 10006 log 5 2=6578, log 5 3=6190, and log 5 7=1301 Choose random exponent s = 7736 and try to calculate ag s = 9451*5 7736 mod 10007 = 8400 Since 8400 = 2 4 *3*5 2 *7 factors over B, we obtain log 5 9451 = (4 log 5 2 + log 5 3 + 2 log 5 5 + log 5 7 – s) mod 10006 = (4*6578 + 6190 + 2*1 +1301 – 7736) mod 10006 = 6057 mod 10006

11 p11. Complexity of Index Calculus For factoring and the discrete logarithm problem in finite fields F q * there are index calculus algorithm (implemented with Number Field Sieve technique) These have subexponential complexity O(exp(c(lnN) 1/3 (lnlnN) 2/3 ))

12 p12. [3] Cryptosystems based on DL Key Distribution Diffie-Hellman, 1976 Encryption Massey-Omura cryptosystem, 1983 Digital Signature ElGamal, 1985

13 p13. Diffie-Hellman Key Exchange Algo Global Public Elements q : prime number α: α< q and α is a primitive root of q User A Key Generation Select private X A : X A < q Calculate public Y A : Y A = α XA mod q User B Key Generation Select private X B : X B < q Calculate public Y B : Y B = α XB mod q Generation of Secret Key by User A K = (Y B ) XA mod q Generation of Secret Key by User B K = (Y A ) XB mod q

14 p14. User AUser B Generate random X A < q ; Calculate Y A = α XA mod q Calculate K = (Y B ) XA mod q Generate random X B < q ; Calculate Y B = α XB mod q Calculate K = (Y A ) XB mod q YAYA YBYB Diffie-Hellman Key Exchange

15 p15. Massey-Omura for message transmission Parameters q : prime number e : a random private integer 0 < e < q and gcd ( e, q-1) = 1 d : an inverse of e d = e -1 mod q-1, i.e., de ≡ 1 mod q-1 M : a message to be encrypted and decrypted User A wants to send a message M to User B User A : e A and d A are both private User B : e B and d B are both private

16 p16. User AUser B 1.Encryption(1) C 1 = M eA mod q 3.Encryption(3) C 3 = C 2 dA = (M eAeB ) dA = M eB mod q 2.Encryption(2) C 2 = C 1 eB = M eAeB mod q 4. Decryption M = C 3 dB = M eBdB mod q Massey-Omura for message transmission C1C1 C2C2 C3C3

17 p17. ElGamal signature scheme 1985 ElGamal Parameters p : a large prime α: a primitive number in GF(p) x : a private key, x [1, p-1] y : a public key, y = α x (mod p) m : a message to be signed, m [1, p-1] k : a random integer that is privately selected, k [0, p-2] Signature r = α k mod p m = ks + rx mod φ(p),where GCD( k, φ(p) ) = 1 ( m, (r,s) ) is sent to the verifier Verification α m = r s y r mod p The signature (r,s) is accepted when the equality holds true.

18 p18. ElGamal encryption scheme Parameters p : a large prime α: a primitive number in GF(p) a : a private key, a [1, p-1] β : a public key, β = α a (mod p) m : a message to be signed, m [1, p-1] k : a random integer that is privately selected, k [0, p-2] K = (p, α, a, β) : public key + private key Encryption e K (m, k)=(y 1, y 2 ) where y 1 = α k mod p and y 2 =mβ k mod p Decryption m = d K (y 1, y 2 ) = y 2 (y 1 a ) -1 mod p

19 p19. (x P+Q, y P+Q ) [4] Elliptic Curves Over Fields of Characteristic p>3 Curve form E: Y 2 = X 3 + aX + b where a, b  F q, q = p n 4a 3 +27b 2 ≠0 Group operation given P 1 (x 1,y 1 ) and P 2 (x 2,y 2 ) compute P 3 (x 3,y 3 ) = P 1 +P 2

20 p20. Example: P -P Q P+Q Example of EC over GF(p)

21 p21. Addition (P 1  P 2 ) Doubling (P 1 =P 2 ) Computational Cost I + 3 M Computational Cost I + 4 M

22 p22. Over Fields of Characteristic 2 Curve form E: Y 2 + XY = X 3 + aX 2 + b where a, b  F q, b≠0, q = 2 n Group operation given P 1 (x 1,y 1 ) and P 2 (x 2,y 2 ) compute P 3 (x 3,y 3 ) = P 1 +P 2

23 p23. Example of EC over GF(2 m )

24 p24. Addition (P 1  P 2 ) Doubling (P 1 =P 2 ) Computational Cost I + 2 M + S Computational Cost I + 2 M + S

25 p25. [5] Elliptic Curve DLP Basic computation of ECC Q = kP = where P is a curve point, k is an integer Strength of ECC Given curve, the point P, and kP It is hard to recover k - Elliptic Curve Discrete Logarithm Problem (ECDLP)

26 p26. Security of ECC versus RSA/ElGamal Elliptic curve cryptosystems give the most security per bit of any known public-key scheme. The ECDLP problem appears to be much more difficult than the integer factorisation problem and the discrete logarithm problem of Z p. (no index calculus algo!) The strength of elliptic curve cryptosystems grows much faster with the key size increases than does the strength of RSA.

27 p27. Elliptic Curve Security Symmetric Key Size (bits) RSA and Diffie-Hellman Key Size (bits) Elliptic Curve Key Size (bits) 801024160 1122048224 1283072256 1927680384 25615360521 NIST Recommended Key Sizes

28 p28. ECC Benefits ECC is particularly beneficial for application where: computational power is limited (wireless devices, PC cards) integrated circuit space is limited (wireless devices, PC cards) high speed is required. intensive use of signing, verifying or authenticating is required. signed messages are required to be stored or transmitted (especially for short messages). bandwidth is limited (wireless communications and some computer networks).

29 p29. [6] Signature Scheme: ECDSA Digital Signature Algorithm (DSA) Proposed in 1991 Was adopted as a standard on December 1, 1994 Elliptic Curve DSA (ECDSA) FIPS 186-2 in 2000

30 p30. Digital Signature Algorithm (DSA) Let p be a L-bit prime such that the DL problem in Z p * is intractable, and let q be a 160-bit prime that divides p-1. Let α be a q th root of 1 modulo p. Define K={ (p,q,α,a,β): β=α a mod p } p,q,α,β are the public key, a is private L=0 mod 64, 512≤L≤1024

31 p31. For a (secret) random number k, define sig (x,k)=(γ,δ), where γ=(α k mod p) mod q and δ=(SHA-1(x)+aγ)k -1 mod q For a message (x,(γ,δ)), verification is done by performing the following computations: e 1 =SHA-1(x)*δ -1 mod q e 2 =γ*δ -1 mod q ver(x,(γ,δ))=true iff. (α e 1 β e 2 mod p) mod q=γ

32 p32. Elliptic Curve DSA Let p be a prime, and let E be an elliptic curve defined over F p. Let A be a point on E having prime order q, such that DL problem in is infeasible. Define K={ (p,q,E,A,m,B): B=mA } p,q,E,A,B are the public key, m is private

33 p33. For a (secret) random number k, define sig k (x,k)=(r,s), where kA=(u,v), r=u mod q and s=k -1 (SHA-1(x)+mr) mod q For a message (x,(r,s)), verification is done by performing the following computations: i=SHA-1(x)*s -1 mod q j=r*s -1 mod q (u,v)=iA+jB ver(x,(r,s))=true if and only if u mod q=r

34 p34. [7] How to find secure elliptic curves ? (1) Randomly choose a, b, p and calculate #Elliptic curve (y 2 =x 3 +ax+b) until #E = a prime q, where #E is calculate by using Schoof-Elkies- Atkin algorithm (2) (Complex multiplication method) Given a big prime q, find p, a, b such that #Elliptic curve (y 2 =x 3 +ax+b) = q

35 p35. [8] Hyperelliptic Curves 1. Definition of HC 2. Example of HC (rational points of HC do not form a group) 3. Divisor 4. Jacobian (Jacobian is a group) 5. HCDLP

36 p36. Definitions of hyperelliptic curves A hyperelliptic curve C of genus g over a finite field K (g ≧ 1) C : y 2 + h(x)y = f(x) where h(x) ∈ K[x] is a polynomial of degree at most g, f(x) ∈ K[x] is a monic polynomial of degree 2g+1. Elliptic curves are hyperelliptic curves of genus 1.

37 p37. Group law in an elliptic curve y 2 =x 3 -x over R ? -R P+Q= P Q R P Q R -R

38 p38. Example: Hyperelliptic curve A genus 2 hyperelliptic curve over R: C: y 2 = x 5 -5x 3 + 4x = x(x+1)(x-1)(x+2)(x-2) The rational points on C do not form a group.

39 p39. Divisors Definition : (divisor, degree) A divisor D is a formal sum of points in C: The degree of D, The set of all divisors, denoted D, forms an additive group under the addition rule: D 0 (K) is the subgroup of all divisors defined over K and of degree 0. D 1 =2P 1 +P 2 -3∞ D 2 = P 1 +P 3 deg(D 1 ) =2+1-3=0 deg(D 2 ) =1+1=2 D 1 +D 2 =3P 1 +P 2 +P 3 -3∞

40 p40. Principal divisor Definition : (principal divisors) Let R ∈ K(C) be a rational function. The divisor of R is called a principal divisor : In fact, degree of a principal divisor is 0. The set of all principal divisors, denoted P(K), is a subgroup of D 0 (K). C: y 2 = x 5 -5x 3 + 4x x-1 Q 1 =(1, 0) on C div(x-1) = 2Q 1 -2∞

41 p41. Jacobian Definition: (Jacobian) The quotient group J C (K) = D 0 /P is called the Jacobian of the curve C. If D 1, D 2 ∈ D 0 and D 1 -D 2 ∈ P, then D 1 and D 2 are said to be equivalent divisors; we write D 1 ~D 2.

42 p42. Group law in HC A genus 2 hyperelliptic curve over R: C: y 2 = x 5 -5x 3 + 4x y=a 3 x 3 +a 2 x 2 +a 1 x+a 0 P1P1 P2P2 P4P4 ? P3P3 P5’P5’ P6’P6’ P6P6 P5P5 x-x 5 =0 x-x 6 =0

43 p43. HCDLP HCDLP: (hyperelliptic curve discrete logarithm problem) Let a divisor D 1 in J C (F q ) with known order N, and D 2 in To find an integer λ s.t. D 2 = λD 1 is hard.

44 p44. [9] ID-based Cryptosystem Private Key Generator (PKG) BobAlice Authentication (ID Bob ) KR IDBob (params, ID Bob )KR IDBob ID Bob is arbitrary and meaningful ex: Bob@hotmail.comBob@hotmail.com or 0912345678 Setup generate params and master key Extract generate KR IDBob by ID Bob and master key Encrypt Verify or Decrypt Sign or

45 p45. Certificate-based Cryptosystem Certificate Authority (CA) BobAlice Authentication (KU Bob ) Certificate(Bob, KU Bob ) Encrypt KU Bob Decrypt KR Bob KU Bob is random VerifySign or

46 p46. ID-based Encryption Scheme Proposed by Boneh and Franklin (Crypto 2001) First complete and efficient scheme Bilinear Pairing G 1 : additive group generated by P, ord(P)=q G 2 : multiplicative group with same order q Assume that DLP in G 1 and G 2 are hard Let e: G 1 xG 1  G 2 satisfies: 1. Bilinear: e(P 1 +P 2,Q)=e(P 1,Q)e(P 2,Q) e(P,Q 1 +Q 2 )=e(P,Q 1 )e(P,Q 2 ) 2. Non-degenerate:  P,Q  G 1, s.t e(P,Q)  1 3. Computability Bilinear Diffie-Hellman (BDH) Assumption Given P, aP, bP, cP  G 1, compute e(P, P) abc is HARD!

47 p47. ID-based Encryption Scheme ID-based Encryption Setup: (1) Choose P  E/F p of order q (2) Pick a random s  Z q * and set P pub = sP (3) Two hash functions: H 1 : {0,1} *  G* 1 (MapToPoint) H 2 : G 2  {0,1} n for some n Extract: Given a ID  {0,1}*, build private key S ID as follows: Q ID = H 1 (ID) Set d ID =sQ ID, where s is the master key System: k-bit prime p p=2 mod 3, p=6q-1 E: y 2 =x 3 +1 over F p Params: Master-key: s

48 p48. Encrypt: Use MapToPoint to map ID to Q ID choose a random r  Z q * C = Decrypt: Let C=, if U is not a point of order q then reject M = V  H 2 (e(d ID, U)) e(d ID, U)= e(sQ ID, rP)= e(Q ID, P) sr = e(Q ID, sP) r = e(Q ID, P pub ) r d ID =sQ ID P pub =sP ID-based Encryption Scheme

49 p49. (Def) Weil pairing where is called the m-torsion group, U m is the group of the mth roots of unity Given P, Q  E [m],  D P, D Q  Div 0 such that D P ~ (P) – (O) and D Q ~ (Q) – (O). Also,  f P, f Q such that div (f P ) = m D P and div (f Q ) = m D Q. Suppose supp (D P )  supp (D Q ) =  Then Weil Pairing

50 p50. End-to-end security for SMS (short message service) RSA Mechanism

51 p51. ID-based Mechanism End-to-end security for SMS

52 p52. [10] Pairing-based Cryptography 1. Implementation of Pairings Bilinear paring e: G 1 x G 2  G T G 1, G 2 : prime-order subgroups of an elliptic curve E over GF(q k ) G T : prime-order subgroup of GF(q k )* k is the embedding degree of E (w.r.t. r=#E(GF(q))) k is the smallest positive integer s.t. r | q k - 1

53 p53. Various pairings: Weil pairing Tate pairing Eta pairing Ate pairing Generalized Ate pairing

54 p54. 2. Use of parings in cryptography Attack on ECDLP (MOV attack) One-round 3-way key exchange (Joux) IDE (Boneh-Franklin) Short digital signature (Boneh-Lynn-Shacham) Other applications: Group signatures, Bach signatures, aggregate signatures, threshold cryptography, authenticated encryption, broadcast encryption, etc.

55 p55. 3. Constructing pairing-friendly curves Want k large enough so that DLP in GF(qk)* is computational infeasible, but small enough so that pairing is easy to compute. Cock-Pinch strategy MNT strategy Dupon-Enge-Morain strategy * Brezing-Weng strategy Scott-Barreto strategy

Download ppt "橢圓曲線密碼技術 交通大學 資訊工程系 陳榮傑"

Similar presentations

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
7. Asymmetric encryption-

7. Asymmetric encryption-
ECC Curve Selection By Edward Yin CS 265 Project Spring 2005.

ECC Curve Selection By Edward Yin CS 265 Project Spring 2005.
YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.

YSLInformation Security -- Public-Key Cryptography1 Elliptic Curve Cryptography (ECC) For the same length of keys, faster than RSA For the same degree.
CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.

CNS2010handout 8 :: introduction to number theory1 computer and network security matt barrie.
Elliptic Curve Cryptography (ECC) Mustafa Demirhan Bhaskar Anepu Ajit Kunjal.

Elliptic Curve Cryptography (ECC) Mustafa Demirhan Bhaskar Anepu Ajit Kunjal.
Elliptic Curve. p2. Outline EC over Z p EC over GF(2 n )

Elliptic Curve. p2. Outline EC over Z p EC over GF(2 n )
Identity Based Encryption

Identity Based Encryption
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’

1 Cryptosystems Based on Discrete Logarithms. 2 Outline [1] Discrete Logarithm Problem [2] Algorithms for Discrete Logarithm –A trivial algorithm –Shanks’
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
Introduction to Modern Cryptography Homework assignments.

Introduction to Modern Cryptography Homework assignments.
Chapter 7-1 Signature Schemes.

Chapter 7-1 Signature Schemes.
CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukElGamal Cryptosystem1 ElGamal Cryptosystem and variants CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.

Dr. Lo’ai Tawalbeh Fall 2005 Chapter 10 – Key Management; Other Public Key Cryptosystems Dr. Lo’ai Tawalbeh Computer Engineering Department Jordan University.
20-763 ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems 20-763 Lecture 6 Epayment Security II.

ELECTRONIC PAYMENT SYSTEMSFALL 2001COPYRIGHT © 2001 MICHAEL I. SHAMOS Electronic Payment Systems Lecture 6 Epayment Security II.
CPE5021 Advanced Network Security --- Advanced Cryptography: Elliptic Curve Cryptography --- Lecture 3 CPE5021 Advanced Network Security --- Advanced Cryptography:

CPE5021 Advanced Network Security --- Advanced Cryptography: Elliptic Curve Cryptography --- Lecture 3 CPE5021 Advanced Network Security --- Advanced Cryptography:
Cryptography and Network Security Chapter 13

Cryptography and Network Security Chapter 13
Public Key Model 8. Cryptography part 2.

Public Key Model 8. Cryptography part 2.
1 CIS 5371 Cryptography 8. Asymmetric encryption-.

1 CIS 5371 Cryptography 8. Asymmetric encryption-.

Similar presentations

Ads by Google