Security of 160-bit ECDLP

  1. Security of 160-bit ECDLP. 2006 SNU-KMS Winter Workshop on Cryptography. Research Institute of Mathematics, Seoul National University, ISaC. Sun Dong Kyu (sdk1496@math.snu.ac.kr)

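  2. “Ultra-fast method for breaking public-key cryptosystems discovered” A Korean mathematician has proven that the ‘modified Diffie-Hellman problem’, one of the encryption schemes commonly used in accredited certificates and the like and recently in the spotlight, is not as secure as expected, and the result is drawing attention. Ciphers of this type, adopted as a standard in the United States, will inevitably have to be reinforced. Professor Cheon Jung Hee of the Department of Mathematical Sciences at Seoul National University developed an algorithm that can break the cipher 1 million to 1 billion times faster than expected…. Opening lecture at ‘Eurocrypt (European cryptology conference) 2006’… Professor Cheon said, “This means that a problem expected to take tens of thousands of years on ten or so ordinary PCs can be solved in a few months,” and “the 160-bit keys currently developed must be strengthened to at least 220 bits.”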

  3. Motivations
     In EUROCRYPT’06: Cheon’s attack.
     Cheon’s questions:
     1. Distribution of secure primes
     2. Finding elliptic curve parameters of secure prime order
     → The secure prime is very rare!
     → Previous works: the generating algorithm for elliptic curves of secure order is not known!

  4. Elliptic Curve
     Elliptic curve: $E(\mathbb{F}_q) = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{O\}$, where $q = p^m$ ($p > 3$) and $O$ is the point at infinity.
     Hasse bound: for an integer $t$ with $\#E(\mathbb{F}_q) = q + 1 - t$, $|t| \le 2\sqrt{q}$ ($t$: trace of E→E).
     Theorem (Atkin-Morain): Let $q$ be a prime power such that $t^2 - Ds^2 = 4q$ (CM equation) for some $t, s \in \mathbb{Z}$. Then there is an elliptic curve $E$ over $\mathbb{F}_q$ such that $\#E(\mathbb{F}_q) = q + 1 - t$.

  5. Minimized Security Loss of SDH

  6. Related Problems
     Discrete Logarithm (DL) Problem: find $\alpha \in \mathbb{Z}$ from $(g, g^{\alpha})$.
     Computational Diffie-Hellman (CDH) Problem: given $(g, g^{\alpha}, g^{\beta})$, compute $g^{\alpha\beta}$.
     Decisional Diffie-Hellman (DDH) Problem: given $(g, g^{\alpha}, g^{\beta}, g^{\gamma})$, decide whether $\gamma = \alpha\beta$ in $\mathbb{Z}_r$.
     l-weak Diffie-Hellman (l-WDH) Problem: let $g$ be an element of prime order $r$ in an abelian group $G$. Given $g$ and $g^{\alpha^i}$ in $G$ for $i = 1, 2, \ldots, l$, compute $g^{1/\alpha}$.

  7. SDH Problem
     Definition (l-Strong Diffie-Hellman (SDH) Problem). Let $g$ be an element of prime order $r$ in an abelian group $G$. Given $g$ and $g^{\alpha^i}$ in $G$ for $i = 1, 2, \ldots, l$, compute $g^{\alpha^{l+1}}$.
     • Schemes based on l-SDH:
       • Traitor Tracing [MSK’02]
       • Short Signature without Random Oracle [BB’04]
       • Short Group Signature [BBS’04]
     • Schemes related to bilinear maps

  8. Cheon’s Results
     Theorem. Let $g$ be an element of prime order $r$ in an abelian group and $\alpha \in \mathbb{Z}_r$.
     (1) If $g$, $g^{\alpha}$ and $g^{\alpha^d}$ are given for a positive divisor $d$ of $r-1$, then the secret $\alpha$ can be computed in $O((\log_2 r) \cdot (\sqrt{r/d} + \sqrt{d}))$ group operations using $O(\max\{\sqrt{r/d}, \sqrt{d}\})$ memory.
     (2) If $g^{\alpha^i}$ ($i = 0, 1, 2, \ldots, d$) are provided for a positive divisor $d$ of $r+1$, $\alpha$ can be computed in $O((\log_2 r) \cdot (\sqrt{r/d} + \sqrt{d}))$ group operations using $O(\max\{\sqrt{r/d}, \sqrt{d}\})$ memory.

  9. Circumvention of Cheon’s Attack
     Secure prime for the SDH assumption: $r-1$ and $r+1$ have no small divisor greater than $(\log_2 r)^2$.
     $d = (\log_2 r)^2$: $O((\log_2 r) \cdot (\sqrt{r/d} + \sqrt{d})) = O(\sqrt{r})$ = Baby-Step Giant-Step
     Minimized security loss!

  10. Applications
      • Schemes based on DH assumptions:
        • Boldyreva’s Blind Signature
          - (Sk, Pk) = (x, xP), Sign(M) = xM
          - Query to a signing oracle to get xP, x^2 P, x^3 P, …
        • Original EC-ElGamal Encryption Scheme
          - Query to decryption oracle
        • Its variants for generic groups
      • Non-pairing-based schemes

  11. δ-Secure Prime
      Definition. For a positive real number δ with δ ≤ 2, a prime r is a δ-secure prime if r-1 and r+1 have no small divisor greater than $(\log_2 r)^{\delta}$.
      Example. When δ = 0.48, $(\log_2 r)^{\delta} = 12$; a 163-bit δ-secure prime r:
      r = 5848710077240775860431568621733041958929192821429
      r-1 = 2^2*3*487392506436731321702630718477753496577432735119
      r+1 = 2*5*584871007724077586043156862173304195892919282143

  12. Not Secure Prime Orders (NIST)
      B-163: r − 1 = 2 · 53 · 383 · 21179 · (a 132 bit prime)
      K-163: r − 1 = 24 · 43 · 73 · (a 16 bit prime) · (an 18 bit prime) · (a 112 bit prime)
      P-192: r − 1 = 24 · 5 · 2389 · (an 83 bit prime) · (a 92 bit prime) = d
      If the parameter l is less than 83 bits then P-192 gives the smallest security loss, that is about 8 bits.

  13. Distribution of δ-Secure Primes
      Theorem. Let r be an n-bit integer and δ a positive real number. Then the probability $P_{n,\delta}$ that a δ-secure prime r exists in the interval $[2^{n-1}, 2^n]$ is
      Corollary. Let r be an n-bit prime and δ a positive real number. Then the probability $P'_{n,\delta}$ that a δ-secure prime r exists in the interval $[2^{n-1}, 2^n]$ is

  14. Distribution (integer) 3/100000

  15. Distribution (prime) 3.5/1000

  16. (Reference) Distribution of RSA moduli N = p·q resistant to factoring algorithms
      Definition: n is a B-smooth integer ⇔ when n is factored, every factor is less than or equal to B.
      [Plots: $P_{n,B}$ against n with $B = 2^{70}$ and $B = 2^{100}$ fixed; $P_{n,B}$ against B with n = 1024 fixed (n: bit size of p)]
      Probability that p-1 is not B-smooth: $P_{B,n}$ =

  17. Pairing-Based Elliptic Curves with δ-Secure Prime Order

  18. Embedding Degree and Pairings
      Definition: Let E be an elliptic curve defined over a finite field $\mathbb{F}_q$, and let n be a prime dividing $\#E(\mathbb{F}_q)$. The embedding degree of E with respect to n is the smallest integer k such that n divides $q^k - 1$.
      Definition: e is an admissible bilinear map if $e : G \times G \to \mu_r$ is a map with the following properties:
      Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G$ and all $a, b \in \mathbb{Z}$.
      Non-degenerate: the map does not send all pairs in $G \times G$ to the identity in $\mu_r$.
      Computable: there is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G$.
      Weil pairing, Tate pairing

  19. MNT Elliptic Curves
      Miyaji, Nakabayashi and Takano describe an explicit construction for generating non-supersingular curves $E(\mathbb{F}_q)$ of prime order n = r which have embedding degree k ∈ {3, 4, 6}.
      Table. MNT families where m ∈ Z (i.e., n(m) = q(m) + 1 - t(m))

  20. “Ideal” MNT Curves (k=6)
      163-bit prime:
      q = 6409832084579048520099972164544618793148521015057
      r = 6409832084579048520099969632780000077765548633973
      r-1 = 2^2*3*13^2*17*19*127*24547*3980989346183009*788466091160194011953
      r+1 = 2*37*3790483*14945389753628693*1529019888389618299300529
      203-bit prime:
      q = 11506342200507419944712629983550634419750044725742499551984401
      r = 11506342200507419944712629983554026519719165243856819623393781
      r-1 = 2^2*3*5*7*13*17*103*359*998629*1363273*4185203430271*34610792791540585002296483
      r+1 = 2*37*191*5974482193802803*7770368549705170081*17535990835850189689211
      224-bit prime:
      q = 15028799613985034465755506450771565229282832217860390155996483840017
      r = 15028799613985034465755506450771561352583254744125520639296541195021
      r-1 = 2^2*3^2*5*7*11*1699*15643*19813*411507563*559580981*24277451563*368343946437800525467643
      r+1 = 2*775604342767*26061718685227759*371750031020198631474271863664446840487

  21. Example: δ=2 (k=6)
      q = 1987128741927578902489429421835861737096155304448105545506631807380226525953
      a = 5
      b = 1084652149421444753645298441525041288785580720041067043777559765208796778648
      n = 1987128741927578902489429421835861737176518034685850899457199391979989928964 = h*r (r: 229-bit prime)
      r = 475623138901580130362902894395971835258963978174417417224244866613943
      r-1 = 2*3^2*43*614500179459405853182045083198930019714423744411392011917629026633
      r+1 = 2^3*7*13*53*12326952594380575636608513746526327888735330141364747491816423041

  22. Heuristic Estimation of MNT Curves of δ-Secure Prime Order
      Theorem. Let E(z) be the number of all MNT curves of prime cardinality with CM discriminant D up to z, i.e., D ≤ z. Then E(z) is bounded, in order of magnitude, by $E(z) \le z^{1/2 + o(1)}$.
      Corollary. Let $E_{n,\delta}(z)$ be the number of MNT elliptic curves with δ-secure prime order, which minimize the security loss of the SDH problem. Then we have

  23. Supersingular Curve Cases
      Table. Some cryptographically interesting supersingular curves
      Type 1. r-1 is not prime, $P'_{n,\delta}$
      Type 2. n = r, $r - 1 = 2^m \pm 2^{(m+1)/2} = 2^{(m+1)/2}\,(2^{(m-1)/2} \pm 1)$
      Type 3. Similarly, Type 2
      At least (m+1)/2 + 1 small factors

  24. Comparison of MNT Curves and Supersingular Curves
      Theorem. The probability that supersingular curves have a δ-secure prime order r with $r \ge 2^{160}$ is less than half of that for MNT curves.

  25. Non-Pairing-Based Elliptic Curves with δ-Secure Prime Order

  26. Additional Conditions of Suitable Orders
      C1. The order r is a prime of at least 160 bits (to avoid the Pohlig-Hellman attack)
      C2. The order r must not be equal to $p^m$ (to avoid the anomalous curve attack)
      C3. For k with 1 ≤ k ≤ 20, $p^{km} \not\equiv 1 \pmod{r}$ (to avoid the MOV attack)
      C4. Both r-1 and r+1 have no small divisor greater than $(\log_2 r)^2$ (to avoid Cheon's attack)
      Need new condition!

  27. Elliptic Curves of δ-Secure Prime Order over Prime Fields
      q = 1461501637330902918203684832716283019655932516379
      r = 1461501637330902918203682654413485841118949364299
      r-1 = 2*3^2*81194535407272384344649036356304768951052742461
      r+1 = 2^2*5^2*11*40985465406979146272454375354257897396341908947
      a = 1320713817727910806615270868261881317662544227393
      b = 1138777598991849512965595845850697706996563746508
      x = 1
      y = 549806757414320286658864847169909729482349989678

  28. Example (EC/OEF)
      q = 4294964221^5
      r = 1461496405497003021352964067875893222055185446431
      r-1 = 2*5*146149640549700302135296406787589322205518544643
      r+1 = 2^5*3*15223920890593781472426709040373887729741515067
      a = 3580667296z^4 + 2493431353z^3 + 843609728z^2 + 3726132906z + 4254294218
      b = 3818766271z^4 + 3093942309z^3 + 3425715966z^2 + 2484088604z + 1404541405
      x = 3739630851z^4 + 2501307813z^3 + 7159606z^2 + 1156651208z + 245482054
      y = 4145406176z^4 + 793086262z^3 + 3552194067z^2 + 4258821373z + 2569301365

  29. Results
      Table. More examples of elliptic curves with δ-secure prime order and the running time.

  30. Conclusion

  31. Contributions
      First, for n ≥ 160, give the distribution of primes r in the interval $[2^{n-1}, 2^n]$ which minimize the security loss, that is, r±1 have no small divisor greater than $(\log_2 r)^{\delta}$ with 0 < δ ≤ 2.
      Second, in the case of MNT elliptic curves, (1) find only one MNT elliptic curve of δ-secure prime (δ=2) order with $|D| < 10^7$. (2) Show such curves are very rare by comparing with supersingular elliptic curves. One can use schemes based on the SDH problem or related DHP with elliptic curves of minimized security loss, without extending the size of keys!
      Third, in the non-pairing-based case, (1) give elliptic curve (with prime order) parameters for which the security loss of DHP is minimized over OEFs. (2) Estimate the number of elliptic curves with δ-secure prime order.
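
An added example, not part of the original slides: a Python check of the δ-secure prime definition (slide 11) against the operation count in Cheon's theorem (slide 8). The function names, the trial-division bound of 2^16 used to decide what counts as a small divisor, and the reading of slide 12's P-192 small factors as 2^4 * 5 * 2389 are assumptions made here.

```python
import math

# The 163-bit prime printed on slide 11 (copied from the page).
R_SLIDE = 5848710077240775860431568621733041958929192821429

def smooth_part(n, bound=1 << 16):
    """Largest divisor of n built only from primes below `bound` (trial division).
    The bound is an assumption of this example, not a value from the slides."""
    s = 1
    for p in range(2, bound):
        while n % p == 0:  # a composite p never divides here: its primes are already removed
            n //= p
            s *= p
    return s

def largest_small_divisor(r, bound=1 << 16):
    """Largest small-prime divisor d of r-1 or r+1 that the theorem could exploit."""
    return max(smooth_part(r - 1, bound), smooth_part(r + 1, bound))

def min_delta(r, bound=1 << 16):
    """Smallest delta with d <= (log2 r)^delta, i.e. log(d) / log(log2 r)."""
    return math.log(largest_small_divisor(r, bound)) / math.log(math.log2(r))

def is_delta_secure(r, delta, bound=1 << 16):
    """True if no small-prime divisor of r-1 or r+1 exceeds (log2 r)^delta."""
    return largest_small_divisor(r, bound) <= math.log2(r) ** delta

def cheon_work_bits(r, d):
    """log2 of log2(r) * (sqrt(r/d) + sqrt(d)), the operation count in the theorem."""
    return math.log2(math.log2(r) * (math.sqrt(r / d) + math.sqrt(d)))

def generic_work_bits(r):
    """log2 of sqrt(r), the Baby-Step Giant-Step cost."""
    return 0.5 * math.log2(r)

def sqrt_gain_bits(d):
    """Bits removed by the sqrt(r/d) term alone, ignoring the log2(r) factor."""
    return 0.5 * math.log2(d)

if __name__ == "__main__":
    d = largest_small_divisor(R_SLIDE)
    print("largest small divisor of r-1 / r+1:", d)
    print("smallest delta for this r: %.3f" % min_delta(R_SLIDE))
    print("Cheon bound %.1f bits, generic %.1f bits"
          % (cheon_work_bits(R_SLIDE, d), generic_work_bits(R_SLIDE)))
    # Slide 12, P-192, with its small factors read as 2^4 * 5 * 2389 (assumption).
    print("P-192 loss without the log factor: %.1f bits" % sqrt_gain_bits(2**4 * 5 * 2389))
```

For the slide 11 prime the largest small divisor is 12, so the theorem's bound stays above the Baby-Step Giant-Step cost, which is the "minimized security loss" case of slide 9.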
