Security of 160-bit ECDLP
2006 SNU-KMS Winter Workshop on Cryptography
Research Institute of Mathematics, Seoul National University, ISaC
선동규 (sdk1496@math.snu.ac.kr)
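“Ultra-fast method for breaking public-key cryptosystems discovered”
Among the encryption methods commonly used in public-key certificates and the like, the recently popular ‘modified Diffie-Hellman Problem’ has been proven by a Korean mathematician to be less secure than expected, and the result is drawing attention. Ciphers of this type, which has been adopted as a standard in the United States, will inevitably have to be reinforced. Professor Cheon Jung Hee of the Department of Mathematical Sciences at Seoul National University developed an algorithm that can break the cipher 1 million to 1 billion times faster than expected…. Opening lecture at ‘Eurocrypt (European cryptology society) 2006’… Professor Cheon said, “This means that a problem expected to take tens of thousands of years on about ten ordinary PCs can be solved in a few months,” and “the currently developed 160-bit keys must be reinforced to at least 220 bits.”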
Motivations
In EUROCRYPT’06, Cheon’s Attack
Cheon’s Questions
1. Distribution of Secure Primes
→ The secure prime is very rare!
2. Finding Elliptic Curve Parameters of the Secure Prime Order
→ Previous Works: The generating algorithm of elliptic curves of the secure order is not known!
Elliptic Curve
Elliptic Curve: $E(\mathbb{F}_q) = \{(x, y) : y^2 = x^3 + ax + b\} \cup \{O\}$ where $q = p^m$ ($p > 3$), $O$ (point at infinity)
Hasse bound: For an integer $t$ with $\#E(\mathbb{F}_q) = q + 1 - t$, $|t| \le 2\sqrt{q}$. ($t$: trace of $E \to E$)
Theorem (Atkin-Morain): Let $q$ be a prime power such that $t^2 - Ds^2 = 4q$ (CM-equation) for some $t, s \in \mathbb{Z}$. Then there is an elliptic curve $E$ over $\mathbb{F}_q$ such that $\#E(\mathbb{F}_q) = q + 1 - t$.
Related Problems
Discrete Logarithm (DL) Problem: Find $\alpha \in \mathbb{Z}$ from $(g, g^{\alpha})$
Computational Diffie-Hellman (CDH) Problem: Given $(g, g^{\alpha}, g^{\beta})$, compute $g^{\alpha\beta}$
Decisional Diffie-Hellman (DDH) Problem: Given $(g, g^{\alpha}, g^{\beta}, g^{\gamma})$, decide whether $\gamma = \alpha\beta$ in $\mathbb{Z}_r$
l-weak Diffie-Hellman (l-WDH) Problem: Let $g$ be an element of prime order $r$ in an abelian group $G$. Given $g$ and $g^{\alpha^i}$ in $G$ for $i = 1, 2, \dots, l$, compute $g^{1/\alpha}$
SDH Problem
Definition. (l-Strong Diffie-Hellman (SDH) Problem) Let $g$ be an element of prime order $r$ in an abelian group $G$. Given $g$ and $g^{\alpha^i}$ in $G$ for $i = 1, 2, \dots, l$, compute $g^{\alpha^{l+1}}$
• Scheme based on l-SDH:
  • Traitor Tracing [MSK’02]
  • Short Signature without Random Oracle [BB’04]
  • Short Group Signature [BBS’04]
• Scheme related with the bilinear maps
Cheon’s Results
Theorem. Let $g$ be an element of prime order $r$ in an abelian group and $\alpha \in \mathbb{Z}_r$.
(1) If $g$, $g^{\alpha}$ and $g^{\alpha^d}$ are given for a positive divisor $d$ of $r-1$, then the secret $\alpha$ can be computed in $O((\log_2 r)\cdot(\sqrt{r/d} + \sqrt{d}))$ group operations using $O(\max\{\sqrt{r/d}, \sqrt{d}\})$ memory.
(2) If $g^{\alpha^i}$ ($i = 0, 1, 2, \dots, d$) are provided for a positive divisor $d$ of $r+1$, $\alpha$ can be computed in $O((\log_2 r)\cdot(\sqrt{r/d} + \sqrt{d}))$ group operations using $O(\max\{\sqrt{r/d}, \sqrt{d}\})$ memory.
Circumvention of Cheon’s Attack
Secure prime for SDH assumption: $r-1$ and $r+1$ have no small divisor greater than $(\log_2 r)^2$
With $d = (\log_2 r)^2$: $O((\log_2 r)\cdot(\sqrt{r/d} + \sqrt{d})) = O(\sqrt{r})$ = Baby-Step Giant-Step
Minimized Security Loss!
Applications
• Scheme based on DH assumptions:
  • Boldyreva’s Blind Signature
    - (Sk, Pk) = (x, xP), Sign(M) = xM
    - Query to a Signing Oracle to get $xP, x^2P, x^3P, \dots$
  • Original EC-ElGamal Encryption Scheme
    - Query to Decryption Oracle
• Its variants for generic groups
• Non-pairing-based scheme
δ-Secure Prime
Definition. For a positive real number δ with δ ≤ 2, a prime $r$ is a δ-Secure Prime if $r-1$ and $r+1$ have no small divisor greater than $(\log_2 r)^{\delta}$.
Example. When δ = 0.48, a 163-bit δ-secure prime $r$, with $(\log_2 r)^{\delta} = 12$:
r=5848710077240775860431568621733041958929192821429
r-1=2^2*3*487392506436731321702630718477753496577432735119
r+1=2*5*584871007724077586043156862173304195892919282143
Not Secure Prime Orders (NIST)
B-163: r − 1 = 2 · 53 · 383 · 21179 · (a 132 bit prime)
K-163: r − 1 = 2^4 · 43 · 73 · (a 16 bit prime) · (an 18 bit prime) · (a 112 bit prime)
P-192: r − 1 = 2^4 · 5 · 2389 · (an 83 bit prime) · (a 92 bit prime) = d
If the parameter l is less than 83 bits then P-192 gives the smallest security loss, that is about 8 bits.
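The δ-secure test from the definition above, applied to the slide's 163-bit example prime and to NIST P-192, as an added example that is not part of the original slides. The function names and the cut-off for what counts as a "small" divisor (`bound = 2**20`) are assumptions, since the slides do not fix one; `r` is assumed to be prime, and the P-192 group order is the public NIST constant, which the slide gives only through the factorization of r − 1.

```python
import math

def small_divisors(n, bound):
    """All divisors of n that are <= bound, via trial division up to bound."""
    divs = {1}
    p = 2
    while p <= bound and n > 1:
        if n % p == 0:
            powers = [1]
            while n % p == 0:          # collect 1, p, p^2, ... dividing n
                n //= p
                powers.append(powers[-1] * p)
            divs = {d * q for d in divs for q in powers if d * q <= bound}
        p += 1 if p == 2 else 2        # 2, then odd candidates only
    return divs

def largest_small_divisor(r, bound=2**20):
    """Largest divisor d <= bound of r-1 or r+1 (the d usable in Cheon's bound)."""
    return max(small_divisors(r - 1, bound) | small_divisors(r + 1, bound))

def is_delta_secure(r, delta, bound=2**20):
    """True if no divisor of r-1 or r+1 up to `bound` exceeds (log2 r)^delta."""
    return largest_small_divisor(r, bound) <= math.log2(r) ** delta

# 163-bit example prime copied from the slide
R_SLIDE = 5848710077240775860431568621733041958929192821429
# NIST P-192 group order (public constant, not printed on the slide)
R_P192 = 6277101735386680763835789423176059013767194773182842284081

if __name__ == "__main__":
    for name, r in (("slide example", R_SLIDE), ("NIST P-192", R_P192)):
        print(name, largest_small_divisor(r), is_delta_secure(r, 2))
```

Trial division only finds divisors built from primes up to `bound`; larger divisors of r ± 1 matter only if an attacker can obtain that many powers of the secret.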
Distribution of δ-Secure Primes
Theorem. Let $r$ be an $n$-bit integer and δ a positive real number. Then the probability $P_{n,\delta}$ that a δ-secure prime $r$ exists in the interval $[2^{n-1}, 2^n]$ is
Corollary. Let $r$ be an $n$-bit prime and δ a positive real number. Then the probability $P'_{n,\delta}$ that a δ-secure prime $r$ exists in the interval $[2^{n-1}, 2^n]$ is
Distribution (integer)
3/100000
Distribution (prime)
3.5/1000
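(Reference) Distribution of RSA moduli N = p·q that are strong against factoring algorithms
Definition: $n$ is a B-smooth integer ⇔ when $n$ is factored, all of its factors are less than or equal to $B$
[Figure: two plots of $P_{n,B}$; one against $n$ with $B = 2^{70}$ and $B = 2^{100}$ fixed, one against $B$ with $n = 1024$ fixed ($n$: bit size of $p$)]
Probability that $p-1$ is not B-smooth: $P_{B,n}$ =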
Embedding Degree and Pairings
Definition: Let $E$ be an elliptic curve defined over a finite field $\mathbb{F}_q$, and let $n$ be a prime dividing $\#E(\mathbb{F}_q)$. The embedding degree of $E$ with respect to $n$ is the smallest integer $k$ such that $n$ divides $q^k - 1$.
Definition: $e$ is an admissible bilinear map if $e : G \times G \to \mu_r$ is a map with the following properties:
Bilinear: $e(aP, bQ) = e(P, Q)^{ab}$ for all $P, Q \in G$ and all $a, b \in \mathbb{Z}$.
Non-degenerate: The map does not send all pairs in $G \times G$ to the identity in $\mu_r$.
Computable: There is an efficient algorithm to compute $e(P, Q)$ for any $P, Q \in G$.
Weil Pairing, Tate Pairing
MNT Elliptic Curves
Miyaji, Nakabayashi and Takano describe an explicit construction for the generation of non-supersingular curves $E(\mathbb{F}_q)$ of prime order $n = r$, which have embedding degree $k \in \{3, 4, 6\}$.
Table. MNT families where $m \in \mathbb{Z}$ (i.e., $n(m) = q(m) + 1 - t(m)$)
“Ideal” MNT Curves (k=6)
163-bit prime:
q=6409832084579048520099972164544618793148521015057
r=6409832084579048520099969632780000077765548633973
r-1=2^2*3*13^2*17*19*127*24547*3980989346183009*788466091160194011953
r+1=2*37*3790483*14945389753628693*1529019888389618299300529
203-bit prime:
q=11506342200507419944712629983550634419750044725742499551984401
r=11506342200507419944712629983554026519719165243856819623393781
r-1=2^2*3*5*7*13*17*103*359*998629*1363273*4185203430271*34610792791540585002296483
r+1=2*37*191*5974482193802803*7770368549705170081*17535990835850189689211
224-bit prime:
q=15028799613985034465755506450771565229282832217860390155996483840017
r=15028799613985034465755506450771561352583254744125520639296541195021
r-1=2^2*3^2*5*7*11*1699*15643*19813*411507563*559580981*24277451563*368343946437800525467643
r+1=2*775604342767*26061718685227759*371750031020198631474271863664446840487
Example: δ=2 (k=6)
q=1987128741927578902489429421835861737096155304448105545506631807380226525953
a=5
b=1084652149421444753645298441525041288785580720041067043777559765208796778648
n=1987128741927578902489429421835861737176518034685850899457199391979989928964
 =h*r (r: 229-bit prime)
r=475623138901580130362902894395971835258963978174417417224244866613943
r-1=2*3^2*43*614500179459405853182045083198930019714423744411392011917629026633
r+1=2^3*7*13*53*12326952594380575636608513746526327888735330141364747491816423041
Heuristic Estimation of MNT Curves of δ-Secure Prime Order
Theorem. Let $E(z)$ be the number of all MNT curves of prime cardinalities with CM discriminant $D$ up to $z$, i.e., $D \le z$. Then $E(z)$ is bounded, by the order of magnitude, $E(z) \le z^{1/2 + o(1)}$.
Corollary. Let $E_{n,\delta}(z)$ be the number of MNT elliptic curves with δ-secure prime order, which minimize the security loss of the SDH problem. Then we have
Supersingular Curve Cases
Table. Some cryptographically interesting supersingular curves
Type 1. $r-1$ is not prime, $P'_{n,\delta}$
Type 2. $n = r$, $r - 1 = 2^m \pm 2^{(m+1)/2} = 2^{(m+1)/2}\,(2^{(m-1)/2} \pm 1)$
Type 3. Similarly, Type 2
At least $(m+1)/2 + 1$ small factors
Comparison of MNT Curves and Supersingular Curves
Theorem. The probability for which supersingular curves have a δ-secure prime order $r$ with $r \ge 2^{160}$ is less than a half of the case of MNT curves.
Additional Conditions of Suitable Orders
C1. The order $r$ is a prime of at least 160 bits (to avoid the Pohlig-Hellman attack)
C2. The order $r$ must not be equal to $p^m$ (to avoid the Anomalous Curve attack)
C3. For $k$ with $1 \le k \le 20$, $p^{km} \not\equiv 1 \pmod{r}$ (to avoid the MOV attack)
C4. Both $r-1$ and $r+1$ have no small divisor greater than $(\log_2 r)^2$ (to avoid Cheon's attack)
Need New Condition!
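Conditions C1 to C3 as a parameter check, run on two curves from these slides (an added example, not code from the talk). The function names and the Miller-Rabin base set are assumptions; for numbers of this size the primality test is probabilistic. C4, the divisor condition on r ± 1, is not covered here.

```python
def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases (probabilistic for numbers this large)."""
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def embedding_degree(q, r, max_k=20):
    """Smallest k <= max_k with q^k = 1 (mod r), or None if there is none."""
    x = 1
    for k in range(1, max_k + 1):
        x = x * q % r
        if x == 1:
            return k
    return None

def check_order(p, m, r, min_bits=160, max_k=20):
    """Conditions C1-C3 for a curve over F_{p^m} with group order r."""
    q = p ** m
    return {
        "C1": r.bit_length() >= min_bits and is_probable_prime(r),
        "C2": r != q,
        "C3": embedding_degree(q, r, max_k) is None,
    }

# Copied from the slides: the prime-field curve, then the 163-bit MNT curve.
Q_FP = 1461501637330902918203684832716283019655932516379
R_FP = 1461501637330902918203682654413485841118949364299
Q_MNT = 6409832084579048520099972164544618793148521015057
R_MNT = 6409832084579048520099969632780000077765548633973

if __name__ == "__main__":
    print(check_order(Q_FP, 1, R_FP))
    print(check_order(Q_MNT, 1, R_MNT))
```

The MNT curve fails C3 by design: its embedding degree of 6 is what makes it pairing-friendly, so C3 applies to the non-pairing-based setting.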
Elliptic Curves of δ-Secure Prime Order over Prime Fields
q=1461501637330902918203684832716283019655932516379
r=1461501637330902918203682654413485841118949364299
r-1=2*3^2*81194535407272384344649036356304768951052742461
r+1=2^2*5^2*11*40985465406979146272454375354257897396341908947
a=1320713817727910806615270868261881317662544227393
b=1138777598991849512965595845850697706996563746508
x=1
y=549806757414320286658864847169909729482349989678
Example (EC/OEF)
q=4294964221^5
r=1461496405497003021352964067875893222055185446431
r-1=2*5*146149640549700302135296406787589322205518544643
r+1=2^5*3*15223920890593781472426709040373887729741515067
a=3580667296z^4 + 2493431353z^3 + 843609728z^2 + 3726132906z + 4254294218
b=3818766271z^4 + 3093942309z^3 + 3425715966z^2 + 2484088604z + 1404541405
x=3739630851z^4 + 2501307813z^3 + 7159606z^2 + 1156651208z + 245482054
y=4145406176z^4 + 793086262z^3 + 3552194067z^2 + 4258821373z + 2569301365
Results
Table. More examples of elliptic curves with δ-secure prime order and the running time.
Contributions
First, for $n \ge 160$, give the distribution of primes $r$ in the interval $[2^{n-1}, 2^n]$ which minimize the security loss, that is, $r \pm 1$ have no small divisor greater than $(\log_2 r)^{\delta}$ with $0 < \delta \le 2$.
Second, in the case of MNT elliptic curves,
(1) find only one MNT elliptic curve of δ-secure prime (δ=2) order with $|D| < 10^7$.
(2) Show such curves are very rare by comparing with supersingular elliptic curves.
One can use schemes based on the SDH problem or related DHP with elliptic curves of the minimized security loss, not extending the size of keys!
Third, in the non-pairing-based case,
(1) give elliptic curve (with prime order) parameters for which the security loss of DHP is minimized over OEFs.
(2) Estimate the number of elliptic curves with δ-secure prime order.