Elliptic Curve Weak Class Identification for the Security of Cryptosystem
Intan Muchtadi, Ahmad Muchlis and Fajar Yuliawan
Algebra Research Group, Institut Teknologi Bandung (ITB), Indonesia
Elliptic Curve
• In 1985 both Koblitz and Miller independently suggested the use of elliptic curves in the development of a new type of public key cipher.
• An elliptic curve is a simple equation of the form y² = x³ + ax + b, with a, b in a field F of characteristic p ≠ 2, 3 and 4a³ + 27b² ≠ 0.
Figure: the elliptic curve y² = x³ − x
Figure: the elliptic curve y² = x³ + x + 1 over F_23
Figure: Elliptic Curve Addition (the points P, Q and P + Q)
Multiples in Elliptic Curves 1
• The interest in elliptic curve addition is the process of adding a point to itself.
• That is, given a point P, find the point P + P or 2P.
• This is done by drawing a line tangent to P and reflecting the point at which it intercepts the curve.
• P can be added to itself k times, resulting in a point W = kP.
Figure: Multiples in Elliptic Curves 1 (P and P + P = 2P)
Multiples in Elliptic Curves 2
• Finding the value of 3P:
Figure: P, P + P = 2P and 3P
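As an added illustration (not code from the slides), the chord-and-tangent rule above in Python, run on the slide's curve y² = x³ + x + 1 over F_23: point addition, doubling, kP by double-and-add, a brute-force point count, and a check for the two orders the talk later singles out (|E(F_q)| = q or q + 2). The points P0 = (3, 10) and Q0 = (9, 7) are constructed here and lie on that curve; the point at infinity O is represented by None.

```python
# O (point at infinity) is represented by None; affine points are (x, y) tuples.

def ec_add(P, Q, a, p):
    """Chord-and-tangent addition P + Q on y^2 = x^3 + ax + b over F_p."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                        # P + (-P) = O (also a vertical tangent)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p   # tangent at P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p          # chord through P and Q
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p        # reflect the third intersection point
    return (x3, y3)

def ec_mul(k, P, a, p):
    """kP = P + P + ... + P (k times), computed by double-and-add."""
    R = None
    while k > 0:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def count_points(a, b, p):
    """|E(F_p)| by brute force (including O); only sensible for tiny p."""
    n = 1
    for x in range(p):
        rhs = (x ** 3 + a * x + b) % p
        n += sum(1 for y in range(p) if y * y % p == rhs)
    return n

def weak_order(a, b, p):
    """True if |E(F_p)| is p (anomalous) or p + 2, the two cases the talk singles out."""
    return count_points(a, b, p) in (p, p + 2)

# The slide's curve y^2 = x^3 + x + 1 over F_23; P0 and Q0 are constructed points on it.
A, B, PRIME = 1, 1, 23
P0, Q0 = (3, 10), (9, 7)
```

For this curve |E(F_23)| = 28, so 28·P0 = O by Lagrange's theorem, and the curve is in neither of the weak classes.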
Discrete Logarithm Problem
1. A and B agree on a finite group G and some fixed element g.
2. A selects an integer x at random and transmits b = g^x to B.
3. B selects an integer y at random and transmits c = g^y to A.
4. A determines k = c^x, B determines k = b^y; k is then used as the secret key.
Elliptic Curve Cryptography
Based on the discrete logarithm problem applied to the abelian group E(F_p) formed by the points of an elliptic curve over a finite field:
E(F_p) = {(x, y) ∈ (F_p)² : y² = x³ + ax + b} ∪ {O}
Elliptic Curve Cryptosystem
• There are several ways in which the ECDLP can be embedded in a cipher system.
• One method begins by selecting an elliptic curve, a point P on the curve and a secret number d which will be the private key.
• The public key is P and Q, where Q = dP.
• A message is encrypted by converting the plaintext into a number m, selecting a random number k, and finding a point M on the curve where the difference of the x and y coordinates equals m.
• The ciphertext consists of two points on the curve: (C1, C2) = (kP, M + kQ).
Decipher
• The secret key d is used to decipher the ciphertext.
• Multiply the first point by d and subtract the result from the second point: M = C2 − dC1 = M + kQ − dkP = M + kdP − dkP.
Elliptic Curve Security
• The security of the elliptic curve algorithm is based on the fact that it is very difficult (as difficult as factoring) to solve the Elliptic Curve Discrete Logarithm Problem: given two points P and Q where Q = kP, find the value of k.
Maximal Orders and Non-maximal Orders
• If Δ is squarefree, then O_Δ is the maximal order of the quadratic number field Q(√Δ) and Δ is called a fundamental discriminant.
• The non-maximal order of conductor p > 1 with (non-fundamental) discriminant Δ_p = Δp² is denoted by O_{Δ_p}. Assume that the conductor p is prime.
• Let I_Δ = the group of invertible O_Δ-ideals and
• P_Δ = the set of principal O_Δ-ideals.
• The class group of O_Δ, Cl(Δ) = I_Δ/P_Δ, is a finite abelian group with neutral element O_Δ.
• The class number of O_Δ is h(Δ) = |Cl(Δ)|.
Imaginary Quadratic Orders
• In 1988 Buchmann and Williams used the class groups Cl(Δ) of imaginary quadratic orders for the construction of a cryptosystem.
Reducing the DLP
• Huhnlein et al. showed that for totally non-maximal imaginary quadratic orders (i.e., h = 1) the DLP can be reduced to the DLP in some finite field.
Problem
• Can we find a condition for elliptic curves such that the DLP for those curves can be reduced to the DLP of some finite field?
The 1st Relation
• If E is an elliptic curve over F_q, then the endomorphism ring of E is an imaginary quadratic order O if and only if |E(F_q)| ≠ q + 1.
• Moreover, there exists π ∈ O such that |E(F_q)| = q + 1 − (π + π̄), where π̄ is the conjugate of π and π is the Frobenius endomorphism
• π(x, y) = (x^q, y^q) for all (x, y) ∈ E(F_q).
Consequence
• If q satisfies 4q = m² − Δn² for some m, n ∈ Z, then π = ±(m + n√Δ)/2.
• As π² − tπ + q = 0, we get t = π + π̄ = ±m.
• Therefore |E(F_q)| = q + 1 ± m.
• If m = 1, then |E(F_q)| = q or q + 2.
• The case |E(F_q)| = q is cryptographically weak.
• We consider the case where |E(F_q)| = q + 2.
The Result: Reducing the ECDLP
Main Theorem. Let q be a prime satisfying 4q = 1 − Δn² for some n ∈ Z, such that p = q + 2 is also a prime, and let E be an elliptic curve over F_q with |E(F_q)| = p. Then the DLP in E(F_q) can be reduced to the DLP in F_{p²} as an additive group.
The proof
E(F_q) → O/(π − 1)O → O/pO → F_{p²}
• Given G and P ∈ E(F_q) with P = [m]G,
• compute the corresponding elements of O/(π − 1)O (cosets modulo (π − 1)O),
• compute the corresponding elements of O/pO (cosets modulo pO),
• compute the corresponding elements in F_{p²},
• then compute the discrete logarithm there or determine that it does not exist.
Conclusion
• For q a prime satisfying 4q = 1 − Δn² for some n ∈ Z, such that p = q + 2 is also a prime, the ECDLP in E(F_q) of order p can be reduced to the DLP in the finite field of order p² as an additive group.
Question of Existence
• How to construct such cryptographically weak curves?
Answer
• By using the construction of anomalous elliptic curves (i.e. curves where |E(F_q)| = q).
Recall
• If q satisfies 4q = m² − Δn² for some m, n ∈ Z, then π = ±(m + n√Δ)/2.
• As π² − tπ + q = 0, we get t = π + π̄ = ±m.
• Therefore |E(F_q)| = q + 1 ± m.
• If m = 1, then |E(F_q)| = q or q + 2.
Construction of Anomalous Curves (based on [Leprevost et al.])
Step 1
• Choose Δ < 0 a fundamental discriminant of an imaginary quadratic field K = Q(√Δ) such that the order of K has class number 1: Δ ∈ {−3, −4, −7, −8, −11, −19, −43, −67, −163} [Cox, Theorem 7.30].
Step 1 (contd)
• Choose an odd prime q such that 4q = 1 − Δn² for an integer n.
• We can show that
• Δ ≡ −3 mod 8 (so Δ ∈ {−3, −11, −19, −43, −67, −163}), and
• q = −Δu(u + 1) + (−Δ + 1)/4 for some integer u.
Step 2
• O_K = O_Δ = Z[(Δ + √Δ)/2].
• Let j(O_K) be the j-invariant of O_K. For class number 1 the j-invariant is given as follows [Cox, p. 261].
Step 3
• Choose an elliptic curve over L = K(j(O_K)) with j-invariant j0 = j(O_K):
• Since j(E) = 1728 · 4a³/(4a³ + 27b²), we can choose E: y² = x³ + ax + b where a = 3j0/(1728 − j0) and b = 2j0/(1728 − j0).
Step 4
• Reduce E to E: y² = x³ + [a]x + [b] over F_q.
• We can show that |E(F_q)| ∈ {q, q + 2}.
• If |E(F_q)| = q + 2 is a prime, then we're done.
Step 5
• If |E(F_q)| = q, define E′: y² = x³ + d²[a]x + d³[b], where d ∈ F_q is a non-quadratic element (a quadratic non-residue).
• |E′(F_q)| = q + 2.
• If q + 2 is prime, then we're done.
Problem
• It's not easy to find a prime q such that
• 4q = 1 − Δn² for an integer n, and
• q + 2 is also a prime.
Example
• For Δ = −11 and u = 257 743 850 762 632 419 871 495,
• q = 11u(u + 1) + (11 + 1)/4 = 730 750 818 665 451 459 112 596 905 638 433 048 232 067 471 723
• j(O_K) = −32³
Example (contd)
• E: y² = x³ + ax + b
• a = 3(−32³)/(1728 − (−32³)) = 425 706 413 842 211 054 102 700 238 164 133 538 302 169 176 474
• b = 2(−32³)/(1728 − (−32³)) = 527 387 882 116 624 522 439 332 460 655 566 708 278 801 941 557
Example (contd)
• #E(F_q) = q + 2, BUT
• q + 2 = 730 750 818 665 451 459 112 596 905 638 433 048 232 067 471 725 = 3³ × 5² × 4217 × 20 016 645 573 637 × 2413 234 030 223 5314 × 607 504 832 341 is not a prime.
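As an added illustration (not code from the slides), the Step 1 search in Python: q = −Δu(u + 1) + (1 − Δ)/4 for a discriminant Δ ≡ −3 mod 8, a twin-prime filter for the q, q + 2 pair the Main Theorem needs, and a recomputation of the slide's Δ = −11 example from its u. The primality test is a probabilistic Miller-Rabin, assumed adequate for illustration only.

```python
import random

def q_from_u(delta, u):
    """q with 4q = 1 - delta*(2u+1)^2; needs delta = -3 (mod 8) so q is an odd integer."""
    assert delta < 0 and delta % 8 == 5, "delta must be -3 mod 8"
    return -delta * u * (u + 1) + (1 - delta) // 4

def is_probable_prime(n, rounds=25):
    """Miller-Rabin; probabilistic, so use a proven test for real parameters."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False          # a witness of compositeness was found
    return True

def twin_candidates(delta, u_max):
    """(u, q) for 0 <= u <= u_max with q and q + 2 both (probably) prime."""
    out = []
    for u in range(u_max + 1):
        q = q_from_u(delta, u)
        if is_probable_prime(q) and is_probable_prime(q + 2):
            out.append((u, q))
    return out

# Values copied from the slide: Delta = -11, u = 257 743 850 762 632 419 871 495
U_SLIDE = 257743850762632419871495
Q_SLIDE = 730750818665451459112596905638433048232067471723
def check_slide_example():
    """Recompute the slide's q and test the properties the talk states about it."""
    q, n = q_from_u(-11, U_SLIDE), 2 * U_SLIDE + 1
    return {"q_matches_slide": q == Q_SLIDE,
            "4q_eq_1_minus_delta_n2": 4 * q - 11 * n * n == 1,   # Delta = -11
            "q_probable_prime": is_probable_prime(q),
            "q_plus_2_probable_prime": is_probable_prime(q + 2)}
```

For Δ = −11 a residue argument mod 3 shows that u ≡ 1 mod 3 forces 3 | q + 2 and any other u forces 3 | q, so the search returns only (u, q) = (0, 3); for Δ = −19 it finds (12, 2969) with 2971 prime.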
Twin Prime Conjecture
• There are infinitely many primes q such that q + 2 is also prime.
Next?
• Find examples of "weak curves", i.e. twin primes that satisfy the condition in the Main Theorem.
• Does the result in this work have any relevance to the ECDLP for elliptic curves whose endomorphism ring is a totally non-maximal order?
References
[1] H. Baier (2002), Efficient algorithms for generating elliptic curves over finite fields suitable for use in cryptography, PhD Dissertation.
[2] I. F. Blake, G. Seroussi and N. P. Smart (2000), Elliptic curves in cryptography, volume 265 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge.
[3] I. F. Blake, G. Seroussi and N. P. Smart (2005), Advances in elliptic curve cryptography, volume 317 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge.
[4] J. Buchmann and H. C. Williams (1988), A key exchange system based on imaginary quadratic field, Journal of Cryptology, 1, 107-118.
[5] J. Buchmann (2004), Introduction to cryptography, Springer.
[6] H. Cohen and G. Frey (2006), Handbook of elliptic and hyperelliptic curve cryptography, Chapman and Hall/CRC, Taylor and Francis Group.
[7] D. A. Cox (1989), Primes of the form x² + ny², John Wiley and Sons, New York.
[8] W. Diffie and M. Hellman (1976), New directions in cryptography, IEEE Transactions on Information Theory, 22, 472-492.
[9] A. Enge (2001), Elliptic curves and their applications to cryptography: an introduction, Kluwer Academic Publishers.
[10] D. Hankerson, A. J. Menezes and S. Vanstone (2004), Guide to elliptic curve cryptography, Springer-Verlag, New York.
[11] D. Huhnlein, M. J. Jacobson, S. Paulus and T. Takagi (1998), A cryptosystem based on non-maximal imaginary quadratic orders with fast decryption, in Advances in Cryptology, LNCS 1403, Springer, 294-307.
[12] D. Huhnlein, M. J. Jacobson and D. Weber (2003), Towards practical non-interactive public-key cryptosystems using non-maximal imaginary quadratic orders, Designs, Codes and Cryptography, 30, Issue 3, 281-299.
[13] D. Huhnlein and T. Takagi (1999), Reducing logarithms in totally non-maximal imaginary quadratic orders to logarithms in finite fields, ASIACRYPT, 219-231.
[14] N. Koblitz (1987), Elliptic curve cryptosystems, Mathematics of Computation, 48, 203-209.
[15] H. W. Lenstra (1996), Complex multiplication structure of elliptic curves, Journal of Number Theory, 56, No. 2, 227-241.
[16] F. Leprevost, J. Monnerat, S. Varrette and S. Vaudenay (2005), Generating anomalous elliptic curves, Information Processing Letters, 93, 225-230.
[17] K. S. McCurley (1988), A key distribution system equivalent to factoring, Journal of Cryptology, 1, 95-105.
[18] V. S. Miller (1986), Use of elliptic curves in cryptography, in Advances in Cryptology - CRYPTO '85, Springer-Verlag, LNCS 218, 417-426.
[19] J. H. Silverman (1986), The arithmetic of elliptic curves, Springer-Verlag, New York.
[20] L. C. Washington (2008), Elliptic curves, number theory and cryptography, Chapman and Hall/CRC, Taylor and Francis Group.