1 / 26

Introduction to Elliptic Curve Cryptography

Introduction to Elliptic Curve Cryptography. CSIS 5857: Encoding and Encryption. RSA vs. Elliptic Curve. RSA requires very large key size Recommended minimum: 1024 bits (as opposed to 128-256 for AES) Speed of RSA proportional to key size Fast modular exponentiation

aletta
Download Presentation

Introduction to Elliptic Curve Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Introduction to Elliptic Curve Cryptography CSIS 5857: Encoding and Encryption

  2. RSA vs. Elliptic Curve • RSA requires very large key size • Recommended minimum: 1024 bits(as opposed to 128-256 for AES) • Speed of RSA proportional to key size • Fast modular exponentiation • Possible alternative: Elliptic Curve Cryptography • Not directly related to ellipses (special case) • 160 bit ECC key equivalent to 1024 bit RSA key

  3. Elliptic Curve Mathematics • General mathematical form (Weierstraus equation): y2 = x3 + ax + bFor some a, b (curve parameters)

  4. Elliptic Curve Encryption • Encryption: Transforming points on curve (P, KPU) into other point on same curve (C) • Main idea (Abelian group): Need a definition of “+” so that “sum” of two points on a curve is also on the same curveR = P + Q where P = (xP, yP) Q = (xQ, yQ) R = (xR, yR)

  5. Elliptic Curve Addition Cases • Case 1: R based on line formed by P, Q (xP ≠ xQ, yP ≠ yQ) Equations: •  = (yQ – yP) / (xQ – xP) • xR =  2 – xP – xQ • yR = (xP – xR) – yP

  6. Elliptic Curve Addition Cases • Case 2: P = Q, R based on tangent to curve (xP = xQ, yP = yQ) Equations: • xR = ((3xP2 + a) / 2yP)2 - 2xP • yR = ((3xP2 + a) / 2yP)2(xP – xR) – yP

  7. Elliptic Curve Addition Cases • Case 3: P = -Q, line does not intercept curve (xP = xQ, yP ≠ yQ) • R = “0” (additive identity) • Point at infinity • 0 = -0

  8. Elliptic Curves over Zp • Encryption requires modular arithmetic • Must be difficult to recover original points from R. • Modular arithmetic prevents “working backward”, as in RSA • Define “curve” as Ep(a, b) where p is the modulus,a, b are the coefficients of y2 = x3 + ax + b • Looking for (x, y) such that y2 = (x3 + ax + b) mod p • Note: “points” on curve are integers

  9. Finding Points on a Zp Curve Looking for a y value for which (x, y) is on the curve Algorithm in terms of p, a, b: for (int x=0; x < p; x++) {w = (x^3 + a*x + b) % p; for (int i=0; i < p; i++) { y = sqrt(w+i*p); if (y is an integer) { output (x, y), (x, p-y); }} Run x through y2 = (x3 + ax + b) mod p equation Since equation is in terms of y2, must find whether w is a square mod p. That is, is there some perfect square s for which s mod p = w? If so, y and its inverse mod p is on the curve for x

  10. Finding Points on a Zp Curve Example: E13(1, 1) • x = 0w = 03 + 1x0 + 1 = 11 + 13i is a perfect square for i = 0output the points (0, 1) and (0, 12) • x = 1w = 13 + 1x1 + 1 = 33 + 13i is a perfect square for i = 1 (13+3 = 16)output the points (1, 4) and (1, 9)

  11. Finding Points on a Zp Curve • x = 2w = 23 + 1x2 + 1 = 11No i for which 2 + 13i is a perfect square • x = 3w = 33 + 1x3 + 1 = 31 mod 13 = 5No i for which 5 + 13i is a perfect square • x = 4w = 43 + 1x4 + 1 = 69 mod 13 = 44 + 13i is a perfect square for i = 0 output the points (4, 2) and (4, 11) • …

  12. Finding Points on a Zp Curve • Points on elliptic curve y2 = x3 + x + 1 over GF(13):

  13. Adding Points on an Elliptic Curve • Computing (xR, yR) = (xP, yP) + (xQ, yQ) • Necessary to turn 2 points corresponding to key, plaintext into point corresponding to ciphertext • Main ideas: • Addition/subtraction/multiplication in mod p • Division = multiplication by inverse mod p

  14. Example: (4, 2) + (10, 6) on E13(1, 1) • step 1: compute  = (yQ – yP) / (xQ – xP) = (6– 2) x (10– 4)-1 mod 13 = 4 x 6-1 mod 13 6-1 mod 13 = 11 = 4 x 11 mod 13 = 5 • step 2: compute xR =  2 – xP – xQxR = 25 – 4 – 10 mod 13 = 11 • step 3: compute y3 = (xP – xR) – yP yR = 5 x (4 – 11) – 2 mod 13 = 2 (4, 2) + (10, 6) = (11, 2) note: also on curve!

  15. Multiplication on an Elliptic Curve • Multiplication = addition multiple times • Necessary for some forms of elliptic curve cryptography • Must use formula where P = Q • Example: 3 x (1, 4) on E13(1, 1)3 x (1, 4) = ((1, 4) + (1, 4)) + (1, 4) = (8, 12) + (1, 4) = (0, 12)

  16. Elliptic Curve Encryption • Generally based on using elliptic curves in place of exponentiation in existing public key algorithm • Examples: • Elliptic Diffie-Hellman • Elliptic ElGamal 2

  17. Elliptic Curve Diffie-Hellman • Alice and Bob agree on global parameters: • Ep(a, b): Elliptic curve mod p (prime) with parameters a and b • G : “Generator” point on that elliptic curve • Example: p = 211Ep(0, -4) the curvey2 = x3 - 4G = (2, 2)

  18. Elliptic Curve Diffie-Hellman • Alice and Bob select privatenAand nB • They each generate a publicnAand nB asPA= nAx G and PB= nBx G • They exchange these values • Example: nA= 121 PA= 121 x (2, 2) = (115, 48) nB= 203 PB= 203 x (2, 2) = (130, 203) (115, 48) (130, 203)

  19. Elliptic Curve Diffie-Hellman • Alice and Bob generate the same key k k = PBx nA = PAx nB • Proof: PBx nA = G x nB x nAPAx nB = G x nA x nB • Example: 121 x (130, 203) = 203 x (115, 48) = (161, 69)

  20. Elliptic Curve Encryption Generating public and private keys: • Bob chooses an Ep(a, b) for an elliptic curve in Zp • Bob chooses a point (x1, y1) on that curve • Bob chooses a secret multiplier d < p • Bob computes a second point (x2, y2) on the curve as (x2, y2) = d (x1, y1) • public key: the values p, a, and b that define the curve the two points (x1, y1) and (x2, y2) • private key: the multiplier d

  21. Elliptic Curve Encryption Encryption: • Alice selects a point P onEp(a, b) that corresponds to the plaintext message she wishes to send • Alice selects a random multiplier r • Alice creates the ciphertext as two points on the curve:C1 = r (x1, y1) C2 = P +r (x2, y2)

  22. Elliptic Curve Encryption Decryption: • Bob computes the plaintext as: P = C2– (dC1)) • Why does this work?P = C2– (dC1)) = (P +r(x2, y2)) – (dr(x1, y1))) = (P +dr(x1, y1)) – (dr(x1, y1))) = P

  23. Elliptic Curve Encryption

  24. Security and Speed • Why is this secure? • Same type of inverse modular problem (elliptic curve logarithm problem) • No simple way to determine d from (x1, y1)and (x2, y2) without trying all possible values • Computationally secure as long as p large enough to prevent this (2160 for example) • Why is this fast? • Only uses addition and multiplication – no exponents!

  25. Elliptic Curves over GF(2n) • Represent points as polynomials {0, 1, g, g2, g3…}mod some irreducible polynomial in GF(2n) • Sort of like GF in AES • Added security • Slightly different equation used: y2 + xy = x3 + ax2 + b • Example: GF(23) using x3 + x + 1 as mod

  26. Elliptic Curves over GF(2n) • Points on elliptic curvey2 + xy = x3 + ax2 + b for a = g3 and b = 1

More Related