1 / 36

Outline

CPE5002/CSE5210 Advanced Network Security --- Advanced Cryptography and Information Security--- Lecture 12. Outline. Background Group Field Principle of public key systems Discrete Logarithm Problem (DLP) Elliptic Curve Cryptography EC with real numbers EC with finite groups

eliora
Download Presentation

Outline

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. CPE5002/CSE5210Advanced Network Security--- Advanced Cryptography and Information Security---Lecture 12

  2. Outline • Background • Group • Field • Principle of public key systems • Discrete Logarithm Problem (DLP) • Elliptic Curve Cryptography • EC with real numbers • EC with finite groups • ECC in practice CPE5021 - Advanced Network Security

  3. Acknowledment • Acknowledgement: • Some of the figures in the lecture are borrowed from certicom. • Some diagrams are borrowed from other universities. CPE5021 - Advanced Network Security

  4. Some references • http://www.certicom.com/index.php?action=res,ecc_faq (good introduction papers) • http://cnscenter.future.co.kr/crypto/algorithm/ecc.html (more materials) • http://www.cs.mdx.ac.uk/staffpages/m_cheng/link/ecc_simple.pdf (good introduction for students with strong maths background) (You can find many more from the Web) CPE5021 - Advanced Network Security

  5. Group • Definition: a set S together with a binary operation defined on S is a group if satisfies the following properties: - Closure: - Identity: - Associativity: - Inverses: For each If a group S satisfies the commutative law the group is said to be Abelian. CPE5021 - Advanced Network Security

  6. Field • Definition:a set F with two operations (+,*) defined on it is a field if it satisfies the following criteria: - (F; +) is an Abelian group; - (F \ {0}, *) is an Abelian group, where {0}is the identity of addition and zero of multiplication; - distributive: x; y; z F x * (y + z) = x * y + x* z (x + y) * z = x * z + y * z CPE5021 - Advanced Network Security

  7. Group: examples • (R,+): set of real number with addition is a group. • (Z, +): set of integer numbers with addition is a group. • (Zn, modulo): set of integers with modulon is a group. • (Zp, modulo p): {0,1,…p-1},wherep is a prime number, is a useful group in cryptography • (R,*): set of real number with multiplication. Is it a group ? CPE5021 - Advanced Network Security

  8. Field: examples • (R,+,*) is a field. • (Q,+,*) is a field. • (Zp,+, *). Is it a field? • ([-a,a], +, *) a>0. Is it a field? CPE5021 - Advanced Network Security

  9. Elliptic Curve Cryptography (ECC) • Security of popular RSA is provided by the intractability of the discrete logarithm problem (DLP) or integer factoring problem (IFP) • To ensure security of RSA-based systems, current key sizes must be a minimum of 1024 bits. • As computing power increases, larger key sizes will be needed to guarantee security of such systems. This will result in • higher computational costs • more space requirement for keys • reduction in scalability CPE5021 - Advanced Network Security

  10. Elliptic curve cryptosystem (ECC) • Why ECC? • There are other public key cryptographic systems. However, we choose to study ECC because • The sub-exponential algorithm of breaking ECC has not been found, that is : ECC is not less secure than RSA or some other public key crypto algorithms. • ECC with smaller key size can achieve the same security as RSA or some other crypto algorithms. Hence ECC is more efficient for secure wireless applications. • High scalability. • More potential due to EC theory (rich theory with many alternatives). CPE5021 - Advanced Network Security

  11. Symmetric key size (in bits) Example algorithm DLP key size for equivalent security (p in bits) RSA key size for equivalent security (n in bits) ECC key size for equivalent security (n in bits) Key size ratio of RSA to ECC (approx) 56 - 512 512 112 5:1 80 SKIPJACK22 1024 1024 160 6:1 112 Triple DES 2048 2048 224 9:1 128 AES-128 3072 3072 256 12:1 192 AES-192 7680 7680 384 20:1 256 AES-256 15360 15360 512 30:1 Elliptic curve cryptosystem (ECC) Extract from my student’s Thesis – Markku N.M. Pekkarinen Key Size Equivalence Against Best Known Attacks (Based on López and Dahab, 2000 and Fibíková, 2002) CPE5021 - Advanced Network Security

  12. RSA and ECC challenges Progress in Integer Factorisation (Certicom 1997) CPE5021 - Advanced Network Security

  13. RSA and ECC challenges • RSA Security organisaton sponsors a challenge for solving the integer factorisation problem IFP or DLP (to break RSA), while Certicom corporation sponsors a challenge for solving the EC DLP (to break ECC) Progress in solving ECDLP Certicom (2002) CPE5021 - Advanced Network Security

  14. Discrete Logarithm Problem (DLP) • For a group G, Given group elements, find an integer x such that xis calledthe discrete logof to the base . - It is easy to compute - It is hard to find x, knowing and CPE5021 - Advanced Network Security

  15. DLP - Example • If ab = c, then logac = b • Example: • 23 = 8  log28 = 3 • 103 = 100  log101000 = 3 • Computing ab and logac are both easy for real numbers. • However, when working with field such as (Zp,mod), it is easy to calculate c = abmod p, but given c, a and p it is very difficult to find b. • Given an integer n it is hard to find two integers p, q such that n = p•q (factorisation problem as in RSA) CPE5021 - Advanced Network Security

  16. Real Elliptic Curves • An elliptic curve is defined by an equation in two variables x & y, with coefficients: • y2 + axy + by = x3 + cx2 + dx + e (general form) • Consider a cubic elliptic curve of form • y2 = x3 + ax + b; where x,y,a,b are all real numbers. Eg. • y2 = x3 + x + 1. • y2 = x3 + 2x + 6. CPE5021 - Advanced Network Security

  17. Example of EC CPE5021 - Advanced Network Security

  18. Elliptic curve over real number • Let’s consider the equation: y2 = x3 + ax + b, where x, y, a and b are real numbers, where 4a3 + 27b20 – condition for distinct single roots (smooth curve). • All (x,y) points satisfying above equation along with a infinite point O and addition operation (+), form a group. Oand (+) are defined in the next slide. O is the identity of the group. CPE5021 - Advanced Network Security

  19. EC over a group (G,+) – E(G,+) An EC over a group (G,+) is defined with the following: 1. Addition: If P and Q are distinct, and P  -Q, define P+Q as follows: • Draw a line through P and Q, then the line will intersect with the curve, the intersected point is denoted as –R, and define P+Q=R. 2. For every P, define P + (-P) = O 3. If P=(x,0), then P+P = O, (a vertical line) Otherwise, draw a tangent line through P, the intersected point is defined as –R, then P+P =2P =R. CPE5021 - Advanced Network Security

  20. Definition of P+Q = R CPE5021 - Advanced Network Security

  21. Definition of P+(-P) CPE5021 - Advanced Network Security

  22. Definition of P+P (where y!=0) CPE5021 - Advanced Network Security

  23. Definition of P+P (where y=0) CPE5021 - Advanced Network Security

  24. Elliptic Curve : An Algebraic Approach 1. Adding distinct points P and Q (1)When P = (xP,yP) and Q = (xQ,yQ) and P Q, P  -Q,P + Q = R(xR, yR) with xR = s2 - xP - xQ and yR = s(xP - xR) - yPwhere s = (yP - yQ) / (xP - xQ) 2. Doubling the point P(2)When yP is not O,2P = R(xR, yR) with xR = s2 - 2xP and yR = s(xP - xR) -yP where s = (3xP2 + a) / (2yP ) 3. P + (-P) =O (3) 4. If P = (xP,yP) and yP =0, then P + P = 2P = O (4) CPE5021 - Advanced Network Security

  25. Finite Elliptic Curves on discrete Fields • Cryptography works with finite field and Elliptic curve cryptography uses curves whose variables and coefficients are finite • There are two commonly used ECC families: • prime curves Ep(a,b) defined over Zp • use modulo with a prime number p • efficient in software • binary curves E2m(a,b) defined over GF(2n) • use polynomials with binary coefficients • efficient in hardware CPE5021 - Advanced Network Security

  26. Elliptic Curve Groups over Zp • (Zp, mod) = {0,1,…,p-1} is a group • Where p is a prime number • Define the elliptic curve • y2 = x3 + ax + b mod p • Where a and b are in Zp, and x, y are also in Zp. • (4a3 + 27b2 (mod p))  0 . CPE5021 - Advanced Network Security

  27. EC over (Zp, mod)- examples • p=11, Zp=Z11. y2 = x3 + x + 6 (mod 11) • E(Z11, mod) = {(2,4),(2,7), (3,5),(3,6), (5,2),(5,9), (7,2),(7,9), (8,3),(8,8), (10,2),(10,9)} • p=23, Zp=Z23. y2 = x3 + x (mod 23) • E(Z23, mod) = {(0,0), (1,5), (1,18), (9,5), (9,18), (11,10), (11,13), (13,5), (13,18), (15,3), (15,20), (16,8), (16,15), (17,10), (17,13), (18,10), (18,13) (19,1),(19,22), (20,4), (20,19), (21,6), (21,17)} • p=23, Zp=Z23. y2 = x3 + x + 1 (mod 23) • E(Z23,mod) = { (0,1), (0,22), (1,7), (1,16), (3,10), (3,13), (4,0), (5,4), (5,19), (6,4), (6,19), (7,11), (7,12), (9,7), (9,16), (11,3), (11,20), (12,4), (12,19), (13,7), (13,16), (17,3), (17,20), (18,3), (18,20), (19,5), (19,18)} CPE5021 - Advanced Network Security

  28. y2 = x3 + x mod 23 CPE5021 - Advanced Network Security

  29. Operations on E(Z11,mod) • Consider the E(Z11,mod): Let Pand Qon E(Z11,mod) • P = (10,2) and Q= (5,2) then P + Q = (10,2) + (5,2) = (7,9). • P = (2,7); P + P = (5,2). • P = (2,7); -P = (2,-7); P + -P =? CPE5021 - Advanced Network Security

  30. Elliptic Curve Cryptography (ECDLP) • Assume that we are working with E(Zp, mod) • Let Q and P be on E(Zp, mod); and 1 < k < p-1 • Define a hard problem which is equivalent to the DLP: Q=kP • It is “easy” to compute Q given k and P • but it is “hard” to find k given Q,P • known as the elliptic curve logarithm problem (ECDLP) CPE5021 - Advanced Network Security

  31. ECC in Practice – simple method • Suppose A wants to send a messagemto B using EC over group (G,+) = {0, ..n-1} with generator g • Key generation: B selects a random integer Bs from the interval [1, n-1] as private key and publish Bp = Bsg as B’s public key • Encryption: A selects a random integer As as A’s secrete key and send to B: (Asg, AsBp + m) to B as ciphertext (Asg = Ap is A’s public key). • B decrypts the message by computing m + AsBp - Bs(Asg) = m + As Bsg - BsAsg = m CPE5021 - Advanced Network Security

  32. E(Z11,mod) with generator • y2= x3 +x+6 mod 11. • E(Z11,mod) = {(2,4),(2,7), (3,5),(3,6), (5,2),(5,9), (7,2),(7,9), (8,3),(8,8), (10,2),(10,9)} CPE5021 - Advanced Network Security

  33. E(Z11,mod) with generator • Let’s select g =(2,7) as a generator. • Compute 2g, 3g, … as using the following: • 2P = R(xR, yR) with xR = s2 - 2xP and yR = s(xP - xR) -yP where s = (3xP2 + a) / (2yP ) {g=(2,7), 2g=(5,2), 3g=(8,3), 4g=(10,2) 5g=(3,6), 6g=(7,9), 7g=(7,2), 8g=(3,5) 9g=(10,9), 10g=(8,8),11g=(5,9),12g=(2,4)} CPE5021 - Advanced Network Security

  34. ECC example on E(Z11,mod) y2= x3 +x+6 mod 11 • Suppose message is m =(3,6) (a point on E). • B selects a randomBs =3, then sendBp to A; • Bp=Bsg = 3g = g+g+g = (8,3); where g =(2,7) • A selects a random number and generates A’s public key, let’s say 2. As = 2; Ap=Asg=2g=g+g = (5,2). • A encrypts the message: (Asg, AsBp + m) = ((5,2), 2(8,3) + (3,6)) = ((5,2), (7,9) + (3,6)) = ((5,2), (5,9)). • B decrypts the cipher by first computing AsgBs • AsgBs = 3(5,2) = (5,2) + (5,2) + (5,2) = (10,2) + (5,2) = (7,9); • AsBp + m – AsgBs = (5,9) – (7,9) = (5,9) + (7,-9) = (5,9) + (7,2) = (3,6) CPE5021 - Advanced Network Security

  35. ECC in Practice • ECC can be embedded in different schemes or protocols • EC with AES • EC with ElGamal • EC with Massey-Omura • EC with Menezes-Vanstone • EC with RSA CPE5021 - Advanced Network Security

  36. Remarks • ECC is young and rich in its nature. Its application is huge including wireless security, smart cards, personal chips, home devices, etc. • RSA theory is easier to understand but harder to develop further. • Currently, RSA is not a good choice for low computational devices, especially for handheld devices and smart cards those are becoming everyday used devices. • RSA is currently more established and supported by industries. CPE5021 - Advanced Network Security

More Related