
Applications of Finite Fields in Cryptography (有限體於密碼學的應用)


Presentation Transcript


  1. Applications of Finite Fields in Cryptography. 陳君明, jmchen@ntu.edu.tw

  2. Outline
  • Basics of cryptography
  • Basic properties of finite fields
  • The Advanced Encryption Standard (AES)
  • Elliptic Curve Cryptosystems (ECC)

  3. FAQ (from Wikipedia)
  • Cryptography (密碼學): cryptography is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and engineering.
  • Coding theory (編碼學): the aim of channel coding theory is to find codes which transmit quickly, contain many valid code words and can correct or at least detect errors.

  4. Outline
  • Basics of cryptography
  • Basic properties of finite fields
  • The Advanced Encryption Standard (AES)
  • Elliptic Curve Cryptosystems (ECC)

  5. Basic principles of a cryptosystem
  • A cryptosystem consists of an algorithm, a key, the plaintext and the ciphertext
  • Its security rests on the private key being unknown to others, not on the algorithm being secret
  • Publishing the algorithm makes it possible to set standards and build interoperable applications

  6. Conventional symmetric-key cryptosystem
  • Plaintext → Encrypt → Ciphertext, and Ciphertext → Decrypt → Plaintext, both under the same symmetric key (diagram on the slide)
  • DES (Data Encryption Standard): used in chip-based bank cards
  • AES (Advanced Encryption Standard)

  7. Private key and public key
  • Private key → public key: easy to compute
  • Public key → private key: very hard
  • This one-way relation is achieved with mathematical tools

  8. Public Key Cryptosystem (公開金鑰密碼系統)
  • Plaintext → Encrypt (with the public key) → Ciphertext; Ciphertext → Decrypt (with the private key) → Plaintext (diagram on the slide)
  • The most widely used PKC: RSA (Rivest, Shamir, Adleman, 1977)
  • A PKC receiving increasing attention: ECC (Elliptic Curve Cryptosystem)

  9. Digital Signature (數位簽章)
  • Message → Sign (with the private key) → Signature; Signature → Verify (with the public key) (diagram on the slide)
  • Security services: confidentiality, authentication, integrity, non-repudiation

  10. RSA (Key Generation)
  • Key generation (RSA-1024)
  • Generate large primes p and q of at least 512 bits
  • Compute N = pq and φ(N) = φ(p)φ(q) = (p - 1)(q - 1)
  • Select a random e with 1 < e < φ(N) and gcd(e, φ(N)) = 1
  • Using XGCD, compute the unique integer d with 1 < d < φ(N) and e·d ≡ 1 (mod φ(N))
  • Public key: (N, e), which is published
  • Private key: (d, p, q), which is kept secret

  11. RSA (Encryption & Decryption)
  • Encryption: if Bob wants to encrypt a message for Alice, he does:
  • Obtain Alice's authentic public key (N, e)
  • Represent the message as a number 0 < x < N
  • Compute y = x^e mod N
  • Send the ciphertext y to Alice
  • Decryption: to recover x from y, Alice does:
  • Use the private key d to recover x = y^d mod N
  • Speed up by the Chinese Remainder Theorem
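A worked instance of slides 10 and 11, added here as an example (not code from the slides): key generation with XGCD, encryption, and decryption both directly and with the Chinese Remainder Theorem speed-up. The primes used in the check are tiny constructed values for illustration; the slides call for primes of at least 512 bits.

```python
def xgcd(a: int, b: int):
    """Extended Euclid: returns (g, u, v) with u*a + v*b = g = gcd(a, b)."""
    u0, u1, v0, v1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        u0, u1 = u1, u0 - q * u1
        v0, v1 = v1, v0 - q * v1
    return a, u0, v0

def keygen(p: int, q: int, e: int):
    """N = pq, phi(N) = (p-1)(q-1); d is the inverse of e mod phi(N) found by XGCD."""
    n, phi = p * q, (p - 1) * (q - 1)
    g, u, _ = xgcd(e, phi)
    if g != 1:
        raise ValueError("gcd(e, phi(N)) must be 1")
    return (n, e), (u % phi, p, q)        # public (N, e), private (d, p, q)

def encrypt(pub, x: int) -> int:
    n, e = pub
    if not 0 < x < n:
        raise ValueError("message must be a number 0 < x < N")
    return pow(x, e, n)                   # y = x^e mod N

def decrypt(priv, y: int) -> int:
    d, p, q = priv
    return pow(y, d, p * q)               # x = y^d mod N

def decrypt_crt(priv, y: int) -> int:
    """CRT speed-up: two exponentiations modulo p and q with half-size exponents
    (x^(p-1) = 1 mod p), then a Garner recombination to a value modulo N."""
    d, p, q = priv
    xp = pow(y % p, d % (p - 1), p)
    xq = pow(y % q, d % (q - 1), q)
    _, qinv, _ = xgcd(q, p)               # q^-1 mod p
    h = (qinv * (xp - xq)) % p
    return xq + h * q
```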

  12. RSA-1024 Number

  13. Applications of PKC
  • Protects most of today's e-commerce
  • RSA-1024 is the standard for bank transactions
  • Authentication on the Internet
  • Human: the Citizen Digital Certificate of the Ministry of the Interior (內政部自然人憑證) uses RSA-1024; its certificate authority (CA) uses RSA-4096
  • Website
  • … and a lot more

  14. Outline
  • Basics of cryptography
  • Basic properties of finite fields
  • The Advanced Encryption Standard (AES)
  • Elliptic Curve Cryptosystems (ECC)

  15. Field
  • Definition: a ring R is a field if every nonzero a ∈ R has an inverse a^(-1)
  • Examples: Q, R, C are fields; Z_p with p prime is a field, also denoted F_p or GF(p), the Galois field of order p; GF(2^8) is used in AES
  • Example: Z is not a field, since 2^(-1) ∉ Z

  16. Galois field GF(4)
  • Consider GF(4) as the set of linear polynomials {a1 x + a2 | ai = 0 or 1} with the operations ⊕ and ⊗:
  • (a1 x + a2) ⊕ (b1 x + b2) = (a1 x + a2) + (b1 x + b2) mod 2
  • (a1 x + a2) ⊗ (b1 x + b2) = ((a1 x + a2)(b1 x + b2) mod x^2 + x + 1) mod 2
  • f(x) = a1 x + a2 ↔ (a1 a2)_2 ↔ 2a1 + a2
  • Note: every nonzero element has a multiplicative inverse

  17. Multiplicative group of GF(p^n)
  • Definition: G a group, a ∈ G; the order of a [denoted o(a)] is the smallest positive integer t such that a^t = 1
  • Note: if G is finite, then o(a) = o(<a>) | o(G) by Lagrange's Theorem
  • Theorem: GF(p^n)* = <g> for some g ∈ GF(p^n)
  • Application, implementation of field multiplication: A·B = g^a · g^b = g^(a+b)

  18. Primitive element
  • In AES, m(x) = x^8 + x^4 + x^3 + x + 1 ∈ GF(2)[x] is selected to generate GF(2^8)
  • Let α be a root of m(x)
  • GF(256) consists of all polynomials of the form b7 α^7 + b6 α^6 + … + b1 α + b0, with bi = 0 or 1
  • α + 1 is a primitive element
  • |GF(256)*| = 255 = 3 · 5 · 17
  • (α + 1)^(255/3) ≠ 1, (α + 1)^(255/5) ≠ 1, and (α + 1)^(255/17) ≠ 1
  • (α + 1)^255 = 1

  19–20. Multiplications in GF(256): reference code from the book “The Design of Rijndael”

```c
typedef unsigned char word8;

/* The tables Logtable and Alogtable are used to perform multiplications in GF(256):
   Alogtable[i] = 03^i and Logtable[03^i] = i, where 03 = alpha + 1 is the primitive
   element of slide 18. */
word8 Logtable[256] = {
    0,  0, 25,  1, 50,  2, 26,198, 75,199, 27,104, 51,238,223,  3,
  100,  4,224, 14, 52,141,129,239, 76,113,  8,200,248,105, 28,193,
  125,194, 29,181,249,185, 39,106, 77,228,166,114,154,201,  9,120,
  101, 47,138,  5, 33, 15,225, 36, 18,240,130, 69, 53,147,218,142,
  150,143,219,189, 54,208,206,148, 19, 92,210,241, 64, 70,131, 56,
  102,221,253, 48,191,  6,139, 98,179, 37,226,152, 34,136,145, 16,
  126,110, 72,195,163,182, 30, 66, 58,107, 40, 84,250,133, 61,186,
   43,121, 10, 21,155,159, 94,202, 78,212,172,229,243,115,167, 87,
  175, 88,168, 80,244,234,214,116, 79,174,233,213,231,230,173,232,
   44,215,117,122,235, 22, 11,245, 89,203, 95,176,156,169, 81,160,
  127, 12,246,111, 23,196, 73,236,216, 67, 31, 45,164,118,123,183,
  204,187, 62, 90,251, 96,177,134, 59, 82,161,108,170, 85, 41,157,
  151,178,135,144, 97,190,220,252,188,149,207,205, 55, 63, 91,209,
   83, 57,132, 60, 65,162,109, 71, 20, 42,158, 93, 86,242,211,171,
   68, 17,146,217, 35, 32, 46,137,180,124,184, 38,119,153,227,165,
  103, 74,237,222,197, 49,254, 24, 13, 99,140,128,192,247,112,  7};

word8 Alogtable[256] = {
    1,  3,  5, 15, 17, 51, 85,255, 26, 46,114,150,161,248, 19, 53,
   95,225, 56, 72,216,115,149,164,247,  2,  6, 10, 30, 34,102,170,
  229, 52, 92,228, 55, 89,235, 38,106,190,217,112,144,171,230, 49,
   83,245,  4, 12, 20, 60, 68,204, 79,209,104,184,211,110,178,205,
   76,212,103,169,224, 59, 77,215, 98,166,241,  8, 24, 40,120,136,
  131,158,185,208,107,189,220,127,129,152,179,206, 73,219,118,154,
  181,196, 87,249, 16, 48, 80,240, 11, 29, 39,105,187,214, 97,163,
  254, 25, 43,125,135,146,173,236, 47,113,147,174,233, 32, 96,160,
  251, 22, 58, 78,210,109,183,194, 93,231, 50, 86,250, 21, 63, 65,
  195, 94,226, 61, 71,201, 64,192, 91,237, 44,116,156,191,218,117,
  159,186,213,100,172,239, 42,126,130,157,188,223,122,142,137,128,
  155,182,193, 88,232, 35,101,175,234, 37,111,177,200, 67,197, 84,
  252, 31, 33, 99,165,244,  7,  9, 27, 45,119,153,176,203, 70,202,
   69,207, 74,222,121,139,134,145,168,227, 62, 66,198, 81,243, 14,
   18, 54, 90,238, 41,123,141,140,143,138,133,148,167,242, 13, 23,
   57, 75,221,124,132,151,162,253, 28, 36,108,180,199, 82,246,  1};

/* a * b = 03^(log a + log b): the exponent is reduced modulo 255 = |GF(256)*|.
   Zero has no logarithm, so a product with a zero factor is returned directly. */
word8 mul(word8 a, word8 b) {
  if (a && b) return Alogtable[(Logtable[a] + Logtable[b]) % 255];
  else return 0;
}
```

  21. Representations
  • Elements of GF(256): α^5 + α^3 + α^2 ↔ (00101100)_2 ↔ 2C
  • D6 ⊕ 2C = FA (addition is a bytewise XOR)
  • D6 ⊗ 2C = 1A
  • Polynomials over GF(256): f(x) ∈ GF(256)[x] can be written as f(x) = Σ a_i x^i where a_i ∈ GF(256), or as Σ f_i(α) x^i where f_i ∈ GF(2)[y] has degree ≤ 7

  22. Outline
  • Basics of cryptography
  • Basic properties of finite fields
  • The Advanced Encryption Standard (AES)
  • Elliptic Curve Cryptosystems (ECC)

  23. NSA Suite B
  • Suite B is a set of cryptographic algorithms announced by the NSA (on 2005-02-16) as part of its Cryptographic Modernization Program
  • Suite A is intended for highly sensitive communication and critical authentication systems
  • AES with 128/256-bit keys: symmetric encryption
  • Elliptic Curve Digital Signature Algorithm (ECDSA): digital signatures
  • Elliptic Curve Diffie-Hellman (ECDH): key agreement
  • Secure Hash Algorithm (SHA-256/384): message digest

  24. Birth of AES
  • January 1997: NIST call for algorithms to replace DES
  • Block cipher: 128-bit blocks, 128/192/256-bit keys
  • Strength ≈ 3-DES
  • Efficiency: much higher than 3-DES
  • Documentation, reference C code, optimized C and Java code, test vectors
  • Designers give up all intellectual rights
  • Open process: public comments, international submissions
  • Website: http://www.nist.gov/aes

  25. Accepted submissions
  • Finalists (votes): Rijndael (86), Joan Daemen & Vincent Rijmen (Belgium); Serpent (59), Anderson, Biham, Knudsen (UK–Israel–Denmark); Twofish (31), Counterpane (USA); RC6 (23), RSA (USA); Mars (13), IBM (USA)
  • Other submissions: CAST-256 (Canada), Crypton (Korea), E2 (Japan), Frog (Costa Rica), Magenta (Denmark), SAFER+ (USA), DEAL (USA–Denmark), DFC (France), HPC (USA), LOKI97 (Australia)

  26. AES = Rijndael
  • Standard FIPS-197, approved by NIST in November 2001
  • Block size: 128 bits, or 16 bytes
  • Key length: 128/192/256 bits, or 16/24/32 bytes
  • Number of rounds: 10/12/14, depending on key length
  • Uniform and parallel round transformation, composed of byte substitution, shift rows, mix columns and round key addition
  • Sequential and light-weight key schedule
  • No arithmetic operations

  27. Byte Substitution
  • The only non-linear operation
  • a_{i,j} → a_{i,j}^(-1) → b_{i,j}
  • a_{i,j} · a_{i,j}^(-1) = 1 (mod m(x)), with m(x) = x^8 + x^4 + x^3 + x + 1 [(11B)_16]
  • 0^(-1) = 0 [patched inverse]
  • Affine transformation: a_{i,j}^(-1) → b_{i,j} (matrix on the slide)
  • Examples (a → a^(-1) → b): 00000000 → 00000000 → 01100011; 00000001 → 00000001 → 01111100; 00000010 → 10001101 → 01110111
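An added example (not code from the slides or the book) covering slides 16 to 21 and 27: arithmetic in GF(2^8) modulo the AES polynomial 0x11B, the primitive-element test for α + 1 = 0x03, and the byte substitution built from the patched inverse followed by the affine map. The affine map is written as XORs of bit rotations, which is the same map as the matrix form on the slide.

```python
M = 0x11B   # m(x) = x^8 + x^4 + x^3 + x + 1

def gf_mul(a: int, b: int) -> int:
    """Shift-and-reduce multiplication in GF(2^8) = GF(2)[x]/(m(x))."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:          # degree 8 reached: subtract (XOR) m(x)
            a ^= M
        b >>= 1
    return r

def gf_pow(a: int, e: int) -> int:
    """Square-and-multiply exponentiation in GF(2^8)."""
    r = 1
    while e:
        if e & 1:
            r = gf_mul(r, a)
        a = gf_mul(a, a)
        e >>= 1
    return r

def is_primitive(g: int) -> bool:
    """g generates GF(256)* iff g^255 = 1 and g^(255/l) != 1 for each prime l | 255 = 3*5*17."""
    return gf_pow(g, 255) == 1 and all(gf_pow(g, 255 // l) != 1 for l in (3, 5, 17))

def gf_inv(a: int) -> int:
    """Patched inverse: 0 -> 0, otherwise a^-1 = a^254 because a^255 = 1."""
    return gf_pow(a, 254) if a else 0

def rotl8(v: int, k: int) -> int:
    return ((v << k) | (v >> (8 - k))) & 0xFF

def sbox(a: int) -> int:
    """AES byte substitution: patched inverse v, then the affine map
    b = v + rotl(v,1) + rotl(v,2) + rotl(v,3) + rotl(v,4) + 0x63 (bitwise XOR),
    i.e. bit i of b is v_i + v_(i+4) + v_(i+5) + v_(i+6) + v_(i+7) + c_i."""
    v = gf_inv(a)
    return v ^ rotl8(v, 1) ^ rotl8(v, 2) ^ rotl8(v, 3) ^ rotl8(v, 4) ^ 0x63
```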

  28. Shift Rows & Key Addition
  • Shift Rows: diffusion over columns
  • Key Addition: the round key is simply XOR-ed with the state matrix

  29. Mix Columns
  • Good diffusion over rows
  • Each column is treated as a polynomial over GF(2^8) and is multiplied modulo x^4 + 1 with the fixed polynomial c(x) = 3x^3 + x^2 + x + 2
  • Note that x^n mod (x^4 + 1) = x^(n mod 4)
  • Assume b(x) = b3 x^3 + b2 x^2 + b1 x + b0 = a(x) c(x); then b is given by the matrix form shown on the slide
  • Based on maximal-distance codes

  30. Other field representations
  • Polynomial basis with an irreducible polynomial
  • Generator of GF(2^8)*: different Log and Alog tables
  • Composite field
  • Normal basis
  • (Figure on the slide: Rijndael primitive)

  31. Composite-field-based inverter
  • P = {P_H, P_L} = P_H x + P_L, where P_H, P_L ∈ GF((2^2)^2)
  • P^16 = P_H^16 x^16 + P_L^16 = P_H x^16 + P_L = P_H x + (P_L + P_H)
  • P^17 = {P^17_H, P^17_L} = P^17_H x + P^17_L = P^17_L
  • P^17_L = P_L · P^16_L + P_H · P^16_H · λ = P_L (P_L + P_H) + P_H^2 λ, where λ is the constant term of the defining polynomial x^2 + x + λ of the extension
  • (P^17)^(-1) = (P^17_L)^(-1) can use a 16-entry table of 4-bit values
  • P^(-1) = {P^(-1)_H, P^(-1)_L} = P^(-1)_H x + P^(-1)_L
  • P^(-1)_H = P^16_H (P^17_L)^(-1) = P_H (P^17_L)^(-1)
  • P^(-1)_L = P^16_L (P^17_L)^(-1) = (P_L + P_H)(P^17_L)^(-1)

  32. Variants of S-box
  • a → a^(-1) = a^254; how about a^k for 1 < k < 254?
  • A circulant matrix is easy for hardware implementation
  • The order of the general linear group GL_8(Z_2), |GL_8(Z_2)|, i.e. the number of 8×8 invertible matrices over Z_2, is given on the slide

  33. Variants of Mix Column
  • For AES, encryption is faster than decryption: c(x) = 3x^3 + x^2 + x + 2 for encryption, d(x) = Bx^3 + Dx^2 + 9x + E for decryption, with c(x) d(x) ≡ 1 mod (x^4 + 1)
  • But for many applications, decryption needs to be faster than encryption
  • Choose a self-invertible polynomial e(x) such that e(x)^2 ≡ 1 mod (x^4 + 1)?
  • Easily proved: e(x) = e3 (x + 1)^3 + e2 (x + 1)^2 + 1, where e2 and e3 are any elements of GF(2^8)

  34. Branch number
  • Definition: min_{a≠0} (W(a) + W(F(a)))
  • W: weight (number of non-zero bytes); F: linear transformation; a: 4-byte vector
  • The larger the branch number, the better the diffusion effect
  • The upper bound of the branch number is 5: the output of a single non-zero byte has at most 4 non-zero bytes
  • Both c(x) and d(x) have branch number 5
  • However, e(x) has branch number ≤ 4
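An added example (not code from the slides) for slides 29, 33 and 34: multiplication of column polynomials modulo x^4 + 1 over GF(2^8), with field multiplication done through Log/Alog tables of the generator 0x03 built the way slides 17 to 20 describe; it checks c(x)·d(x) ≡ 1 and e(x)^2 ≡ 1, and bounds the branch number by a search over low-weight inputs. The values e2 = 0x01, e3 = 0x02 used in the check are a constructed choice.

```python
def xtime(a: int) -> int:
    """Multiply by alpha (0x02) in GF(2^8) modulo 0x11B."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

# ALOG[i] = 0x03^i and LOG[0x03^i] = i; 0x03 = alpha + 1 is primitive (slide 18)
ALOG = [1]
for _ in range(254):
    ALOG.append(xtime(ALOG[-1]) ^ ALOG[-1])     # times alpha + 1
ALOG.append(1)                                  # 0x03^255 = 1
LOG = [0] * 256
for i, v in enumerate(ALOG[:255]):
    LOG[v] = i

def mul(a: int, b: int) -> int:
    """Table multiplication, the same rule as the reference mul() on slide 20."""
    return ALOG[(LOG[a] + LOG[b]) % 255] if a and b else 0

def polymul(p, q):
    """Product of two polynomials over GF(2^8) reduced modulo x^4 + 1.
    Coefficient lists are indexed by degree; x^n = x^(n mod 4)."""
    r = [0] * 4
    for i, pi in enumerate(p):
        for j, qj in enumerate(q):
            r[(i + j) % 4] ^= mul(pi, qj)
    return r

C = [0x02, 0x01, 0x01, 0x03]   # c(x) = 3x^3 + x^2 + x + 2 (encryption)
D = [0x0E, 0x09, 0x0D, 0x0B]   # d(x) = Bx^3 + Dx^2 + 9x + E (decryption)

def self_inverse_poly(e2: int, e3: int):
    """e(x) = e3 (x+1)^3 + e2 (x+1)^2 + 1 in the monomial basis; over GF(2),
    (x+1)^3 = x^3 + x^2 + x + 1 and (x+1)^2 = x^2 + 1."""
    return [e3 ^ e2 ^ 1, e3, e3 ^ e2, e3]

def weight(v) -> int:
    return sum(1 for c in v if c)

def branch_bound(poly) -> int:
    """min of W(a) + W(a*poly) over inputs a of weight 1 or 2. Scaling a by a
    nonzero field element changes neither weight (multiplication by poly is
    GF(2^8)-linear), so the first nonzero byte is fixed to 1. Inputs of weight
    3 and 4 are not searched, so the result is an upper bound on the branch number."""
    best = 8
    for i in range(4):
        a = [0] * 4
        a[i] = 1
        best = min(best, 1 + weight(polymul(a, poly)))
        for j in range(i + 1, 4):
            for b in range(1, 256):
                a[j] = b
                best = min(best, 2 + weight(polymul(a, poly)))
            a[j] = 0
    return best
```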

  35. Outline
  • Basics of cryptography
  • Basic properties of finite fields
  • The Advanced Encryption Standard (AES)
  • Elliptic Curve Cryptosystems (ECC)

  36. Elliptic curve y^2 = x^3 + ax + b
  • R is determined by the line passing through P and Q (figure on the slide)

  37. Elliptic curve y^2 = x^3 + ax + b
  • R is determined by the tangent line if P = Q (figure on the slide)
  • The slope is derived by implicit differentiation

  38. y^2 = x^3 + x over GF(23) (point plot on the slide)

  39. y^2 + xy = x^3 + g^4 x^2 + 1 over GF(16) (point table on the slide)

  40. Adding distinct points
  • The negative of P = (Px, Py) is the point −P = (Px, Px + Py)
  • If P = (Px, Py) and Q = (Qx, Qy) are two distinct points with P ≠ −Q, then P + Q = R where s = (Py + Qy) / (Px + Qx), Rx = s^2 + s + Px + Qx + a, Ry = s(Px + Rx) + Rx + Py

  41. Doubling a point
  • If Px = 0, then 2P = O
  • If Px ≠ 0, then 2P = R where s = Px + Py / Px, Rx = s^2 + s + a = Px^2 + b / Px^2, Ry = s(Px + Rx) + Rx + Py = Px^2 + Rx(s + 1)
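An added example (not code from the slides) for slides 39 to 41: the curve y^2 + xy = x^3 + g^4 x^2 + 1 over GF(16), with the addition and doubling formulas of the two slides above (here a = g^4, b = 1). Field multiplication uses exponent/log tables of the generator g as on slide 17; building GF(16) as GF(2)[g]/(g^4 + g + 1) is an assumption, since the slide does not name its reduction polynomial.

```python
EXP = [1]                                   # EXP[i] = g^i, assuming g^4 = g + 1
for _ in range(14):
    v = EXP[-1] << 1
    EXP.append(v ^ 0b10011 if v & 0b10000 else v)
LOG = {v: i for i, v in enumerate(EXP)}     # LOG[g^i] = i (nonzero elements only)

def fmul(a, b):
    return EXP[(LOG[a] + LOG[b]) % 15] if a and b else 0
def finv(a):
    return EXP[(-LOG[a]) % 15]              # a^-1 = g^(15 - log a)

A, B = EXP[4], 1                            # y^2 + xy = x^3 + A x^2 + B
O = None                                    # the point at infinity

def on_curve(P):
    if P is O: return True
    x, y = P
    x2 = fmul(x, x)
    return fmul(y, y) ^ fmul(x, y) == fmul(x2, x) ^ fmul(A, x2) ^ B
def neg(P):                                 # -P = (Px, Px + Py)
    return O if P is O else (P[0], P[0] ^ P[1])

def double(P):                              # slide 41
    if P is O or P[0] == 0: return O
    px, py = P
    s = px ^ fmul(py, finv(px))
    rx = fmul(s, s) ^ s ^ A
    return (rx, fmul(px, px) ^ fmul(rx, s ^ 1))

def add(P, Q):                              # slide 40, plus the special cases
    if P is O: return Q
    if Q is O: return P
    if P == neg(Q): return O
    if P == Q: return double(P)
    (px, py), (qx, qy) = P, Q
    s = fmul(py ^ qy, finv(px ^ qx))
    rx = fmul(s, s) ^ s ^ px ^ qx ^ A
    return (rx, fmul(s, px ^ rx) ^ rx ^ py)

def scalar_mul(k, P):                       # double-and-add
    R = O
    for bit in bin(k)[2:]:
        R = double(R)
        if bit == "1": R = add(R, P)
    return R

def all_points():                           # brute-force count of #E(GF(16))
    return [O] + [(x, y) for x in range(16) for y in range(16) if on_curve((x, y))]
```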

  42. Discrete Logarithm Problem
  • On Z_p: given a and g, find x such that g^x ≡ a (mod p)
  • On elliptic curve groups: given P and Q, find x such that xP = Q
  • Both are very hard computational problems, especially the latter, the “ECDLP”
  • The security of ECC is based on the difficulty of the ECDLP

  43. Security levels and the corresponding GF(q) (table on the slide)

  44. NIST standard curves: prime field (table on the slide)

  45. NIST standard curves: binary field (table on the slide)

  46. Binary field: Koblitz curves (table on the slide)

  47. Security criteria for an elliptic curve
  • Suppose N = |E(F_q)| = q + 1 − t = n·s is the group order of E(F_q), where n is the order of the base point P (the order of the subgroup generated by P) and t is the trace of the curve. The curve parameters should satisfy all of the following conditions to resist all known attacks:
  • When q = 2^m, m is prime
  • n ≥ 2^160 and n is prime
  • n ≠ p
  • For l ≤ 30, n does not divide q^l − 1
  • |E(F_p)| ≠ p
  • p does not divide t
  • t ≠ 2
  • q is not of the form 2^(3r), 2^(5r), 2^(6r), 2^(7r) or 2^(8r)

  48. The attacks
  • If n is not prime, the ECDLP can be reduced to ECDLPs in subgroups of <P> and the partial results combined with the Chinese Remainder Theorem
  • If n < 2^160, the ECDLP can be attacked by Pollard's method
  • A curve with |E(F_p)| = p is called prime-field-anomalous and is subject to Smart's attack
  • If n = p, the ECDLP is subject to Semaev's attack
  • A curve with p | t is called supersingular and is subject to pairing attacks
  • A curve with trace t = 2 is subject to pairing attacks
  • If n | q^l − 1 for some l ≤ 30, a pairing attack applies
  • Base fields of the form F_(2^(5l)) or F_(2^(6l)) are weak under the generalized GHS attack
  • Base fields of the form F_(2^(3l)), F_(2^(7l)) or F_(2^(8l)) are partially weak under the generalized GHS attack

  49. Computing the group order
  • Suppose E: y^2 = x^3 + Ax + B is an elliptic curve over the finite field F_q
  • By Hasse's theorem we can narrow the range of #E(F_q): #E(F_q) = q + 1 − a, where the bound on a is given on the slide
  • Let S = {2, 3, 5, …, L} be a set of primes such that (condition given on the slide) and S does not contain the characteristic of F_q
  • For each l in S we only need to compute a mod l; the Chinese Remainder Theorem then recovers a

  50. Thanks for Your Attention!
