Chapter 8 Elliptic Curve Cryptography

angelina
Uploaded On 2022-05-18

Presentation Transcript

Slide1

Chapter 8

Elliptic Curve Cryptography

Slide2

Session 6 – Contents

Cryptography Basics

Elliptic Curve (EC) Concepts

Finite Fields

Selecting an Elliptic Curve

Cryptography Using EC

Digital Signature

Slide3

Cryptography Basics

Slide4

Security Mechanisms: Encryption, Hash Functions, Digital Signatures, Security Tokens

Security Services: Non-Repudiation, Access, Authentication, Integrity, Confidentiality

Slide5

Types of Crypto Systems

Symmetric Cryptography – Secret Key

A single key serves as both the encryption and the decryption key.

Initial arrangements need to be made for individuals to share the secret key.

Stream Ciphers and Block Ciphers (DES, AES)

Asymmetric Cryptography – Public-Key

One key is used to encipher and another to decipher.

Privacy is achieved without having to keep the enciphering key secret because a different key is used for deciphering.

Pohlig-Hellman, Schnorr, RSA, ElGamal, and Elliptic Curve Cryptography (ECC) are popular asymmetric crypto systems.

Slide6

Symmetric Key Crypto System

Security is based on the secret key, not on the encryption algorithm.

The sharing of secret keys is necessary.

Strengths: Fast, good for encrypting large amounts of data.

Weakness: Key delivery.

There are two types of symmetric crypto systems: Stream Cipher (RC4) and Block Ciphers (DES, AES, RC5, CAST, IDEA).

[Figure: Plaintext → Encipher (Encryption Algorithm, Secret Key) → Ciphertext → Decipher (Encryption Algorithm, Secret Key) → Plaintext]

Slide7

Asymmetric Key Crypto System

(Public Key Algorithm)

Public key encryption involves two mathematically related keys.

Either key can be used to encipher.

One of the keys can be made public and the other kept private.

Strengths: No key delivery issues, can be used for non-repudiation.

Weakness: Slow, inefficient for large amounts of data, computationally expensive.

Algorithms: RSA, ElGamal, Schnorr, Pohlig-Hellman, Elliptic Curve Cryptography.

Used mainly for key exchange or digital signatures.

[Figure: Plaintext → Encipher (Encryption Algorithm) → Ciphertext → Decipher (Encryption Algorithm) → Plaintext. One key to encipher, another key to decipher.]

Slide8

Combining Symmetric and Asymmetric Ciphers

Exchange (wrap / transport) or agree (Diffie-Hellman) on a pre-master key.

Use a symmetric algorithm to encipher and decipher a secure transaction.

[Figure: Client and Web Server. On each side: Pre-Master Key → Master Key Generation → Secret Key and IV → Symmetric Encryption between Cleartext Blocks and Ciphertext Blocks (Encipher / Decipher), with Integrity (HMAC).]

Slide9

Types of Public-key Cryptography

Exponentiation Ciphers

RSA.

Discrete logarithm systems

ElGamal public-key encryption, Digital Signature Algorithm (DSA), Diffie-Hellman key exchange.

Elliptic curve cryptography

Slide10

Public Key Encryption

Sender (Alice) → Receiver (Bob)

Encipher with Alice’s Private Key, decipher with Alice’s Public Key: Non-Repudiation of Origin (Authenticity). Anyone who has Alice’s public key will be able to decipher the message. Alice cannot deny that she sent the message.

Encipher with Bob’s Public Key, decipher with Bob’s Private Key: Confidentiality. Bob will be the only one able to decipher the message because only he has his private key.

Encipher with Bob’s Private Key, decipher with Bob’s Public Key: Enciphering is not possible because Alice doesn’t have Bob’s private key.

Encipher with Alice’s Public Key, decipher with Alice’s Private Key: Bob will not be able to decipher the message because he doesn’t have Alice’s private key.

Slide11

Elliptic Curve Concepts

Slide12

What is Elliptic Curve Cryptography?

elliptic curve cryptography (abbr. ECC)

(1) An encryption system that uses the properties of elliptic curves and provides the same functionality as other public key cryptosystems; (2) a public key crypto system that provides, bit for bit of key size, the highest strength of any cryptosystem known today.

Slide13

ECC Applications

ECC with 160-bit key size offers the same level of security as RSA with 1024-bit key size.

Smaller key size provides

Storage efficiencies

Bandwidth savings

Computational efficiencies

Which leads to

Higher speeds

Lower power consumption

Code size reductions

ECC implementation is beneficial in applications where bandwidth, processing capacity, power availability, or storage are constrained.

ECC includes key distribution, encryption, and digital signatures.

Slide14

ECC Applications

Applications requiring intensive public-key operations.

Web servers.

Applications with limited power, computational power, speed transfer, memory storage, or bandwidth.

Wireless communications

PDAs

Applications with rigid constraints on processing power, parameter storage, and code space.

Smart card and tokens.

Slide15

Elliptic Curves

Elliptic Curve Cryptography uses plane curves, which are sets of points satisfying the equation F (x, y) = 0.

Examples of plane curves are:

Lines ($2x + y = a$)

Conic sections ($3x^2 + 5y^2 = a$)

Cubic curves ($y^2 + xy = x^3 + ax^2 + b$), which include elliptic curves.

Slide16

Finite Fields

Finite fields are fields that are finite.

A field is a set F in which the usual mathematical operations (addition, subtraction, multiplication, and division by nonzero quantities) are possible; these operations follow the usual commutative, associative, and distributive laws.

Rational numbers (fractions), real numbers, and complex numbers are elements of infinite fields.

Discrete logarithm (DL) and elliptic curve (EC) cryptography schemes are always based on computations in a finite field, in which there are only a finite number of quantities.

For cryptography applications, the finite fields that are usually used are the field of characteristic (congruences).

The finite fields used in DL and EC are the field of prime characteristic $F_p$ and the field of characteristic two $F_{2^m}$. The finite field is also denoted as GF(q).

Slide17

Finite Fields

Characteristic Prime Finite Fields

The finite field $F_p$ is the prime finite field containing p elements. If p is an odd prime number, then there is a unique field $F_p$ that consists of the set of integers {0, 1, 2, ..., p – 1}.

Characteristic Two Finite Fields

A characteristic two finite field (also known as a binary finite field) is a finite field whose number of elements is $2^m$. If m is a positive integer greater than 1, the binary finite field $F_{2^m}$ consists of the $2^m$ possible bit strings of length m. For example, $F_{2^3}$ = {000, 001, 010, 011, 100, 101, 110, 111}

Slide18

Group Fields in EC

There are two essential properties of group fields when they are used in elliptic curve cryptography:

A group should have a finite number of points. An elliptic curve has an infinite number of points, but an elliptic curve over $F_q$ has a finite number of elements.

The operation that is used should be easy to compute but very difficult and time consuming to reverse.

The scalar integer multiplication of an elliptic curve point, P, which is defined as the repeated addition of the point with itself, Q = kP, is an operation that is easy to compute but very difficult and time consuming to reverse.

Slide19

Elliptic Curves and Points

There are several ways of defining equations for elliptic curves, but the most common are the Weierstrass equations.

ECC may be implemented over $F_q$, where q is an odd prime p, or $2^m$.

If ECC is implemented over $F_p$, the following equation is used:

If ECC is implemented over $F_{2^m}$, the following equation is used:

Slide20

Elliptic Curve Arithmetic

Point Addition in $F_p$

The group law is defined by P + Q – R = 0; therefore, P + Q = R, where the negative of the point R(x, y) is the point –R(x, –y).

Given two points on the curve, P and Q, the line through them meets the curve at a third point, –R. The reflection of –R gives the point R, which is equal to P + Q.

The tangent line through P gives the point –R.

[Figure: point addition on E: $y^2 = x^3 - 9x + 6$, with P (0.0, 2.45), Q (-3.24, -1.17), -R (4.49, 7.47), R (4.49, -7.49); P + Q = R = (4.49, -7.49)]

[Figure: point doubling on E: $y^2 = x^3 - 9x + 6$, with P (0.0, 2.45), -R (3.38, -3.76), R (3.38, 3.76); 2P = R = (3.38, 3.76)]

Slide21

Elliptic Curve Arithmetic

Doubling a Point in $F_p$

Provided that

then,

where

and λ is the slope of the line through P($x_P$, $y_P$).

Slide22

Elliptic Curves Arithmetic

Point Addition in $F_p$

Similar to the addition of two points in plane geometry. For

then,

where

and λ is the slope of the line through P($x_P$, $y_P$) and Q($x_Q$, $y_Q$).

Slide23

Elliptic Curve Arithmetic

Point Addition in $F_p$

Adding P to -P.

[Figure: E: $y^2 = x^3 - 9x + 6$, with P (-1.85, 4.05) and -P (-1.85, -4.05); P + (-P) = O, the point at infinity]

Slide24

EC Points

The points are symmetric because in elliptic curves, for every point P, there must exist another point –P.

The point P(0, 1) generates a maximal subgroup because it generates the maximum number of points, 28 (27 plus the point at infinity).

The curve order is 28 and is denoted as #E($F_p$).

Slide25

Point and Curve Order

| Point | Order | Point | Order | Point | Order | Point | Order |
|---|---|---|---|---|---|---|---|
| (0,1) | 28 | (9,16) | 28 | (7,11) | 14 | (13,16) | 7 |
| (0,22) | 28 | (18,3) | 28 | (7,12) | 14 | (17,3) | 7 |
| (1,7) | 28 | (18,20) | 28 | (12,4) | 14 | (17,20) | 7 |
| (1,16) | 28 | (19,5) | 28 | (12,19) | 14 | (11,3) | 4 |
| (3,10) | 28 | (19,18) | 28 | (5,4) | 7 | (11,20) | 4 |
| (3,13) | 28 | (6,4) | 14 | (5,19) | 7 | (4,0) | 1 (infinity) |
| (9,7) | 28 | (6,19) | 14 | (13,7) | 7 | | |

For any point in $y^2 = x^3 + x + 1 \pmod{23}$, the value of k such that kP = O is not always the same. The order of points varies; it can be 28, 14, 7 or 4.

The maximum point order is the curve order.

See next slide

Slide26

Point Order

Slide27

Selecting an EC for Cryptography

There are several procedures to select an elliptic curve for cryptographic purposes. The following are some of the criteria:

Select a large prime number, p, to be used as the modulus.

Select the coefficients a and b randomly and define E($F_p$): $y^2 = x^3 + ax + b$.

Calculate the curve order #E($F_q$).

Check that #E($F_q$) is divisible by a large prime number.

Check that the largest prime divisor of #E($F_q$) does not divide $q^v - 1$ for v = 1, 2, 3, ……<large limit>.

Another way to select the elliptic curve is by selecting the curve order first:

Select a large prime number, p, to be used as the modulus.

Select the curve order, #E($F_p$), such that

Check that #E($F_p$) is divisible by a large prime number, r.

Check that r does not divide $p^v - 1$ for v = 1, 2, 3, ……10.

Use the Atkin-Morain algorithm to find parameters a and b in $F_p$ such that the elliptic curve E has an order of #E($F_p$).
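The first procedure above, run at toy scale as an added example (not part of the original slides): it counts #E($F_p$) by brute force, takes the largest prime divisor r, and looks for a v up to the limit with r dividing $p^v - 1$. The function names are illustrative, and brute-force point counting is an assumption that only works for tiny p.

```python
# Toy-scale version of the selection checks listed above.
# Naive point counting is only feasible for very small p.

def curve_order(p, a, b):
    """#E(F_p) for y^2 = x^3 + ax + b, including the point at infinity."""
    square_roots = {}
    for y in range(p):
        square_roots.setdefault(y * y % p, []).append(y)
    count = 1  # the point at infinity
    for x in range(p):
        count += len(square_roots.get((x ** 3 + a * x + b) % p, []))
    return count


def largest_prime_factor(n):
    """Largest prime divisor of n by trial division (toy sizes only)."""
    factor, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            factor, n = d, n // d
        d += 1
    return n if n > 1 else factor


def smallest_embedding_v(p, r, limit):
    """Smallest v <= limit with r | p^v - 1, or None if there is none."""
    acc = 1
    for v in range(1, limit + 1):
        acc = acc * p % r
        if acc == 1:
            return v
    return None


def check_curve(p, a, b, limit=10):
    """Run the order, prime-divisor and p^v - 1 checks for one candidate curve."""
    order = curve_order(p, a, b)
    r = largest_prime_factor(order)
    v = smallest_embedding_v(p, r, limit)
    return {"order": order, "r": r, "cofactor": order // r,
            "bad_v": v, "passes": v is None}
```

For the toy curve used later in the slides (p = 23, a = b = 1), `check_curve(23, 1, 1)` reports order 28, r = 7 and v = 3, so that curve fails the last check.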

Slide28

Selecting a Generator Point

Select a random point G on E($F_p$) and a large prime number n that divides #E($F_p$). Check that nG = O, n being the point order.

The size of the odd prime modulus in bits is 15

Curve generated using Cryptomathic on line generator at http://www.cryptomathic.com/labs/ellipticcurvedemo.html#Key-Generation

Slide29

Discrete Logarithmic Problem

In the multiplicative group $Z_p^*$ discrete logarithm (Diffie-Hellman, ElGamal, DSS), the following is the discrete logarithm problem:

Given elements y and x of the group, and a prime p, find a number k such that $y = x^k \bmod p$.

For example, if y = 2, x = 8, and p = 341, then find k such that $2 \equiv 8^k \bmod 341$.

In the Diffie-Hellman discrete logarithm, y is the public key, g is a large random number, p is the modulus, and k is the private key that the cryptanalyst is trying to find out.

Which one is the correct Private Key?

Slide30

EC Discrete Logarithmic Problem

Given an elliptic curve , a point of an order n, and a point , determine the integer k, 0 ≤ k ≤ n-1, such that Q = kP, provided that such integer k exists.

Q is the public key and k is the private key.

The scalar integer multiplication of an elliptic curve point, P, is defined as the process of adding P to itself k times. Q = kP is analogous to exponentiation in a discrete logarithm cryptosystem, i.e., it is an operation that is easy to compute but very difficult and time consuming to reverse.

Slide31

Elliptic Curve Public-Key Cryptography

The scalar integer multiplication of an elliptic curve point, P, is defined as the process of adding P to itself k times. Q = kP.

When the point (0,1) is added to itself 13 times the result is the point (9, 16).

Q = kP = 13 * (0,1) = (9,16)

Select Q = Public Key = (9,16)

k = Private Key = 13

Slide32

Brute Force Attack

There is not a known algorithm to attack ECC

Brute force attack

Starting with point (0,1), add (0,1) to itself until (9,16) is found.

Stop when Q = dP = (9, 16)

The order of the base point is 28

It would take a system doing a million additions/sec 14 microseconds to try 50% of all possible points.

The size of the odd prime modulus in bits is 5.

Slide33

Brute Force Attack

There is not a known algorithm to attack ECC

Brute force attack

Starting with point P, add P to itself until Q is found.

Stop when kP = Q

The order of the base point is $1.73 \times 10^{46}$

It would take a system doing a million additions/sec ($3.15 \times 10^{18}$ additions/year) $10^{32}$ years to try 50% of all possible points.

The size of the odd prime modulus in bits is 161. Equivalent to RSA 1024

Slide34

Breaking the Code

April 27, 2004

Certicom Corp. (TSX: CIC), the authority for strong, efficient cryptography, today announced that Chris Monico, an assistant professor at Texas Tech University, and his team of mathematicians have successfully solved the Certicom Elliptic Curve Cryptography (ECC) 109-bit Challenge. The effort required 2600 computers and took 17 months. For comparison purposes, the gross CPU time used would be roughly equivalent to that of an Athlon XP 3200+ working nonstop for about 1200 years.

Slide35

Public Key Systems Key Size Comparisons

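| Security (Bits) | Symmetric Encryption Algorithm | Hash Algorithm | Minimum Size of Public Keys (Bits): Diffie-Hellman Modulus Size | Minimum Size of Public Keys (Bits): RSA Modulus Size | Minimum Size of Public Keys (Bits): ECC |
|---|---|---|---|---|---|
| 80 | SKIPJACK | SHA-1 | 1024 | 1024 | 160 |
| 112 | 3DES | | 2048 | 2048 | 224 |
| 128 | AES-128 | SHA-256 | 3072 | 3072 | 256 |
| 192 | AES-192 | SHA-384 | 7680 | 7680 | 384 |
| 256 | AES-256 | SHA-512 | 15360 | 15360 | 512 |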

Blake, Seroussi, and Smart (1999, p9) compared the two algorithms known to break ECC and discrete algorithms. Simplifying the formulas and making several approximations, they arrived at the following formula comparing key-length for similar levels of security:

where β ≈ 4.91. The parameters n and N are the “key sizes” of ECC and DL cryptosystems.

Slide36

Elliptic Curve Cryptography

Slide37

Domain Parameters

Parties using elliptic curve cryptography need to share certain parameters, the “Elliptic Curve Domain Parameters”.

The EC domain parameters may be public; the security of the system does not rely on these parameters being secret.

The domain consists of six parameters, which are calculated differently for $F_p$ and $F_{2^m}$. They precisely specify an elliptic curve and base point. The six domain parameters are the following:

T = (q; FR; a, b; G; n; h), in which,

q: Defines the underlying finite field $F_q$. The field size is defined by the modulus, so q = p or q = $2^m$; p > 3 should be a prime number.

FR: Field representation of the method used for representing field elements in , either or .

a, b: The coefficients defining the elliptic curve E, elements of $F_q$.

G: A distinguished point, G = ($x_G$, $y_G$), on an elliptic curve, called the base point or generating point, defined by two field elements $x_G$ and $y_G$ in $F_q$.

n: The order of the base point G.

h: Called the cofactor, h = #E($F_q$)/n, where n is the order of the base point G. h is normally a small number.

Slide38

ECC Cryptography

Encryption

EC Integrated Encryption Scheme (ECIES)

Variant of ElGamal public-key encryption scheme

Proposed by Bellare and Rogaway

ANSI X9.63, ISO/IEC 15946-3, and IEEE P1363a draft

Provably Secure Encryption Curve (PSEC)

Fujisaki and Okamoto

Evaluated by NESSIE and CRYPTREC

Key Exchange

Station-to-Station Protocol

Diffie, van Oorschot, and Wiener

Discrete logarithm-based key agreement

ANSI X9.63

ECMQV

Menezes, Qu, and Vanstone

ANSI X9.63, IEEE 1363-2000, and ISO/IEC 15946-3

Slide39

ECC Cryptography

Digital Signature

Elliptic Curve Digital Signature Algorithm (ECDSA)

Analog to the Digital Signature Algorithm (DSA)

Secure Hash Algorithm (SHS-1)

ANSI X9.62, FIPS 186-2, IEEE1363-2000 and ISO/IEC 15946-2

EC Korean Certificate-based Digital Signature Algorithm (EC-KCDSA)

Lim and Lee

ISO/IEC 15946-2.

Slide40

Key Generation

The public and private keys of an entity A are associated with a particular set of elliptic curve domain parameters (q; FR; a; b; G; n; h). To generate a key pair, entity Alice does the following:

Selects a random or pseudo-random integer d in the interval [1, n - 1].

Computes Q = d * G.

Has Q as public key, PubA, and d as private key, PrivA.

Checks that $x_G$ and $y_G$ are elements of the elliptic curve equation by calculating or .

Example:

For E($F_{23}$): $y^2 = x^3 + x + 1$, #E($F_{23}$) = 28. Then, n = 7, since n should be a prime factor of 28.

The cofactor h is equal to 28 / 7 = 4. A point with an order of 7 should be selected.

The point G could be (5, 19), one of several points with n = 7. The domain parameter T = (p; a; b; G; n; h) is T = [23; 1; 1; (5,19); 7; 4].

Select d = 4, so Q = 4 (5, 19) = (13, 16). Alice’s public key is PubA = Q = (13, 16) and her private key is PrivA = 4.

Slide41

ECC ElGamal Encryption

Let T = (p; a; b; G; n; h) and be Alice’s public key.

T and PubA do not need to be secret.

Bob selects a random number as his private key and generates his public key using the same elliptic curve and G point.

Bob enciphers the message, M, by doing CM = [{PrivB * G}, {M + PrivB * PubA}]

Bob sends his PubB and cipher message to Alice.

[Bob → Alice: CM, PubB]

Alice deciphers the message by

Multiplying her private key PrivA by (PrivB . G).

Subtracting the above result from M + PrivB . PubA.

CM = [{PrivB * G}, {M + PrivB * PubA}]

M = {M + PrivB * PubA} – {PrivA * PrivB * G}

Since PubA = PrivA * G, then,

M = {M + PrivB * (PrivA . G)} – {PrivA * (PrivB * G)}

Slide42

ECC ElGamal Encryption

Let T = [23; 1; 1; (5,19); 7; 4] and select 4 as the PrivA, as the public key.

T and PubA do not need to be secret

Bob selects 4 as his private key.

The message is the point (8,20).

Bob enciphers the message by

CM = [{5*(5, 19)}, {(8, 20) + 5*(13, 16)}]

Bob sends his PubB and cipher message CM = [(17, 20), (18,11)] to Alice.

[Bob → Alice: CM, PubB]

Alice deciphers the message by

Multiplying her private key 4 by (18,11) = (5, 4).

Subtracting the above result from (17, 20)

M = (17,20) – (5, 4)

M = (17,20) + (5, -4) = (8, 20)

Note: The cofactor h = 4 in T is not related to the PrivA, which was selected at random and happens to be 4, also.

Slide43

Diffie-Hellman Key Exchange System

Sender and receiver agree on the same domain parameters.

T = (p; a; b; G; n; h) does not need to be secret.

Alice: T = (p; a; b; G; n; h), PrivA = Random large prime integer

Bob: T = (p; a; b; G; n; h), PrivB = Random large prime integer

Alice and Bob convert the shared secret value z to an octet string Z and use Z as the shared secret key for symmetric encryption algorithms to secure their communications.

Slide44

Diffie-Hellman Key Exchange System

Alice: T = [23; 1; 1; (5,19); 7; 4]

Bob: T = [23; 1; 1; (5,19); 7; 4]

Note: The cofactor h = 4 in T is not related to the PrivA, which was selected at random and happens to be 4, also.

Slide45

ECDSA Signature Generation

T = (p; a; b; G; n; h) and is Alice’s public key.

T and PubA do not need to be secret.

Alice

Selects a random integer

Computes

Computes

Computes

The signature for the message m is the pair of integers (r, s).

[Alice → Bob: (r, s)]

Bob

Verifies Alice’s signature (r, s) on the message m as follows:

Computes H(m) and

Computes

Computes

Accepts the signature if v = r.

Slide46

ECDSA Signature Generation

Let T = [23; 1; 1; (5,19); 7; 4] and

Alice

Select k = 3

Compute

Compute

Compute

The signature for the message m is the pair of integers (r, s), (6, 2).

Bob

Bob verifies Alice’s signature (6, 2) on the message m as follows:

Compute H(m) and

Compute

Compute

Compute

Accept the signature because v = 6 mod 7 = r.
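The toy curve from the slides worked end to end, as an added example that is not part of the original presentation: point addition and doubling, point order, ElGamal, Diffie-Hellman and ECDSA over E($F_{23}$): $y^2 = x^3 + x + 1$ with T = [23; 1; 1; (5,19); 7; 4]. The slope, shared-secret and ECDSA formulas are the standard textbook ones, and the function names are illustrative.

```python
# Toy domain parameters from the slides: T = [23; 1; 1; (5,19); 7; 4],
# i.e. E(F_23): y^2 = x^3 + x + 1. Far too small for real use.
P, A, B = 23, 1, 1
G, N = (5, 19), 7
O = None  # the point at infinity

def on_curve(pt):
    return pt is O or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def neg(pt):
    return O if pt is O else (pt[0], -pt[1] % P)

def add(p1, p2):
    # Group law: chord through P and Q, tangent when P == Q (textbook formulas).
    if p1 is O or p2 is O:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O  # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P)
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    # Double-and-add scalar multiplication: Q = kP.
    acc = O
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def order(pt):
    # Smallest k >= 1 with kP = O.
    k, acc = 1, pt
    while acc is not O:
        acc, k = add(acc, pt), k + 1
    return k

def elgamal_encrypt(m, priv_b, pub_a):
    # Bob: C_M = [Priv_B * G, M + Priv_B * Pub_A]; inputs must be curve points.
    if not (on_curve(m) and on_curve(pub_a)):
        raise ValueError("point is not on the curve")
    return mul(priv_b, G), add(m, mul(priv_b, pub_a))

def elgamal_decrypt(c, priv_a):
    # Alice: M = (M + Priv_B * Pub_A) - Priv_A * (Priv_B * G).
    return add(c[1], neg(mul(priv_a, c[0])))

def ecdh(priv, peer_pub):
    # Shared secret z = x-coordinate of priv * peer_pub; bad inputs give O.
    shared = mul(priv, peer_pub) if on_curve(peer_pub) else O
    if shared is O:
        raise ValueError("invalid peer public key")
    return shared[0]

def ecdsa_sign(e, d, k):
    # e = H(m) as an integer, d = private key, k = fresh per-signature secret.
    r = mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + d * r) % N
    if r == 0 or s == 0:
        raise ValueError("choose another k")
    return r, s

def ecdsa_verify(e, sig, pub):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N) or pub is O or not on_curve(pub):
        return False
    w = pow(s, -1, N)
    x = add(mul(e * w % N, G), mul(r * w % N, pub))
    return x is not O and x[0] % N == r
```

With d = 4, k = 3 and a constructed digest value e = 10, `ecdsa_sign(10, 4, 3)` returns the signature (6, 2) shown on the slide, and `mul(13, (0, 1))` returns (9, 16). `elgamal_encrypt` refuses the point (8, 20) because it does not satisfy the curve equation, while a constructed on-curve message such as (3, 10) round-trips.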

Slide47

Cipher Suite

There are many algorithms that can be used for encryption, key exchange, message digest, and authentication; the level of security for each of these algorithms varies. Establishing a connection between two entities requires that they tell each other what crypto algorithms they understand. Normally one of the entities involved in the communication proposes a list of algorithms, and the other entity selects the algorithms supported by both. The selected algorithms may not have matching levels of security, reducing the overall security of the communication.

A cipher suite is a collection of cryptographic algorithms that matches the level of security of all the algorithms listed in the cipher suite. To enable secure communications between two entities, they exchange information about which cipher suites they have in common, and they then use the cipher suite that offers the highest level of security.

Slide48

To Probe Further

Hankerson, D., Menezes, A., Vanstone, S. (2004). Guide to Elliptic Curve Cryptography. New York: Springer-Verlag.

Blake, I., Seroussi, G., Smart, N. (1999). Elliptic Curves in Cryptography. Cambridge, United Kingdom: Cambridge University Press.

Rosing, M. (1999). Implementing Curve Cryptography. Greenwich, CT: Manning Publications.

Lopez, J., Dahab, R., An overview of Elliptic Curve Cryptography, Institute of Computing, State University of Campinas, Sao Paulo, Brazil, May 2, 2000. (Retrieved September 26, 2003 from http://citeseer.nj.nec.com/lop00overview.html)

Brown, M., Cheung, D., Hankerson, D., Lopez, J., Kirkup, M., Menezes, A., PGP in Constrained Wireless Devices, Proceedings of the 9th USENIX Security Symposium, August 2000.

Certicom Research, Standard for Efficient Cryptography (SEC 1): Elliptic Curve Cryptography, September 20, 2000. (Retrieved September 26, 2003 from http://www.secg.org/secg_docs.htm)

Certicom Research, Current Public-Key Crypto Systems, April 1997. (Retrieved on September 20, 2000 from )

Cryptomathic, Elliptic Curve Online Key Generation at http://www.cryptomathic.com/labs/ellipticcurvedemo.html#Key-Generation

Certicom Elliptic Curve Tutorial at http://www.certicom.com/index.php?action=ecc,ecc_tutorial

IEEE P1363, Standard Specifications for Public Key Cryptography, draft 2000