Algorithms draftmcgrewfundamentalecc02 mcgrewcisco com kmigoensagov Elliptic Curve Cryptography Alternative to integerbased Key Exchange and Signature algorithms Smaller keys and signatures ID: 786751
Download The PPT/PDF document "Fundamental Elliptic Curve Cryptography" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
Fundamental Elliptic Curve Cryptography Algorithmsdraft-mcgrew-fundamental-ecc-02
mcgrew@cisco.
com
kmigoe@nsa.gov
Slide2Elliptic Curve CryptographyAlternative to integer-based Key Exchange and Signature algorithmsSmaller keys and signaturesMore efficient at higher security levels
Slide3Diffie HellmanAlice
Bob
x
=
random
g
x
mod
p
g
y
mod p
y = random
(
gx)y mod p
(gy)x mod p
=
g
is number <
p
Slide4EC Diffie HellmanAlice
Bob
x
=
random
g
x
g
y
y
=
random
(
gx)y(
gy)x
=
g
is element of EC group
G
Slide5Cryptographic GroupsPrime GroupElement is number x
<
p
Prime
modulus
p
Generator
g < pO
rder n
EC GroupElement is (
x, y) with x, y < p
with y
2 = x3 + ax + b mod
p Prime modulus pParameters a,
b < pGenerator (gx,
gy)
Order n
ECC Parameter Set
Slide6Public Key Sizes
From RFC3766
,
Determining
Strengths For
Public Keys Used For
Exchanging Symmetric Keys
30x
Slide7ECC Efficient at High Security
Security
Computational
Cost
ECC
Integer
Slide8fECCdraft-mcgrew-fundamental-ecc
Informational
First
published 7/
09
Comments received and incorporated in -
02
Closely based on pre-1994 referencesSecurity: survived > 16 years of review
IPR: simplifies analysis
Slide9Timeline
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
…
…
ECC invented
ECDH
[M1985]
EC
ElGamal
[K1987]
ECC
I
mplementation
[BC1989]
Homogeneous Coordinates
[KMOV1991]
EC
ElGamal
Signatures
[A1992]
Meta
ElGamal
Signatures
[HMP1994]
Abbreviated
EC
ElGamal
Signatures
[KT1994]
Slide10Layers
Crypto Algorithms
Elliptic Curve Arithmetic
Modular Arithmetic
Key Exchange, Signatures
Coordinates, Representation
+, -, *, /
fECC
Scope
Slide11fECC Diffie-HellmanMiller 1985Compatible with IKE (
RFC 4753
)
Compatible with ECDH (IEEE 1363, ANSI X9.62)
Curves
over
GF(
p) with cofactor=1ECSVDP-DH primitive
Key Derivation Function is identity function
Slide12fECC SignaturesKoyama and Tsuruoka, 1994Horster,
Michels
,
and Petersen, 1994
KT
-IV
Signatures
Compatible with ECDSA (IEEE 1363, ANSI X9.62)KT-I SignaturesNot interoperable with standard
Slide13ECC Parameter SetsCompatibleSuite BUSG Cryptographic Interoperability Strategy
Uses NIST P256
, P384, P521
Other NIST
curves over
GF(
p
)RFC 5639 Elliptic Curve Cryptography (ECC) Brainpool Standard Curves and Curve GenerationWAPI
ISO/IEC JTC 1/SC 6 ProposalNot compatible
DJB’s Curve25519 protocol
Slide14Not in ScopeEC Group Parameter GenerationIdentity-based cryptoEdwards’
coordinates
GF(2
m
) curves
Mod
p
arithmetic optimizationsCertificate detailsExotic groups (hyperelliptic, braids, …)…
Slide15Possible Future DraftsOptimizationsModular arithmeticEfficient primesElliptic Curve arithmetic
Priority: preserve interoperability
and
compatibility with standards
Slide16ConclusionsDraft ready for RFCECC deserves serious considerationfECC is secure and performs wellRecommendation:
IETF
work using ECC should
explicitly allow
fECC
…
implementations MAY
use [fECC]
…
Slide17Questions?
Slide18(x3,y3) = (x1,y1) × (x2,y2) x3 = ((y2-y1)/(x2-x1))2
- x1
– x2
y3
= (x1-x3
)(
y2-y1)/(x2-x1)
– y1
Slide19A Group
×
1
2
3
4
5
6
1
123
456
2
246
1353
362
51
4441
5263
5
53
1642
6
6
5
4
3
2
1
5, 5
2
=4, 5
3
=6, 5
4
=2, 5
5
=3, 5
6
=1
Multiplication modulo 7