Elliptic Curve Cryptography

Transcription

1 Elliptic Curve Cryptography Cryptography is the science of securely transmitting information such that nobody but the intended recipient may understand its contents. Cryptography has existed in some form since ancient times, when couriers carried military information on foot; the generals who sent them needed to ensure that even if the messenger were captured the information would not fall into the wrong hands. For example, the Caesar cipher, named after the eponymous emperor, simply shifted each letter in a message by a fixed amount. Of course, any interceptor who knew the trick could easily decode the transmission. By modern standards, such a cryptosystem, or algorithm for transmitting data (hopefully with some measure of security), is horribly insecure. Most cryptosystems used these days are some form of public-key cryptosystems, clever ways of transmitting information between two parties without relying on any secret that they needed to agree on beforehand (like the amount to shift the letters for a Caesar cipher). Consider a simple example cryptosystem called the one-time pad. Suppose Alice wants to send a secret message to Bob, and suppose that beforehand Alice and Bob have agreed on a random binary string called their secret key, say To send a message to Bob, Alice first takes her message and encodes it in binary; say her message is Alice then XORs her message with the secret key to obtain the ciphertext and sends the result to Bob. Bob can then recover the message by XORing the ciphertext with the original secret key Note that any eavesdropper, call her Eve, only sees the ciphertext. Because the secret key was a random binary string, the XOR of it with any single message is also a random binary string, meaning that Eve obtains no information whatsoever from the ciphertext. This cryptosystem is then said to be perfectly secure. Unfortunately, the one-time pad is effectively the only perfectly secure cryptosystem, meaning this definition of security is not very interesting or useful. From now on, we will call a cryptosystem secure if an eavesdropper is unable to recover the original message in reasonable computational time, here taken to be polynomial time in the length of the input. The definition suggests we look for one-way functions, functions which are computationally easy to compute but computationally difficult to invert, except by using a backdoor built into the function. This backdoor corresponds to the use of the private key by the recipient of the message; using a backdoor should be computationally easy. So if f is a one-way function and m is the (encoded in binary, say) message, then computing f(m) should be fast but computing f 1 (c) should be difficult for any ciphertext c = f(m). One implementation of an elliptic curve cryptosystem comes from the Massey- Omura system [5]. Let E be a fixed elliptic curve over a finite field F p k and suppose 1

2 N = E. That is, for any point P E, P added to itself N times produces the identity (the point at infinity); NP = id, where the notation nq for integer n and point Q E means the n-fold addition of Q with itself. To transmit message m to Bob, Alice first represents m as a point X 0 on the elliptic curve E. There exist many such easy-to-compute invertible mappings (with easy-to-compute inverses) from the space of messages to the set of points on E; one must be publicly decided upon by Alice and Bob beforehand. Alice now chooses a random integer 0 < c < N with gcd(c, N) = 1 and sends Bob cx 0. Bob chooses another random integer 0 < d < N with gcd(d, N) = 1 and adds the point he received to itself d times, yielding d(cx 0 ), and sends the result to Alice. Since gcd(c, N) was 1, Alice may compute c 1 mod N; Alice then sends Bob c 1 (d(c(x 0 ))). Finally, Bob similarly calculates d 1 and computes d 1 (c 1 (d(cx 0 ))). Figure 1: The group law, defined by point addition, of elliptic curves (figure from [7]). The point at infinity is the identity for this operation. Clearly for this cryptosystem to work d 1 (c 1 (d(cx 0 ))) must equal X 0. From the definition, d 1 (c 1 (d(cx 0 ))) = (c 1 c)(d 1 d)x 0 But c 1 c = kn + 1 and d 1 d = mn + 1, so this is (kn + 1)(mN + 1)X 0. 2

3 Since NX 0 = id, the identity of the elliptic curve group law, this quantity is simply X 0, so Bob has recovered X 0 and hence the original message (as the encoding of messages to points was invertible). Another implementation of an elliptic curve cryptosystem obviates the need to know the order of the elliptic curve. In the ElGamal system, Alice and Bob agree beforehand on some fixed point Y E. This time Bob begins by choosing a random integer a and sending dy to Alice. To send a message encoded as point X 0 to Bob, Alice chooses a random integer 0 < c < N and sends both cy and X 0 +c(dy ) to Bob. Using the first of these data Bob may compute d(cy ) = cdy, and by subtracting this from the latter Bob can find X 0 + cdy cdy = X 0. We now turn to the security of these and other similar elliptic curve cryptosystems. Intuitively, either of these cryptosystems is based on the difficulty of finding X 0 solely from multiples of X 0. For example, in the Massey-Omura system an eavesdropper Eve would have the points cx 0, dcx 0, and c 1 dcx 0 = dx 0. This suggests the definition of the following problem: Problem 1 Elliptic Curve Discrete Log Problem (ECDLP) Given P, Q E points on an fixed elliptic curve over a finite field with the condition that Q = kp for some integer k, determine k. Breaking either elliptic curve cryptosystem in the general case is equivalent to solving this problem (for general P, Q, and E, and again with the underlying assumption of a reasonable computational bound). For example, if one could solve the ECDLP (in reasonable time), then given cx 0 and dcx 0, an attacker Eve could find the integer d. From this Eve could compute d 1 mod N, and find X 0 from d 1 (dx 0 ) = X 0, recovering the message. Note that the above cryptosystems require the computation of large multiples of points P E. Because parameters must be chosen such that the requisite computation of multiples of points is computationally fast (in polynomial time, say) while still making brute-force guess-and-check infeasible for finding k in the ECDLP, we require a faster way to compute large powers of points. Fortunately such an algorithm exists; by repeatedly adding a point P to itself, one may compute 2 k P using only k point additions. More generally, to compute 2 n P for any n, one need only write n in binary, maintaining the current point (initially equal to id). For each binary digit in n starting from the left (the most significant digit), add the current point to itself, and add P as well to the current point if the digit is 1. For example to compute 2 25 P, where 25 = first begin with id; then reading digits from left to right, double-and-add, double-and-add, double, double, and double-and-add, obtaining P, 3P, 6P, 12P, and finally 25P. Each digit corresponds to at most two additions, meaning 2 n P can be computed in O(log n) individual point additions. Hence if N = E is chosen to be 3

4 sufficiently large, the ECDLP is infeasible to solve by brute-force while multiples of points may be computed quickly. Currently it is unknown if the ECDLP is actually not solvable in sub-exponential time. Since elliptic curve cryptography s inception in 1985 [2], it has been adopted to a limited extent commercially. Some limited attacks on elliptic curve cryptosystems have been developed; they do not solve the ECDLP (in reasonable time) in general however, only for specific classes of elliptic curves. For example anomalous elliptic curves, those over F p that have exactly p rational points, are weak cryptographically; for this class of elliptic curves, the ECDLP can be quickly solved [8]. For other elliptic curves, an adaptation of the Pollard rho method used in the factorization of integers can run in polynomial time, solving the ECDLP in computationally feasible time [9]. The SEC (Standards for Efficient Cryptography) has published a list of elliptic curve domain parameters (choices of relevant constants) that appear secure against all known cryptographic attacks [10]. Elliptic curve cryptography shares much in common with the more traditional RSA method; both public key systems rely on the infeasibility of solving some computational problem in sub-exponential time. However, despite being less used elliptic curve cryptography offers benefits in speed of computation. To achieve comparable security to that offered by a symmetric key (a key known by both parties, as in the one-time pad above) size of 80 bits, the National Institute of Standards and Technology suggests a key size for RSA of 1024 bits while only 160 bits for an elliptic curve cryptosystem [2]. Requiring more security only accentuates this advantage of elliptic curve cryptography over the RSA method; to achieve equivalent security to that offered by a symmetric key of 256 bits, one must use a RSA key of bits but an elliptic curve cryptography key of only 521 bits. While this difference may appear small on most computers, it is significant for low-power electronics such as handheld devices (smartphones and Blackberries, for example) [1]. On the PalmPilot, finding an acceptable 1024-bit RSA public key requires 42 seconds, while finding an equivalently secure elliptic curve cryptography key requires only around 3 [1]. Indeed a movement is underway to develop standards for elliptic curve cryptography and better integrate it into software (such as browsers), especially in the mobile market [3]. As computers become more powerful, stronger cryptography becomes more necessary to protect the security of online transactions such as account verification and banking. RSA keys as long as 768 bits have been factored [11], necessitating more efficient algorithms for constructing and processing secure public keys. Elliptic curve cryptography is one such method that promises significantly shorter key lengths for equivalent measures of security, giving it an advantage over more traditional cryp- 4

5 tosystems. Especially for application to computing devices with low computational power, such as many mobile phones and handheld devices, elliptic cryptography will likely allow its users to achieve greater levels of cryptographic security than before available. 5

6 Bibliography [1] Dan Boneh, Review of SEC1: Elliptic Curve Cryptography Standards for Efficient Cryptography [2] curve.shtml [3] [4] key exchange [5] Neal Koblitz, Elliptic Curve Cryptosystems Mathematics of Computation, Jan Volume 48, Number 177, Pages [6] curve cryptography [7] Anoop MS, Elliptic Curve Cryptography An Implementation Guide, [8] Leprévost, Monnerat, Varrette, and Vaudenay, Generating Anomalous Elliptic Curves Information Processing Letters, Volume 93, Pages , Elsevier, 2005 [9] sdg/ecc.html [10] Certicom Research, SEC 2: Recommended Elliptic Curve Domain Parameters Standards for Efficient Cryptography, Sept. 20, 2000, Version 1.0 [11] 6