Key Management and Elliptic Curves
Key Management
- Distribution of Public Keys
- Public-key Distribution of Secret Keys
- Diffie-Hellman Key Exchange
Elliptic Curves
- Mathematical foundations
- Elliptic curves over real numbers, $Z_p$, and $GF(2^m)$
- Key exchange using Elliptic Curve Cryptography
- Elliptic Curve Encryption/Decryption
- Security of Elliptic Curve Cryptography
Public Announcement of Public Keys
- Announcing your key to the world
- This is what is done by PGP (pretty good privacy)
- Weakness: someone can pretend to be you, announce a public key (knowing the private key), and then receive all encrypted email sent by others and intended for you
- We need to look at other approaches with more security
Publicly Available Directory
Steps in the process:
- Register your name and public key with the directory
- Authentication occurs at this time
- The user can replace the public key at any time
- The entire directory is published periodically
- Access to the directory can be done electronically
This is more secure, but improvements are possible
Public-key Authority - 1
Steps in the process:
1. Send a request to the public key authority for the current public key of user B
2. The authority sends a response using its private key; the user is able to decrypt using the authority's public key; the response will include B's public key, the original request and the original timestamp
3. Store B's public key and send an encrypted message that includes your identifier and a nonce
4. User B gets your public key using steps 1 and 2
5. B replies by sending A's nonce as well as a new nonce
6. Return B's nonce to ensure the channel is secure
Public-key Authority - 2
Public-key Certificates - 1
- Using an authority is time consuming; an alternative approach is to use certificates
- We now have a certificate authority
1. Any participant can read a certificate determining the name and public key of the owner
2. Any participant can determine the info originated from the certificate authority
3. Only the certificate authority can update certificates
4. Any participant can determine the currency of the certificate
- Users can simply exchange certificates to share their public keys
Public-key Certificates - 2
Try to Answer the Questions Asked
- How can any participant determine the information originated from the certificate authority?
- How does the timestamp help eliminate forgery?
Simple Secret Key Distribution - 1
Suppose users A and B want to exchange a secret key:
- User A generates a public key and private key and contacts B
- User B generates a secret key and transmits it to A, encrypted with A's public key
- A decrypts the message to recover the secret key
- All public/private keys are discarded and communication proceeds using the secret key and symmetric encryption
The risk seems minimal since the exchange of a secret key happens quickly
Simple Secret Key Distribution - 2
If there is an active attack by an eavesdropper E, the following sequence may occur:
- User A generates a public key and private key and contacts B
- User E intercepts this message, creates another public key and private key and transmits the public key and A's identity to B
- User B generates a secret key and transmits it to A, encrypted with A's public key
- User E intercepts this message and learns the secret key
- E transmits the secret key to A and proceeds to listen in on all subsequent messages
What is lacking here is authentication that messages really come from the expected source and not an eavesdropper
Distribution with Confidentiality & Authentication
- We assume that A and B have exchanged public keys by one of the schemes outlined earlier
- A uses B's public key to encrypt and transmit A's identifier and a nonce $N_1$ that is used to identify this transmission
- B sends A a message encrypted with A's public key that contains $N_1$ and a new nonce $N_2$ generated by B
- A returns $N_2$ encrypted to assure B that the message came from A
- A sends B a secret key encrypted using B's public key, so only B can read it, and A's private key so B can ensure the message came from A
- B can apply decryption to recover the secret key
A Pictorial View
The information exchange to ensure confidentiality and authenticity is shown below
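The four-message exchange described above, written out as an added example that is not part of the original slides. It assumes textbook RSA with small constructed primes (no padding, illustration only); `keygen`, `rsa`, `exchange`, `ID_A` and the impostor key `PR_E` are names made up for this example.

```python
import secrets

def keygen(p, q, e):
    """Toy RSA pair from two small primes (constructed values, far too small for use)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)          # (public, private)

def rsa(key, m):
    """Textbook RSA without padding: one operation encrypts, decrypts, signs, verifies."""
    exponent, n = key
    return pow(m, exponent, n)

PU_A, PR_A = keygen(61, 53, 17)   # A: n = 3233
PU_B, PR_B = keygen(89, 97, 5)    # B: n = 8633, larger so A's signed value fits
PU_E, PR_E = keygen(67, 71, 17)   # hypothetical impostor who does not hold PR_A
ID_A = 65                         # constructed identifier for A

def exchange(claimant_private, secret_key, n1=None, n2=None):
    """Return the key B accepts, or None if either side's nonce check fails."""
    n1 = n1 or 2 + secrets.randbelow(3000)       # nonces kept below A's modulus
    n2 = n2 or 2 + secrets.randbelow(3000)
    # Message 1, A -> B: E(PU_B, [ID_A, N1])
    msg1 = [rsa(PU_B, ID_A), rsa(PU_B, n1)]
    _ident, n1_at_b = [rsa(PR_B, c) for c in msg1]
    # Message 2, B -> A: E(PU_A, [N1, N2]); only the holder of PR_A can read N2
    msg2 = [rsa(PU_A, n1_at_b), rsa(PU_A, n2)]
    n1_echo, n2_at_claimant = [rsa(claimant_private, c) for c in msg2]
    if claimant_private == PR_A and n1_echo != n1:
        return None                              # honest A: responder lacks PR_B
    # Message 3, A -> B: E(PU_B, N2); B checks that its own nonce came back
    msg3 = rsa(PU_B, n2_at_claimant)
    if rsa(PR_B, msg3) != n2:
        return None                              # B: claimant could not read N2
    # Message 4, A -> B: E(PU_B, E(PR_A, K)); B decrypts, then applies PU_A
    msg4 = rsa(PU_B, rsa(claimant_private, secret_key))
    return rsa(PU_A, rsa(PR_B, msg4))
```

Calling `exchange(PR_A, K)` returns `K`, while `exchange(PR_E, K)` stops at message 3 because the claimant cannot recover $N_2$.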
A Hybrid Scheme
How it works:
- A public key distribution center (KDC) shares a secret master key with each user
- Secret session keys are shared encrypted with the master key
Advantages of this approach:
- Performance is improved in applications that require frequent session key exchanges
- Public key encryption is only used occasionally to update the master key
- This approach is easily overlaid on an existing KDC scheme
The Diffie-Hellman Key Exchange
- This is the first published public key algorithm
- This approach is only used to exchange a secret key
- Security is based on the difficulty of computing discrete logarithms
Here is some mathematical background:
- For prime p we find a primitive root, we call it a
- For an integer b we find the exponent i such that $b \equiv a^i \pmod p$ where $0 \le i \le (p-1)$
- i is the index, namely $\mathrm{ind}_{a,p}(b)$
Steps in the Calculation
- A prime q and α, a primitive root of q, are known
- User A selects a random integer $X_A < q$ and computes $Y_A = \alpha^{X_A} \bmod q$; similarly user B selects a random integer $X_B < q$ and computes $Y_B = \alpha^{X_B} \bmod q$
- Each side keeps its X value private and makes the Y value public
- User A computes $K = (Y_B)^{X_A} \bmod q$
- User B computes $K = (Y_A)^{X_B} \bmod q$
- These calculations produce the same secret key
- Attacking the secret of user B, the opponent must compute $X_B = \mathrm{ind}_{\alpha,q}(Y_B)$
- Security lies in the difficulty in calculating discrete logarithms
The Algorithm
A Sample Calculation
- Suppose q = 353 and primitive root α = 3
- A and B select secret keys $X_A = 97$ and $X_B = 233$
- Each computes a public key:
  $Y_A = 3^{97} \bmod 353 = 40$
  $Y_B = 3^{233} \bmod 353 = 248$
- After exchanging public keys, A and B each computes the secret key for symmetric encryption:
  $K = (Y_B)^{X_A} \bmod 353 = 248^{97} \bmod 353 = 160$
  $K = (Y_A)^{X_B} \bmod 353 = 40^{233} \bmod 353 = 160$
- The attacker knows q = 353, α = 3, $Y_A = 40$ and $Y_B = 248$ and must solve $3^a \bmod 353 = 40$ or $3^b \bmod 353 = 248$; for large values this is very hard
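The sample calculation above as an added example (not part of the original slides): it checks that α = 3 is a primitive root of 353, reproduces the exchange, and shows why q must be large by recovering $X_A$ from $Y_A$ with baby-step giant-step, a standard square-root-time method chosen here for illustration. The function names and the range check on the peer's value are this example's own.

```python
from math import isqrt

def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for small n)."""
    out, f = set(), 2
    while f * f <= n:
        while n % f == 0:
            out.add(f)
            n //= f
        f += 1
    if n > 1:
        out.add(n)
    return out

def is_primitive_root(alpha, q):
    """alpha generates Z_q^* iff alpha^((q-1)/f) != 1 for each prime f dividing q-1."""
    return all(pow(alpha, (q - 1) // f, q) != 1 for f in prime_factors(q - 1))

def public_value(alpha, x, q):
    """Y = alpha^X mod q, the value each side publishes."""
    return pow(alpha, x, q)

def shared_key(y_peer, x, q):
    """K = Y_peer^X mod q; reject peer values that force a trivial key."""
    if not 1 < y_peer < q - 1:
        raise ValueError("peer public value out of range")
    return pow(y_peer, x, q)

def discrete_log(alpha, y, q):
    """Baby-step giant-step: X with alpha^X = y (mod q) in about sqrt(q) steps."""
    m = isqrt(q - 1) + 1
    baby = {pow(alpha, j, q): j for j in range(m)}   # alpha^j -> j
    step = pow(alpha, -m, q)                         # alpha^(-m) mod q
    gamma = y
    for i in range(m):
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * step % q
    return None

def sample_exchange(q=353, alpha=3, x_a=97, x_b=233):
    """The slide's numbers: returns (Y_A, Y_B, K computed by A, K computed by B)."""
    y_a, y_b = public_value(alpha, x_a, q), public_value(alpha, x_b, q)
    return y_a, y_b, shared_key(y_b, x_a, q), shared_key(y_a, x_b, q)

if __name__ == "__main__":
    print(is_primitive_root(3, 353), sample_exchange())   # True (40, 248, 160, 160)
    print(discrete_log(3, 40, 353))                       # 97
```

With q = 353 the search needs only 19 baby steps and at most 19 giant steps; the cost grows with the square root of q, which is why the slide's "for large values" qualifier matters.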
Steps in the Process
- Here is a communications protocol
- Of course, this protocol is symmetric, B could initiate the exchange
Group Work
- Given q = 71 and primitive root α = 7
- Suppose $X_A = 5$, what is A's public key?
- Suppose $X_B = 12$, what is B's public key?
- What is the shared private key?
Elliptic Curve Arithmetic
Use of RSA and problems with RSA:
- RSA is very widely used so codebreakers have concentrated on breaking this scheme
- To ensure security, keys have become larger and larger, making it more computationally intensive
Elliptic Curve Cryptography (ECC):
- Beginning to challenge the dominance of RSA
- ECC offers equal security to RSA with smaller keys
- Confidence in ECC is not as high as RSA since codebreakers have not probed its weaknesses
- Security in ECC depends on the difficulty of solving the discrete logarithm problem
Abelian Groups
Remember the definition of abelian groups:
- What is closure?
- What is associativity?
- What is an identity element?
- What are inverse elements?
- What is commutativity?
In Diffie-Hellman keys are generated by exponentiation (repeated multiplication)
In ECC keys are generated by multiplication (repeated addition)
Elliptic Curves over Real Numbers
Elliptic curve equations:
- In general, $y^2 + axy + by = x^3 + cx^2 + dx + e$
- We consider $y^2 = x^3 + ax + b$; to plot this curve we need to compute $y = \sqrt{x^3 + ax + b}$
- On the next two slides we show two sample elliptic curves where we specify curves by E(a,b)
- We also have to include the element O, the point at infinity (also known as the zero point)
- The first curve is E(-1,0), namely $y^2 = x^3 - x$
- The second curve is E(1,1), namely $y^2 = x^3 + x + 1$
An Example Curve E(-1,0)
Another Curve E(1,1)
Geometric Description of Addition
- E(a,b) defines a group provided there are no repeated factors, this requires $4a^3 + 27b^2 \neq 0$
Addition of points P and Q:
- O, the infinity point, is the additive identity
- If P has coordinates (x,y) then -P is at (x,-y)
- To add P and Q, connect them with a line, the third point of intersection is R = -(P+Q)
- This is true for Q itself, Q + -Q = O
- To add a point to itself, Q + Q = 2Q is the point where the tangent line intersects the curve
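Algebraic Description of Addition
- λ is the slope of the line connecting P and Q: $\lambda = (y_P - y_Q)/(x_P - x_Q)$
- $x_R = \lambda^2 - x_P - x_Q$
- $y_R = -y_P + \lambda(x_P - x_R)$
Suppose that P + P = R:
- $x_R = \left(\frac{3x_P^2 + a}{2y_P}\right)^2 - 2x_P$
- $y_R = \left(\frac{3x_P^2 + a}{2y_P}\right)(x_P - x_R) - y_P$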
Group Work
- Consider the curve $y^2 = x^3 - 36x$ over real numbers
- Let P = (-3.5, 9.5) and Q = (-2.5, 8.5), find P + Q
- Find 2P
Elliptic Curves over $Z_p$
Our sample curve:
- $y^2 \bmod p = (x^3 + ax + b) \bmod p$
- one solution: a = 1, b = 1, x = 9, y = 7, p = 23
Finding more points:
- If p = 23, a = 1, b = 1, the curve is $E_{23}(1,1)$
- The next slide shows the points that satisfy the equation, including the (9,7) above
- A plot of these points is also shown
- Notice that the points (except for one) are symmetric about the line y = 11.5
Elliptic Curve $E_{23}(1,1)$
Group Work - 1
- Given $E_{11}(1,6)$ defined by $y^2 = x^3 + x + 6$
- Find all points by calculating the right hand side for all values of x
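A Sample Calculation - 1
Additive inverse:
- P + (-P) = O; let P = (13,7), -P = (13,-7) = (13,16), why?
Addition:
- $x_R = (\lambda^2 - x_P - x_Q) \bmod p$
- $y_R = (\lambda(x_P - x_R) - y_P) \bmod p$
- $\lambda = \left(\frac{y_Q - y_P}{x_Q - x_P}\right) \bmod p$ if $P \neq Q$
- $\lambda = \left(\frac{3x_P^2 + a}{2y_P}\right) \bmod p$ if $P = Q$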
A Sample Calculation - 2
- Multiplication: 4P = P + P + P + P
An example of simple addition, with P = (3,10) and Q = (9,7):
- $\lambda = \left(\frac{7 - 10}{9 - 3}\right) \bmod 23 = \left(\frac{-3}{6}\right) \bmod 23 = 11$
- $x_R = (11^2 - 3 - 9) \bmod 23 = 109 \bmod 23 = 17$
- $y_R = (11(3 - 17) - 10) \bmod 23 = -164 \bmod 23 = 20$
Group Work - 2
- Given $E_{11}(1,6)$ defined by $y^2 = x^3 + x + 6$
- Given G = (2, 7), find multiples 2G to 13G
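Elliptic curves over $GF(2^m)$
- The basic equation is $y^2 + xy = x^3 + ax^2 + b$
- If P is $(x_P, y_P)$ then -P is $(x_P, x_P + y_P)$
- If Q is $(x_Q, y_Q)$ and $P \neq \pm Q$ then:
  $x_R = \lambda^2 + \lambda + x_P + x_Q + a$
  $y_R = \lambda(x_P + x_R) + x_R + y_P$
  $\lambda = \frac{y_Q + y_P}{x_Q + x_P}$
- If R = 2P then:
  $x_R = \lambda^2 + \lambda + a$
  $y_R = x_P^2 + (\lambda + 1)x_R$
  $\lambda = x_P + \frac{y_P}{x_P}$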
Elliptic Curve Cryptography: An Overview
- Given Q = kP where Q, P are in $E_p(a,b)$ and k < p
- It is relatively easy to calculate Q given k and P
- It is difficult to determine k given Q and P
- This is the discrete log problem for elliptic curves
An example calculation:
- Let P = (16,5) and Q = (4,5) in $E_{23}(9,17)$ defined by the equation $y^2 \bmod 23 = (x^3 + 9x + 17) \bmod 23$
- To find k we can use a brute force approach: 2P = (20,20), 3P = (14,14), ..., 9P = (4,5) so k = 9
- For large numbers this approach is impractical
Key Exchange using Elliptic Curves
Steps of the key exchange:
- Select a large integer q to define $E_q(a, b)$
- The order n of a point G is the smallest positive integer n such that nG = O
- Pick a base point G in $E_q(a, b)$ with a very large order
- G and $E_q(a, b)$ are parameters known to all participants
- A selects $n_A < n$ as its private key; A calculates public key $P_A = n_A G$ in $E_q(a, b)$
- In a similar manner B selects $n_B$ and generates $P_B$
- A generates secret key $K = n_A P_B$ and B generates secret key $K = n_B P_A$; these values are equal
ECC Key Exchange
A Numeric Example
The values and calculations:
- p = 211 in $E_p(0, -4)$ and G = (2, 2)
- One calculates 240G = O
- A sets $n_A = 121$ and $P_A = 121(2, 2) = (115, 48)$
- B sets $n_B = 203$ and $P_B = 203(2, 2) = (130, 203)$
- The shared key is 121(130, 203) = 203(115, 48) = (161, 69)
Group Work
- Suppose we are using $E_{11}(1,6)$
- Let G = (10,2)
- Suppose A selects $n_A = 5$, find A's public key
- Suppose B selects $n_B = 7$, find B's public key
- Show how both A and B find the secret key
Elliptic Curve Encryption/Decryption
The initial calculations are similar to the key exchange:
- Select a large integer q to define $E_q(a, b)$ and a base point G in $E_q(a, b)$ with a very large order
- A selects $n_A$, its private key, and calculates public key $P_A = n_A G$ in $E_q(a, b)$; B selects $n_B$ and calculates $P_B$
- To encrypt $P_m$ and send to B, A selects a random positive integer k and generates the pair $C_m = (kG, P_m + kP_B)$
- B decrypts by multiplying the first point by B's secret key and subtracting the result from the second point: $P_m + kP_B - n_B(kG) = P_m$
An Example Calculation
- Given p = 751 and $E_p(-1, 188)$
- The curve is $y^2 = x^3 - x + 188$
- Let G be (0, 376)
- Suppose the message $P_m = (562, 201)$
- A selects k = 386 and uses $P_B = (201, 5)$
- Calculating 386(0, 376) = (676, 558)
- And (562, 201) + 386(201, 5) = (385, 328)
- So A sends [(676, 558), (385, 328)]
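The point-addition rules over $Z_p$, the key exchange and the encryption/decryption scheme from the slides above all rest on the same arithmetic, so one added example covers the three; it is not part of the original slides, and the function names are this example's own.

```python
# None stands for O, the point at infinity; points are (x, y) tuples reduced mod p.

def on_curve(P, a, b, p):
    return P is None or (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0

def neg(P, p):
    return None if P is None else (P[0], -P[1] % p)

def add(P, Q, a, p):
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                    # Q = -P, so P + Q = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p        # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P, a, p):
    """k*P by double-and-add: repeated addition using about log2(k) doublings."""
    R = None
    while k:
        if k & 1:
            R = add(R, P, a, p)
        P = add(P, P, a, p)
        k >>= 1
    return R

def key_exchange(G, a, p, n_a, n_b):
    """Returns (P_A, P_B, K computed by A, K computed by B)."""
    P_a, P_b = mul(n_a, G, a, p), mul(n_b, G, a, p)
    return P_a, P_b, mul(n_a, P_b, a, p), mul(n_b, P_a, a, p)

def encrypt(P_m, k, G, P_b, a, p):
    """C_m = (kG, P_m + k*P_B)."""
    return mul(k, G, a, p), add(P_m, mul(k, P_b, a, p), a, p)

def decrypt(C_m, n_b, a, p):
    """P_m = (P_m + k*P_B) - n_B*(kG)."""
    kG, masked = C_m
    return add(masked, neg(mul(n_b, kG, a, p), p), a, p)

if __name__ == "__main__":
    print(add((3, 10), (9, 7), 1, 23))             # (17, 20)
    print(key_exchange((2, 2), 0, 211, 121, 203))
```

The encryption slide gives $P_B$ but not $n_B$, so a decryption round trip needs a private key of your own choosing, with $P_B$ derived from it by `mul`.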
Group Work
- Given $E_{11}(1,6)$, G = (2, 7) and $n_B = 7$
- Find B's public key $P_B$
- A wants to send $P_m = (10, 9)$ and k = 3; find $C_m$
- Show the calculations that let B recover $P_m$
Security of Elliptic Curve Cryptography
- Pollard rho is the fastest method known to find discrete logarithms
- ECC can have the same level of security as RSA with smaller key sizes