Elliptic Curve Cryptography


Cryptography is the science of securely transmitting information such that nobody but the intended recipient may understand its contents. Cryptography has existed in some form since ancient times, when couriers carried military information on foot; the generals who sent them needed to ensure that even if the messenger were captured the information would not fall into the wrong hands. For example, the Caesar cipher, named after the eponymous emperor, simply shifted each letter in a message by a fixed amount. Of course, any interceptor who knew the trick could easily decode the transmission. By modern standards, such a cryptosystem, or algorithm for transmitting data (hopefully with some measure of security), is horribly insecure. Most cryptosystems used these days are some form of public-key cryptosystems, clever ways of transmitting information between two parties without relying on any secret that they needed to agree on beforehand (like the amount to shift the letters for a Caesar cipher).

Consider a simple example cryptosystem called the one-time pad. Suppose Alice wants to send a secret message to Bob, and suppose that beforehand Alice and Bob have agreed on a random binary string called their secret key, say 10010101. To send a message to Bob, Alice first takes her message and encodes it in binary; say her message is 01110011. Alice then XORs her message with the secret key to obtain the ciphertext 11100110 and sends the result to Bob. Bob can then recover the message by XORing the ciphertext with the original secret key 10010101. Note that any eavesdropper, call her Eve, only sees the ciphertext. Because the secret key was a random binary string, the XOR of it with any single message is also a random binary string, meaning that Eve obtains no information whatsoever from the ciphertext. This cryptosystem is then said to be perfectly secure.
Unfortunately, the one-time pad is effectively the only perfectly secure cryptosystem, meaning this definition of security is not very interesting or useful. From now on, we will call a cryptosystem secure if an eavesdropper is unable to recover the original message in reasonable computational time, here taken to be polynomial time in the length of the input. The definition suggests we look for one-way functions, functions which are computationally easy to compute but computationally difficult to invert, except by using a backdoor built into the function. This backdoor corresponds to the use of the private key by the recipient of the message; using a backdoor should be computationally easy. So if $f$ is a one-way function and $m$ is the (encoded in binary, say) message, then computing $f(m)$ should be fast but computing $f^{-1}(c)$ should be difficult for any ciphertext $c = f(m)$.

One implementation of an elliptic curve cryptosystem comes from the Massey-Omura system [5]. Let $E$ be a fixed elliptic curve over a finite field $\mathbb{F}_{p^k}$ and suppose $N = |E|$. That is, for any point $P \in E$, $P$ added to itself $N$ times produces the identity (the point at infinity); $NP = \mathrm{id}$, where the notation $nQ$ for integer $n$ and point $Q \in E$ means the $n$-fold addition of $Q$ with itself. To transmit message $m$ to Bob, Alice first represents $m$ as a point $X_0$ on the elliptic curve $E$. There exist many such easy-to-compute invertible mappings (with easy-to-compute inverses) from the space of messages to the set of points on $E$; one must be publicly decided upon by Alice and Bob beforehand. Alice now chooses a random integer $0 < c < N$ with $\gcd(c, N) = 1$ and sends Bob $cX_0$. Bob chooses another random integer $0 < d < N$ with $\gcd(d, N) = 1$ and adds the point he received to itself $d$ times, yielding $d(cX_0)$, and sends the result to Alice. Since $\gcd(c, N)$ was 1, Alice may compute $c^{-1} \bmod N$; Alice then sends Bob $c^{-1}(d(cX_0))$. Finally, Bob similarly calculates $d^{-1}$ and computes $d^{-1}(c^{-1}(d(cX_0)))$.

Figure 1: The group law, defined by point addition, of elliptic curves (figure from [7]). The point at infinity is the identity for this operation.

Clearly for this cryptosystem to work $d^{-1}(c^{-1}(d(cX_0)))$ must equal $X_0$. From the definition,

$$d^{-1}(c^{-1}(d(cX_0))) = (c^{-1}c)(d^{-1}d)X_0.$$

But $c^{-1}c = kN + 1$ and $d^{-1}d = mN + 1$ for some integers $k$ and $m$, so this is $(kN + 1)(mN + 1)X_0$. Since $NX_0 = \mathrm{id}$, the identity of the elliptic curve group law, this quantity is simply $X_0$, so Bob has recovered $X_0$ and hence the original message (as the encoding of messages to points was invertible).

Another implementation of an elliptic curve cryptosystem obviates the need to know the order of the elliptic curve. In the ElGamal system, Alice and Bob agree beforehand on some fixed point $Y \in E$. This time Bob begins by choosing a random integer $d$ and sending $dY$ to Alice. To send a message encoded as point $X_0$ to Bob, Alice chooses a random integer $0 < c < N$ and sends both $cY$ and $X_0 + c(dY)$ to Bob. Using the first of these data Bob may compute $d(cY) = cdY$, and by subtracting this from the latter Bob can find $X_0 + cdY - cdY = X_0$.

We now turn to the security of these and other similar elliptic curve cryptosystems. Intuitively, either of these cryptosystems is based on the difficulty of finding $X_0$ solely from multiples of $X_0$. For example, in the Massey-Omura system an eavesdropper Eve would have the points $cX_0$, $dcX_0$, and $c^{-1}dcX_0 = dX_0$. This suggests the definition of the following problem:

Problem 1 (Elliptic Curve Discrete Log Problem, ECDLP). Given points $P, Q \in E$ on a fixed elliptic curve over a finite field with the condition that $Q = kP$ for some integer $k$, determine $k$.

Breaking either elliptic curve cryptosystem in the general case is equivalent to solving this problem (for general $P$, $Q$, and $E$, and again with the underlying assumption of a reasonable computational bound). For example, if one could solve the ECDLP (in reasonable time), then given $cX_0$ and $dcX_0$, an attacker Eve could find the integer $d$. From this Eve could compute $d^{-1} \bmod N$, and find $X_0$ from $d^{-1}(dX_0) = X_0$, recovering the message.

Note that the above cryptosystems require the computation of large multiples of points $P \in E$.
Because parameters must be chosen such that the requisite computation of multiples of points is computationally fast (in polynomial time, say) while still making brute-force guess-and-check infeasible for finding $k$ in the ECDLP, we require a faster way to compute large multiples of points. Fortunately such an algorithm exists; by repeatedly adding a point $P$ to itself, one may compute $2^k P$ using only $k$ point additions. More generally, to compute $nP$ for any $n$, one need only write $n$ in binary, maintaining the current point (initially equal to $\mathrm{id}$). For each binary digit in $n$ starting from the left (the most significant digit), add the current point to itself, and add $P$ as well to the current point if the digit is 1. For example, to compute $25P$, where $25 = 11001_2$, first begin with $\mathrm{id}$; then reading digits from left to right, double-and-add, double-and-add, double, double, and double-and-add, obtaining $P$, $3P$, $6P$, $12P$, and finally $25P$. Each digit corresponds to at most two additions, meaning $nP$ can be computed in $O(\log n)$ individual point additions. Hence if $N = |E|$ is chosen to be sufficiently large, the ECDLP is infeasible to solve by brute-force while multiples of points may be computed quickly.

Currently it is unknown if the ECDLP is actually not solvable in sub-exponential time. Since elliptic curve cryptography's inception in 1985 [2], it has been adopted to a limited extent commercially. Some limited attacks on elliptic curve cryptosystems have been developed; they do not solve the ECDLP (in reasonable time) in general however, only for specific classes of elliptic curves. For example anomalous elliptic curves, those over $\mathbb{F}_p$ that have exactly $p$ rational points, are weak cryptographically; for this class of elliptic curves, the ECDLP can be quickly solved [8]. For other elliptic curves, an adaptation of the Pollard rho method used in the factorization of integers can run in polynomial time, solving the ECDLP in computationally feasible time [9]. The SEC (Standards for Efficient Cryptography) has published a list of elliptic curve domain parameters (choices of relevant constants) that appear secure against all known cryptographic attacks [10].

Elliptic curve cryptography shares much in common with the more traditional RSA method; both public key systems rely on the infeasibility of solving some computational problem in sub-exponential time. However, despite being less used, elliptic curve cryptography offers benefits in speed of computation. To achieve comparable security to that offered by a symmetric key (a key known by both parties, as in the one-time pad above) size of 80 bits, the National Institute of Standards and Technology suggests a key size for RSA of 1024 bits while only 160 bits for an elliptic curve cryptosystem [2]. Requiring more security only accentuates this advantage of elliptic curve cryptography over the RSA method; to achieve equivalent security to that offered by a symmetric key of 256 bits, one must use an RSA key of 15360 bits but an elliptic curve cryptography key of only 521 bits.
While this difference may appear small on most computers, it is significant for low-power electronics such as handheld devices (smartphones and Blackberries, for example) [1]. On the PalmPilot, finding an acceptable 1024-bit RSA public key requires 42 seconds, while finding an equivalently secure elliptic curve cryptography key requires only around 3 [1]. Indeed a movement is underway to develop standards for elliptic curve cryptography and better integrate it into software (such as browsers), especially in the mobile market [3].

As computers become more powerful, stronger cryptography becomes more necessary to protect the security of online transactions such as account verification and banking. RSA keys as long as 768 bits have been factored [11], necessitating more efficient algorithms for constructing and processing secure public keys. Elliptic curve cryptography is one such method that promises significantly shorter key lengths for equivalent measures of security, giving it an advantage over more traditional cryptosystems. Especially for application to computing devices with low computational power, such as many mobile phones and handheld devices, elliptic curve cryptography will likely allow its users to achieve greater levels of cryptographic security than were available before.
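The Massey-Omura and ElGamal exchanges and the double-and-add multiplication described above, carried through on a toy curve. This is an added example, not code from the original document; the curve y^2 = x^3 + 2x + 2 over F_17 (group order N = 19), the points and the secrets c, d are assumptions chosen so the arithmetic can be followed by hand.

```python
# Toy parameters, constructed for illustration and far too small for real use:
# E: y^2 = x^3 + 2x + 2 over F_17, a group of prime order N = 19.
P_MOD, A, N = 17, 2, 19
ID = None  # the point at infinity, identity of the group law

def add(p, q):
    """Chord-and-tangent addition of two points of E."""
    if p is ID:
        return q
    if q is ID:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return ID  # q is the negative of p
    if p == q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def neg(p):
    """Inverse of a point under the group law."""
    return p if p is ID else (p[0], -p[1] % P_MOD)

def mul(n, p):
    """Double-and-add: scan the bits of n from the most significant down."""
    cur = ID
    for bit in bin(n)[2:]:
        cur = add(cur, cur)       # double
        if bit == "1":
            cur = add(cur, p)     # add
    return cur

def massey_omura(x0, c, d):
    """Return (points seen on the wire, point Bob recovers)."""
    m1 = mul(c, x0)                   # Alice -> Bob:  c X0
    m2 = mul(d, m1)                   # Bob -> Alice:  d c X0
    m3 = mul(pow(c, -1, N), m2)       # Alice -> Bob:  c^-1 d c X0 = d X0
    return (m1, m2, m3), mul(pow(d, -1, N), m3)

def elgamal(x0, y, d, c):
    """Return (points Alice sends, point Bob recovers); d is Bob's secret."""
    dy = mul(d, y)                    # Bob -> Alice:  d Y
    c1, c2 = mul(c, y), add(x0, mul(c, dy))
    return (c1, c2), add(c2, neg(mul(d, c1)))

if __name__ == "__main__":
    X0, Y = (9, 16), (5, 1)           # constructed message point and base point
    print(massey_omura(X0, c=7, d=5))
    print(elgamal(X0, Y, d=3, c=8))
```

With a group of only 19 points, an eavesdropper who sees cX0 and dcX0 can find d by trying every multiple, which is why N must be large in practice.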

Bibliography

[1] Dan Boneh, Review of SEC1: Elliptic Curve Cryptography Standards for Efficient Cryptography
[2] http://www.nsa.gov/business/programs/elliptic_curve.shtml
[3] http://labs.oracle.com/projects/crypto/
[4] http://en.wikipedia.org/wiki/diffie%e2%80%93hellman_key_exchange
[5] Neal Koblitz, Elliptic Curve Cryptosystems, Mathematics of Computation, Jan. 1987, Volume 48, Number 177, Pages 203-209
[6] http://en.wikipedia.org/wiki/elliptic_curve_cryptography
[7] Anoop MS, Elliptic Curve Cryptography An Implementation Guide
[8] Leprévost, Monnerat, Varrette, and Vaudenay, Generating Anomalous Elliptic Curves, Information Processing Letters, Volume 93, Pages 225-230, Elsevier, 2005
[9] http://www.isg.rhul.ac.uk/~sdg/ecc.html
[10] Certicom Research, SEC 2: Recommended Elliptic Curve Domain Parameters, Standards for Efficient Cryptography, Sept. 20, 2000, Version 1.0
[11] http://www.rsa.com/rsalabs/node.asp?id=2093