Title: http://www.cs.nctu.edu.tw/~rjchen/ECC2012S/
Outline
- 1 Discrete Logarithm Problem
- 2 Algorithms for Discrete Logarithm
- 3 Cryptosystems Based on DLP
- 4 Elliptic Curves
- 5 Elliptic Curve DLP
- 6 Signature Scheme ECDSA
- 7 How to find secure ECs?
- 8 Hyperelliptic Curves
- 9 ID-based Cryptosystems
- 10 Pairing-based Cryptography
1 Discrete Logarithm Problem
- Let G be a finite cyclic group of size n generated by generator g, i.e.
- G = <g> = {g^i : i = 1, 2, ..., n} or {g^i : i = 0, 1, ..., n-1}
- Given g and i, it is easy to compute g^i by repeated squaring
- Discrete logarithm problem
- Given , find x such that
- We denote
- Example 1: G = Z_19^* = {1, 2, ..., 18}, n = 18, generator g = 2
- then log_2 14 = 7, log_2 6 = 14
- Example 2: G = GF(2^3)^* with irreducible polynomial p(x) = x^3 + x + 1, G = (Z_2[x]/p(x))^* = {1, x, x^2, 1+x, 1+x^2, x+x^2, 1+x+x^2}, n = 7, generator g = x
- then log_x(x+1) = 3, log_x(x^2+x+1) = 5, log_x(x^2+1) = 6
- Example 3: Let p = 1053546280395016975304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359
- NB p = 158(2^800 + 25) + 1 and has 807 bits.
- Find x in Z such that 2^x ≡ 3 (mod p)
2 Algorithms for Discrete Logarithm
- trivial algorithm
- Shanks algorithm (Baby-step giant-step)
- Pollard rho discrete log algorithm
- Pohlig-Hellman algorithm
- The index calculus method
The index calculus method
- The index calculus method (suitable only for G = Z_p^*)
- Example: log_5 9451 mod 10007 = ?
- Choose B = {2, 3, 5, 7}. Of course log_5 5 = 1.
- Use lucky exponents 4063, 5136, and 9865:
- 5^4063 mod 10007 = 42 = 2 · 3 · 7
- 5^5136 mod 10007 = 54 = 2 · 3^3
- 5^9865 mod 10007 = 189 = 3^3 · 7
- And we have three congruences:
- log_5 2 + log_5 3 + log_5 7 ≡ 4063 (mod 10006)
- log_5 2 + 3 log_5 3 ≡ 5136 (mod 10006)
- 3 log_5 3 + log_5 7 ≡ 9865 (mod 10006)
- There happens to be a unique solution modulo 10006: log_5 2 = 6578, log_5 3 = 6190, and log_5 7 = 1301
- Choose random exponent s = 7736 and try to calculate a·g^s = 9451 · 5^7736 mod 10007 = 8400
- Since 8400 = 2^4 · 3 · 5^2 · 7 factors over B, we obtain
- log_5 9451 = (4 log_5 2 + log_5 3 + 2 log_5 5 + log_5 7 − s) mod 10006 = (4·6578 + 6190 + 2·1 + 1301 − 7736) mod 10006 = 6057 mod 10006
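The index calculus computation above carried out in code, as an added example that is not from the slides: the same group Z_10007^*, generator 5, factor base B, lucky exponents and random exponent s, plus a search routine that finds smooth exponents of the kind the slides call lucky. The linear system is verified rather than solved here; the stage-2 step for the individual logarithm is implemented in full.

```python
P, G, B = 10007, 5, (2, 3, 5, 7)   # group Z_10007^*, generator 5, factor base from the slides
N = P - 1                          # discrete logarithms live in Z_10006

def factor_over_base(v):
    """Exponent vector of v over B, or None when v is not B-smooth."""
    exps = []
    for prime in B:
        e = 0
        while v % prime == 0:
            v //= prime
            e += 1
        exps.append(e)
    return exps if v == 1 else None

def smooth_exponents(count, start=1):
    """Stage 1 search: exponents a with g^a mod p B-smooth (the slides' lucky exponents)."""
    found, a = [], start
    while len(found) < count:
        if factor_over_base(pow(G, a, P)) is not None:
            found.append(a)
        a += 1
    return found

def relations(exponents):
    """Each smooth g^a = prod q_i^e_i gives the congruence sum e_i log q_i = a (mod p-1)."""
    rels = []
    for a in exponents:
        vec = factor_over_base(pow(G, a, P))
        if vec is not None:
            rels.append((vec, a))
    return rels

def check_solution(logs, rels):
    """True when candidate logs of 2, 3, 5, 7 satisfy every relation modulo p-1."""
    return all(sum(e * l for e, l in zip(vec, logs)) % N == a % N for vec, a in rels)

def individual_log(target, logs, s):
    """Stage 2: if target * g^s mod p is B-smooth, log target = sum e_i log q_i - s (mod p-1)."""
    vec = factor_over_base(target * pow(G, s, P) % P)
    if vec is None:
        return None                # unlucky s: the slides would draw another random exponent
    return (sum(e * l for e, l in zip(vec, logs)) - s) % N
```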
Complexity of Index Calculus
- For factoring and the discrete logarithm problem in finite fields F_q there are index calculus algorithms (implemented with the Number Field Sieve technique)
- These have subexponential complexity O(exp(c (ln N)^{1/3} (ln ln N)^{2/3}))
3 Cryptosystems based on DL
- Key Distribution
- Diffie-Hellman, 1976
- Encryption
- Massey-Omura cryptosystem, 1983
- Digital Signature
- ElGamal, 1985
Diffie-Hellman Key Exchange Algorithm
- Global public elements
- q: a prime number
- a: a < q and a is a primitive root of q
- User A key generation
- Select private X_A, X_A < q
- Calculate public Y_A = a^{X_A} mod q
- User B key generation
- Select private X_B, X_B < q
- Calculate public Y_B = a^{X_B} mod q
- Generation of secret key by User A: K = (Y_B)^{X_A} mod q
- Generation of secret key by User B: K = (Y_A)^{X_B} mod q
Diffie-Hellman Key Exchange (figure)
- User A: generate random X_A < q, calculate Y_A = a^{X_A} mod q, send Y_A to B, then calculate K = (Y_B)^{X_A} mod q
- User B: generate random X_B < q, calculate Y_B = a^{X_B} mod q, send Y_B to A, then calculate K = (Y_A)^{X_B} mod q
Massey-Omura for message transmission
- Parameters
- q: a prime number
- e: a random private integer, 0 < e < q and gcd(e, q-1) = 1
- d: an inverse of e, d = e^{-1} mod (q-1), i.e., de ≡ 1 mod (q-1)
- M: a message to be encrypted and decrypted
- User A wants to send a message M to User B
- User A: e_A and d_A are both private
- User B: e_B and d_B are both private
Massey-Omura for message transmission (figure)
1. Encryption (1), A → B: C1 = M^{e_A} mod q
2. Encryption (2), B → A: C2 = C1^{e_B} = M^{e_A e_B} mod q
3. Encryption (3), A → B: C3 = C2^{d_A} = (M^{e_A e_B})^{d_A} = M^{e_B} mod q
4. Decryption, B: M = C3^{d_B} = M^{e_B d_B} mod q
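The three-pass exchange above, as an added example that is not code from the slides; it uses a constructed toy prime q = 10007 and Python's built-in modular exponentiation and inverse.

```python
import secrets
from math import gcd

Q = 10007   # toy prime field, constructed for this example (far too small for real use)

def make_keypair(q=Q):
    """Private exponent e with gcd(e, q-1) = 1 and its inverse d, so that (M^e)^d = M mod q."""
    while True:
        e = secrets.randbelow(q - 2) + 2            # 2 <= e <= q-1
        if gcd(e, q - 1) == 1:
            return e, pow(e, -1, q - 1)             # d = e^-1 mod (q-1)

def massey_omura(M, key_a, key_b, q=Q):
    """Three-pass exchange of the figure above; returns (C1, C2, C3, M recovered by B)."""
    if not 0 < M < q:
        raise ValueError("message must be a field element, 0 < M < q")
    eA, dA = key_a
    eB, dB = key_b
    C1 = pow(M, eA, q)                              # 1. A -> B: M^eA
    C2 = pow(C1, eB, q)                             # 2. B -> A: M^(eA eB)
    C3 = pow(C2, dA, q)                             # 3. A -> B: A removes eA, leaving M^eB
    return C1, C2, C3, pow(C3, dB, q)               # 4. B removes eB: M^(eB dB) = M
```

The exchange gives confidentiality only: no pass authenticates its sender, so in practice it has to run over an authenticated channel.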
ElGamal signature scheme
- 1985 ElGamal
- Parameters
- p: a large prime
- a: a primitive element in GF(p)
- x: a private key, x ∈ [1, p-1]
- y: a public key, y = a^x (mod p)
- m: a message to be signed, m ∈ [1, p-1]
- k: a random integer that is privately selected, k ∈ [0, p-2]
- Signature
- r = a^k mod p
- m = ks + rx mod φ(p), where gcd(k, φ(p)) = 1
- (m, (r, s)) is sent to the verifier
- Verification
- a^m = r^s y^r mod p
- The signature (r, s) is accepted when the equality holds true.
ElGamal encryption scheme
- Parameters
- p: a large prime
- α: a primitive element in GF(p)
- a: a private key, a ∈ [1, p-1]
- β: a public key, β = α^a (mod p)
- m: a message, m ∈ [1, p-1]
- k: a random integer that is privately selected, k ∈ [0, p-2]
- K = (p, α, a, β): (p, α, β) is the public key, a is the private key
- Encryption
- e_K(m, k) = (y1, y2)
- where y1 = α^k mod p and y2 = m β^k mod p
- Decryption
- m = d_K(y1, y2) = y2 (y1^a)^{-1} mod p
4 Elliptic Curves
- Over fields of characteristic p > 3
- Curve form
- E: Y^2 = X^3 + aX + b
- where a, b ∈ F_q, q = p^n
- 4a^3 + 27b^2 ≠ 0
- Group operation
- given P1 = (x1, y1) and P2 = (x2, y2)
- compute P3 = (x3, y3) = P1 + P2
(figure: the point P + Q = (x_{P+Q}, y_{P+Q}))
Example of EC over GF(p)
(figure: points P, Q, P + Q and -P on the curve)
- Addition (P1 ≠ P2)
- Doubling (P1 = P2)
- Computational cost: I + 3M for addition, I + 4M for doubling (I: field inversion, M: field multiplication)
- Over fields of characteristic 2
- Curve form
- E: Y^2 + XY = X^3 + aX^2 + b
- where a, b ∈ F_q, b ≠ 0, q = 2^n
- Group operation
- given P1 = (x1, y1) and P2 = (x2, y2)
- compute P3 = (x3, y3) = P1 + P2
Example of EC over GF(2^m)
- Addition (P1 ≠ P2)
- Doubling (P1 = P2)
- Computational cost: I + 2M + S for each (I: field inversion, M: field multiplication, S: field squaring)
5 Elliptic Curve DLP
- Basic computation of ECC
- Q = kP
- where P is a curve point, k is an integer
- Strength of ECC
- Given the curve, the point P, and kP
- it is hard to recover k
- Elliptic Curve Discrete Logarithm Problem (ECDLP)
- Security of ECC versus RSA/ElGamal
- Elliptic curve cryptosystems give the most security per bit of any known public-key scheme.
- The ECDLP problem appears to be much more difficult than the integer factorisation problem and the discrete logarithm problem of Z_p. (no index calculus algorithm!)
- The strength of elliptic curve cryptosystems grows much faster as the key size increases than does the strength of RSA.
Elliptic Curve Security
NIST Recommended Key Sizes
Symmetric key size (bits)   RSA and Diffie-Hellman key size (bits)   Elliptic curve key size (bits)
80                          1024                                     160
112                         2048                                     224
128                         3072                                     256
192                         7680                                     384
256                         15360                                    521
- ECC benefits
- ECC is particularly beneficial for applications where
- computational power is limited (wireless devices, PC cards)
- integrated circuit space is limited (wireless devices, PC cards)
- high speed is required
- intensive use of signing, verifying or authenticating is required
- signed messages are required to be stored or transmitted (especially for short messages)
- bandwidth is limited (wireless communications and some computer networks)
6 Signature Scheme ECDSA
- Digital Signature Algorithm (DSA)
- Proposed in 1991
- Was adopted as a standard on December 1, 1994
- Elliptic Curve DSA (ECDSA)
- FIPS 186-2 in 2000
Digital Signature Algorithm (DSA)
- L ≡ 0 mod 64, 512 ≤ L ≤ 1024
- Let p be an L-bit prime such that the DL problem in Z_p^* is intractable, and let q be a 160-bit prime that divides p-1. Let α be a q-th root of 1 modulo p.
- Define K = (p, q, α, a, β), β = α^a mod p
- p, q, α, β are the public key, a is private
- For a (secret) random number k, define
- sig_K(x, k) = (γ, δ), where
- γ = (α^k mod p) mod q and
- δ = (SHA-1(x) + aγ) k^{-1} mod q
- For a message (x, (γ, δ)), verification is done by performing the following computations
- e1 = SHA-1(x) δ^{-1} mod q
- e2 = γ δ^{-1} mod q
- ver(x, (γ, δ)) = true iff (α^{e1} β^{e2} mod p) mod q = γ
Elliptic Curve DSA
- Let p be a prime, and let E be an elliptic curve defined over F_p. Let A be a point on E having prime order q, such that the DL problem in <A> is infeasible.
- Define K = (p, q, E, A, m, B), B = mA
- p, q, E, A, B are the public key, m is private
- For a (secret) random number k, define sig_K(x, k) = (r, s),
- where kA = (u, v), r = u mod q and
- s = k^{-1}(SHA-1(x) + mr) mod q
- For a message (x, (r, s)), verification is done by performing the following computations
- i = SHA-1(x) s^{-1} mod q
- j = r s^{-1} mod q
- (u, v) = iA + jB
- ver(x, (r, s)) = true if and only if u mod q = r
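The ECDSA steps above, together with the affine group law of section 4 and the basic computation Q = kP of section 5, as an added example that is not code from the slides. It borrows the curve shape the ID-based encryption section uses later on this page (p ≡ 2 mod 3, p = 6q - 1, E: y^2 = x^3 + 1 over F_p) with constructed toy parameters p = 6053, q = 1009, far too small for real use; on such a curve #E(F_p) = p + 1 = 6q, so six times any point is either O or a point of order q, and SHA-1(x) is reduced modulo q.

```python
import hashlib, secrets
P_MOD, Q_ORD, O = 6053, 1009, None   # 6053 = 2 mod 3 and 6053 = 6*1009 - 1; O = point at infinity

def ec_add(p1, p2):
    """Affine chord-and-tangent law for y^2 = x^3 + 1 (a = 0) over F_p, p > 3."""
    if p1 is O or p2 is O:
        return p1 or p2                                  # O is the identity
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                                         # P + (-P) = O
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P_MOD)       # tangent slope, a = 0
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)        # chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):                                       # double-and-add: Q = kP
    acc = O
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def base_point():
    """Point A of prime order q: cube-root map (the MapToPoint trick) times cofactor 6."""
    for y in range(P_MOD):
        x = pow((y * y - 1) % P_MOD, (2 * P_MOD - 1) // 3, P_MOD)   # x^3 = y^2 - 1
        pt = ec_mul(6, (x, y))                           # #E = 6q, so 6*pt is O or has order q
        if pt is not O: return pt

def hash_mod_q(msg):
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % Q_ORD

def ecdsa_sign(msg, m, A, k=None):
    """kA = (u, v), r = u mod q, s = k^-1 (SHA-1(x) + m r) mod q."""
    while True:
        k = k or secrets.randbelow(Q_ORD - 1) + 1        # k is secret and must never repeat
        r = ec_mul(k, A)[0] % Q_ORD
        s = pow(k, -1, Q_ORD) * (hash_mod_q(msg) + m * r) % Q_ORD
        if r and s: return (r, s)
        k = None                                         # r or s was 0: draw a fresh k

def ecdsa_verify(msg, sig, A, Bpub):
    """i = h s^-1, j = r s^-1, (u, v) = iA + jB, accept iff u mod q = r."""
    r, s = sig
    if not (0 < r < Q_ORD and 0 < s < Q_ORD): return False
    w = pow(s, -1, Q_ORD)
    pt = ec_add(ec_mul(hash_mod_q(msg) * w % Q_ORD, A), ec_mul(r * w % Q_ORD, Bpub))
    return pt is not O and pt[0] % Q_ORD == r
```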
7 How to find secure elliptic curves?
- (1) Randomly choose a, b, p and calculate
- the elliptic curve (y^2 = x^3 + ax + b)
- until #E = a prime q,
- where #E is calculated by using the Schoof-Elkies-Atkin algorithm
- (2) (Complex multiplication method)
- Given a big prime q, find p, a, b such that
- #E(y^2 = x^3 + ax + b) = q
8 Hyperelliptic Curves
- 1. Definition of HC
- 2. Example of HC
- (rational points of HC do not form a group)
- 3. Divisor
- 4. Jacobian (Jacobian is a group)
- 5. HCDLP
Definitions of hyperelliptic curves
- A hyperelliptic curve C of genus g over a finite field K (g ≥ 1): C: y^2 + h(x)y = f(x)
- where
- h(x) ∈ K[x] is a polynomial of degree at most g,
- f(x) ∈ K[x] is a monic polynomial of degree 2g+1.
- Elliptic curves are hyperelliptic curves of genus 1.
Group law in an elliptic curve
(figure: points P, Q, -R and P + Q on the curve)
Example hyperelliptic curve
- A genus 2 hyperelliptic curve over R: C: y^2 = x^5 - 5x^3 + 4x = x(x+1)(x-1)(x+2)(x-2)
- The rational points on C do not form a group.
Divisors
- Definition (divisor, degree)
- A divisor D is a formal sum of points in C
- The degree of D,
- The set of all divisors, denoted D, forms an additive group under the addition rule
- D^0(K) is the subgroup of all divisors defined over K and of degree 0.
- Example: D1 = 2P1 + P2 - 3∞, D2 = P1 + P3
- deg(D1) = 2 + 1 - 3 = 0, deg(D2) = 1 + 1 = 2
- D1 + D2 = 3P1 + P2 + P3 - 3∞
Principal divisor
- Definition (principal divisors)
- Let R ∈ K(C) be a rational function. The divisor of R is called a principal divisor
- In fact, the degree of a principal divisor is 0.
- The set of all principal divisors, denoted P(K), is a subgroup of D^0(K).
- Example: Q1 = (1, 0) on C, div(x-1) = 2Q1 - 2∞
Jacobian
- Definition (Jacobian)
- The quotient group J_C(K) = D^0/P is called the Jacobian of the curve C.
- If D1, D2 ∈ D^0 and D1 - D2 ∈ P, then D1 and D2 are said to be equivalent divisors; we write D1 ~ D2.
Group law in HC
- A genus 2 hyperelliptic curve over R: C: y^2 = x^5 - 5x^3 + 4x
- y = a3 x^3 + a2 x^2 + a1 x + a0
(figure: points P1, P2, P3, P4 on C and the interpolating cubic)
HCDLP
- HCDLP (hyperelliptic curve discrete logarithm problem)
- Let a divisor D1 in J_C(F_q) with known order N, and D2 in <D1>
- To find an integer λ s.t. D2 = λD1 is hard.
9 ID-based Cryptosystem (figure)
- Private Key Generator (PKG)
- Setup: generate params and master key
- ID_Bob is arbitrary and meaningful, e.g. Bob_at_hotmail.com or 0912345678
- Authentication (ID_Bob)
- Extract: generate KR_IDBob from ID_Bob and the master key
- Alice uses (params, ID_Bob) to Encrypt or Verify
- Bob uses KR_IDBob to Decrypt or Sign
Certificate-based Cryptosystem (figure)
- Certificate Authority (CA)
- KU_Bob is random
- Authentication (KU_Bob)
- Certificate(Bob, KU_Bob)
- Alice uses Certificate(Bob, KU_Bob) to Encrypt or Verify
- Bob uses KU_Bob and KR_Bob to Decrypt or Sign
ID-based Encryption Scheme
- Proposed by Boneh and Franklin (Crypto 2001)
- First complete and efficient scheme
- Bilinear pairing
- G1: additive group generated by P, ord(P) = q
- G2: multiplicative group with the same order q
- Assume that the DLP in G1 and G2 is hard
- Let e: G1 × G1 → G2 satisfy
- 1. Bilinear: e(P1 + P2, Q) = e(P1, Q) e(P2, Q)
- e(P, Q1 + Q2) = e(P, Q1) e(P, Q2)
- 2. Non-degenerate: ∃ P, Q ∈ G1 s.t. e(P, Q) ≠ 1
- 3. Computability
- Bilinear Diffie-Hellman (BDH) assumption
- Given P, aP, bP, cP ∈ G1, computing e(P, P)^{abc} is HARD!
ID-based Encryption Scheme
- System: k-bit prime p, p ≡ 2 mod 3, p = 6q - 1; E: y^2 = x^3 + 1 over F_p
- ID-based Encryption
- Setup
- (1) Choose P ∈ E/F_p of order q
- (2) Pick a random s ∈ Z_q and set P_pub = sP
- (3) Two hash functions
- H1: {0,1}* → G1 (MapToPoint)
- H2: G2 → {0,1}^n for some n
- Extract
- Given an ID ∈ {0,1}*, build the private key S_ID as follows
- Q_ID = H1(ID)
- Set d_ID = sQ_ID, where s is the master key
- Params = <p, q, P, P_pub, H1, H2>, Master-key = s
ID-based Encryption Scheme
- Encrypt
- Use MapToPoint to map ID to Q_ID
- choose a random r ∈ Z_q
- C = <rP, M ⊕ H2(e(Q_ID, P_pub)^r)>
- Decrypt
- Let C = <U, V>; if U is not a point of order q then reject
- M = V ⊕ H2(e(d_ID, U))
- Correctness: d_ID = sQ_ID and P_pub = sP, so e(d_ID, U) = e(sQ_ID, rP) = e(Q_ID, P)^{sr} = e(Q_ID, sP)^r = e(Q_ID, P_pub)^r
Weil Pairing
- (Def) Weil pairing
- where
- E[m] is called the m-torsion group,
- μ_m is the group of the m-th roots of unity
- Given P, Q ∈ E[m], ∃ D_P, D_Q ∈ Div^0 such that D_P ~ (P) - (O) and D_Q ~ (Q) - (O). Also, ∃ f_P, f_Q such that div(f_P) = m D_P and div(f_Q) = m D_Q.
- Suppose supp(D_P) ∩ supp(D_Q) = ∅
- Then
End-to-end security for SMS (short message service)
10 Pairing-based Cryptography
- 1. Implementation of pairings
- Bilinear pairing
- e: G1 × G2 → G_T
- G1, G2: prime-order subgroups of an elliptic curve E over GF(q^k)
- G_T: prime-order subgroup of GF(q^k)^*
- k is the embedding degree of E (w.r.t. r | #E(GF(q)))
- k is the smallest positive integer s.t. r | q^k - 1
- Various pairings
- Weil pairing
- Tate pairing
- Eta pairing
- Ate pairing
- Generalized Ate pairing
- 2. Use of pairings in cryptography
- Attack on ECDLP (MOV attack)
- One-round 3-way key exchange (Joux)
- IBE (Boneh-Franklin)
- Short digital signature (Boneh-Lynn-Shacham)
- Other applications: group signatures, batch signatures, aggregate signatures, threshold cryptography, authenticated encryption, broadcast encryption, etc.
- 3. Constructing pairing-friendly curves
- Want k large enough so that the DLP in GF(q^k) is computationally infeasible, but small enough so that the pairing is easy to compute.
- Cocks-Pinch strategy
- MNT strategy
- Dupont-Enge-Morain strategy
- Brezing-Weng strategy
- Scott-Barreto strategy