Vorlesung: WS 20022003 Effiziente Kryptographie

1
Vorlesung WS 2002/2003Effiziente Kryptographie

• Dr. Tsuyoshi Takagi, Juniorprofessor
• Technische Universtät Darmstadt
• Fachbereich Informatik
• http//www.informatik.tu-darmstadt.de/TI/

2
Lecture Plan
We assume the basic knowledge about cryptography
i.e., J. Buchmann, Introduction to
cryptography, Springer, 1998.
(1) Fast integer arithmetics (2) Elliptic curve
cryptosystem (3) Fast RSA-type cryptosystems (4)
Smartcard architecture (5) Side channel
attack (6) NTRU cryptosystem (7) NICE/NICE-X
cryptosystem
3
Public-key cryptosystem
Receiver (Bank)
Sender (User)
m message
4
Digital Signature
(e public key , d secret key ) of a
signer Sd signing function, Vs verification
function, m Vs(Sd(m))
5
Secure E-Mail
Secure IP Network
PGP
Secure Payment
IPv6
Mobile Network
S/MIME
SET
i-mode
IPSEC
WAP
iKP
SSL
TSL
Secure Devices
Digital Signature
Public-Key Cryptosystem
NF
RSA
Lattice
Factoring
EC
6
Efficiency is important
For the sake of high security, a secret key is
stored on a smart card (tamper-resistant).
A special coprocessor is required for the
computation on a smart card, which is very
expensive.
Currently no public-key cryptosystems are used
for a large scale market, such as cash cards or
SIM cards for mobile phones
7
How to improve efficiency

• (1)Software technique
• - optimization of complier, memory management
• (2)Hardware technology
• - improvement of CPU, memory (RAM, ROM)
  access
• (3)Mathematical improvements
• - developing efficient algorithms

8
RSA Cryptosystem
p, q primes, n pq, ed 1 mod (n),
e, n public key, d secret key, (factoring,
n 1024 bits) M message, M in (Z/nZ)x. (0ltMltn)
Encryption C Me mod n
Decryption M Cd mod n
Key generation p 3, q 5, n 15, e 3 gt d
3 Encryption C 7e mod n, gt C
13 Decryption M 13d mod n gt M 7
9
Fast Exponentiation
The binary representation of d dk-12k-1
dk-22k-2 d121 d020, where dk-11.
Left-to-right binary method Input M, n,
d Output Md mod n X M For ik-2 to 0 X
XX mod n if di1, then XXM mod n Return
X

• Basic Integer Arithmetic
• - Multiplication
• - Squaring
• Modular Reduction

We need about 1536 modular multiplications for
1024-bit n,d on average.
10
RSA Signature
p, q primes, n pq, ed 1 mod (n),
e, n public key, d secret key, (factoring,
n 1024 bits) M message, M in 0,1,.. , n-1.
Signing S Md mod n
Verification M Se mod n
Key generation p 3, q 5, n 15, e 3 gt d
3 Signing M 13, S 13d mod n,
gt S 7 Verification Checking M Se mod
n
11
ElGamal Encryption
p prime, g generator of Fp, a secret
exponent, A ga mod p.
p,g,A public key, a secret key, (DL problem,
p 1024 bits) M message in 0,1,.. ,p-1
Encryption (1) Generate a random number k in
1,2,..,p-2 (2) B gk mod
p, C MAk mod p.
Decryption (1) M CB-a mod p.
12
ElGamal Signature
p prime, g generator of Fp, a secret
exponent, A ga mod p.
p,g,A public key, a secret key, (DL problem,
p 1024 bits) h 0,1 -gt 1,2,.. , p-1 hash
function M message in 0,1
Signing (1) Generate a random number k in
1,2,..,p-2 (2) r gk mod p, s
k-1 (h(M) ar) mod p-1).
Verification(1) Check 0 lt r lt p.
(2) Check Ar rs gh(M) mod p.
Correctness of the verification Ar rs gar
gkk-1(h(M)-ar) gh(M) mod p.
13
Textbook
A. Menezes, P. van Oorschot, S. Vanstone,
Applied Crypotgraphy, CRC Press, 2001 ISBN
0-8493-8523-7 Chapter 14, Efficient
Implementation (44 pages) http//www.cacr.math.uwa
terloo.ca/hac/
14
Fast Integer Arithmetic

• Basic algorithm Advanced algorithm
• - Addition - Montgomery
  reduction
• - Subtraction - Montgomery
  multiplication
• - Multiplication - Barrett
  reduction
• - Squaring - Reduction for
  special moduli
• - Division - binary gcd
  algorithm
• gcd algorithm - Lehmers gcd
  algorithm
• CRT - Garners
  algorithm
• Exponentiation - Montgomery
  exponentiation
• -
  Windows based method

15
Main Components of Smartcards

• Central Processing Unit (CPU),
• Read Only Memory (ROM),
• Electrically Erasable Programmable Read Only
  Memory (EEPROM),
• Random Access Memory (RAM),
• Arithmetic Unit (AU).

RAM ROM EEPROM
CPU
I/O-Port
AU
16

• Central Processing Unit (CPU)
• - 8 or 16 bit controller
• - Motorola 6805, Intel 8051, Hitachi, etc
• - The programming for CPU is done in assembler.
  
• Read Only Memory (ROM)
• - non-volatile memory
• - photographic mask programmed
• (Several months for changing the ROM code)
• - it contains the operating system, the
  transmission protocol
• and commands, the security algorithms,
  several applications.
• - size, 8-16 kBytes (Max. 48 kBytes)

17

• Random Access Memory (RAM)
• - It is a volatile memory.
• - The contents are lost when the power supply
  is switched off.
• - It is used for a buffer for storing
  transmission data and as a very fast access
  memory for workspace.
• - Reading and writing a byte takes a few
  microseconds.
• - Size 128 - 256 Bytes (Max 3KBytes)
• - Much more expensive than ROM

18

• EEPROM
• - It is a non-volatile programmable memory.
• - It allows about 100,000 update (i.e.
  erase/write) cycles.
• - writing is about 1,000 times slower than
  doing into RAM.
• - Size 2-8 kBytes (Max 12 kBytes)
• - the secret key, the cryptographic parameters
  are stored.
• Arithmetic Unit (AU)
• - It is the cryptographic co-processor, which
  computes the integer
• arithmetic (addition, multiplication, modular
  exponentiation)
• - The speed between the AU and memory is not
  negligible.
• - The development cost is very expensive.

19
Cryptographic Coprocessor

• It usually has a capability to compute
• the multiplication (ab),
• the integer addition (a b),
• the modular multiplications (ad mod n)
• and no division, inversions.
• In general the division and inversion are slow
  and require a lot of memory.

20
Elliptic Curves
(Weierstrass-form of an elliptic curve)
p is a primegt3, discriminant
The set of points on the
curve and the point of infinity
has an additive group structure.
Addition (ECADD)
Doubling (ECDBL)
21
Advantage of ECC
(1)The security of ECC is based on the discrete
logarithm problem of elliptic curves over
finite fields. (2)There are no sub-exponential
time algorithm to solve it. Thus 1024-bit RSA
is consider as secure as160-bit ECC. (3)ECC is
suitable for the implementation over memory
constraint computing environment like smart
cards.
22
Scalar Multiplication
To compute
times
6 ECDBLs 2 ECADDs
99 ECADDs
Binary chain (from the MSB) Q0 P for in-2
down to 0 Q0 ECDBL(Q0) if ki1 then
Q0 ECADD(Q0,P) return(Q0)
23
Standard Formula
(Weierstraß-form of an elliptic curve)
Standard Formula
24
Example
(Weierstraß-form of an elliptic curve)
a 1, b 6, p 11. E(1,6)/GF(11) O, (2,4),
(2,7), (3,5), (3,6), (5,2), (5,9),
(7,2), (7,9), (8,3), (8,8),
(10,2), (10,9)
ECADD (2,4) (10,9) (r2 (x1 x2), r(x1
- x3) - y1) (3,5) r
(y2-y1)/(x1 x2) (9-4)/(10-2) mod 11
2 ECDBL 2(8,8) (r2 (x1 x2), r(x1 -
x3) - y1) (7,2) r (3x12
1)/(2y1) mod 11 10