http://www.cs.nctu.edu.tw/~rjchen/ECC2012S/ - PowerPoint PPT Presentation

Outline
  • 1 Discrete Logarithm Problem
  • 2 Algorithms for Discrete Logarithm
  • 3 Cryptosystems Based on DLP
  • 4 Elliptic Curves
  • 5 Elliptic Curve DLP
  • 6 Signature Scheme ECDSA
  • 7 How to find secure ECs?
  • 8 Hyperelliptic Curves
  • 9 ID-based Cryptosystems
  • 10 Pairing-based Cryptography

1 Discrete Logarithm Problem
  • Let G be a finite cyclic group of size n generated by a generator g, i.e.
  • G = <g> = { g^i : i = 1, 2, ..., n } = { g^i : i = 0, 1, ..., n-1 }
  • Given g and i, it is easy to compute g^i by repeated squaring
  • Discrete logarithm problem: given g and an element y of G, find x such that g^x = y
  • We denote x = log_g y

  • Example 1: G = Z_19^* = {1, 2, ..., 18}, n = 18, generator g = 2
  • then log_2 14 = 7 and log_2 6 = 14

  • Example 2: G = GF(2^3)^* with irreducible polynomial p(x) = x^3 + x + 1,
    G = (Z_2[x]/(p(x)))^* = {1, x, x^2, 1+x, 1+x^2, x+x^2, 1+x+x^2}, n = 7,
    generator g = x
  • then log_x(x+1) = 3, log_x(x^2+x+1) = 5, log_x(x^2+1) = 6

  • Example 3: Let p = 105354628039501697530461658293395
    87319488718149259134893426087342587178835751858673
    00386287737705577937382925873762451990450430661350
    85968269741025626827114728303489756321430023716636
    91740666159071764725494700831131071381899212808840
    03892629359
  • NB: p = 158·(2^800 + 25) + 1; p has 244 decimal digits, i.e. 808 bits
  • Find x in Z such that
  • 2^x ≡ 3 (mod p)

2 Algorithms for Discrete Logarithm
  • trivial algorithm (exhaustive search)
  • Shanks' algorithm (baby-step giant-step)
  • Pollard's rho discrete log algorithm
  • Pohlig-Hellman algorithm
  • The index calculus method

The index calculus method
  • The index calculus method (suitable only for G = Z_p^*)

  • Example
  • log_5 9451 mod 10007 = ?
  • Choose B = {2, 3, 5, 7}. Of course log_5 5 = 1.
  • Use the "lucky" exponents 4063, 5136, and 9865:
  • 5^4063 mod 10007 = 42 = 2 · 3 · 7
  • 5^5136 mod 10007 = 54 = 2 · 3^3
  • 5^9865 mod 10007 = 189 = 3^3 · 7
  • And we have three congruences (modulo p − 1 = 10006):
  • log_5 2 + log_5 3 + log_5 7 ≡ 4063 (mod 10006)
  • log_5 2 + 3·log_5 3 ≡ 5136 (mod 10006)
  • 3·log_5 3 + log_5 7 ≡ 9865 (mod 10006)

  • There happens to be a unique solution modulo 10006:
  • log_5 2 = 6578, log_5 3 = 6190, and log_5 7 = 1301
  • Choose a random exponent s = 7736 and try to calculate
  • 9451 · 5^7736 mod 10007 = 8400
  • Since 8400 = 2^4 · 3 · 5^2 · 7 factors over B, we obtain
  • log_5 9451 ≡ (4·log_5 2 + log_5 3 + 2·log_5 5 + log_5 7 − s) (mod 10006)
  •            ≡ (4·6578 + 6190 + 2·1 + 1301 − 7736) (mod 10006)
  •            ≡ 6057 (mod 10006)

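The two stages of the index calculus method worked above, together with Shanks' baby-step giant-step algorithm from the list in section 2, as an added example (this is not code from the slides). It uses the slides' own numbers: p = 10007, g = 5, the factor base {2, 3, 5, 7} and the three solved factor-base logarithms. Stage 1 (finding relations) is only checked against the three exponents on the slide, not searched for; solving the small linear system is left to the slide. The BSGS routine is generic for Z_p^* and is used as an independent cross-check of the answer 6057.

```python
# Added example (not from the slides): Shanks' baby-step giant-step algorithm
# and the second stage of the index calculus method, checked against the
# numbers on the slides (Z_19^* with g = 2, and log_5 9451 mod 10007).
from math import isqrt


def bsgs(g, h, p, n=None):
    """Return x in [0, n) with g^x == h (mod p), or None if no such x exists.
    n is the order of the group (default p - 1 for Z_p^*); cost O(sqrt(n))."""
    n = p - 1 if n is None else n
    m = isqrt(n) + 1
    table = {}                    # baby steps: g^j -> j for 0 <= j < m
    cur = 1
    for j in range(m):
        table.setdefault(cur, j)
        cur = cur * g % p
    step = pow(g, -m, p)          # g^(-m) mod p (modular inverse, Python >= 3.8)
    gamma = h % p                 # giant steps: h, h*g^-m, h*g^-2m, ...
    for i in range(m):
        if gamma in table:
            return (i * m + table[gamma]) % n
        gamma = gamma * step % p
    return None


def factor_over_base(value, base):
    """Exponent vector of value over the factor base, or None if value is not
    B-smooth (some prime factor lies outside the base)."""
    exps = []
    for q in base:
        e = 0
        while value % q == 0:
            value //= q
            e += 1
        exps.append(e)
    return exps if value == 1 else None


# Parameters from the slide: p = 10007, g = 5, factor base B = {2, 3, 5, 7}
# and the solved factor-base logarithms (log_5 5 = 1 trivially).
P, G = 10007, 5
BASE = [2, 3, 5, 7]
BASE_LOGS = [6578, 6190, 1, 1301]


def relation_holds(g, p, base, base_logs, exponent):
    """Stage 1 check: g^exponent mod p factors over the base, and the solved
    logs satisfy sum_i e_i * log_g(q_i) == exponent (mod p - 1)."""
    exps = factor_over_base(pow(g, exponent, p), base)
    if exps is None:
        return False
    return sum(e * l for e, l in zip(exps, base_logs)) % (p - 1) == exponent % (p - 1)


def check_slide_relations():
    """The three 'lucky exponent' relations on the slide."""
    return all(relation_holds(G, P, BASE, BASE_LOGS, e) for e in (4063, 5136, 9865))


def index_calculus_log(g, h, p, base, base_logs, max_tries=100000):
    """Stage 2: with log_g(q) known for every q in the base, scan s = 1, 2, ...
    until h * g^s mod p is B-smooth, then log_g(h) = sum_i e_i*log_g(q_i) - s.
    (The slide uses a random s = 7736; any smooth s gives the same answer,
    because g is a primitive root so the logarithm is unique mod p - 1.)"""
    n = p - 1
    for s in range(1, max_tries):
        exps = factor_over_base(h * pow(g, s, p) % p, base)
        if exps is not None:
            return (sum(e * l for e, l in zip(exps, base_logs)) - s) % n
    return None


if __name__ == "__main__":
    print("log_2 14 mod 19 =", bsgs(2, 14, 19))
    print("slide relations hold:", check_slide_relations())
    print("log_5 9451 mod 10007 =", index_calculus_log(G, 9451, P, BASE, BASE_LOGS))
    print("cross-check with BSGS:", bsgs(G, 9451, P))
```

BSGS needs about 2·sqrt(p) group operations and as much memory, which is why it is only a cross-check here; the index calculus answer comes from three relations plus one smooth value, and its cost is dominated by the relation-finding stage the slide skips over.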
Complexity of Index Calculus
  • For factoring and for the discrete logarithm problem in finite fields F_q there
    are index calculus algorithms (implemented with the Number Field Sieve technique)
  • These have subexponential complexity
  • O(exp(c · (ln N)^{1/3} · (ln ln N)^{2/3}))

3 Cryptosystems based on DL
  • Key Distribution: Diffie-Hellman, 1976
  • Encryption: Massey-Omura cryptosystem, 1983
  • Digital Signature: ElGamal, 1985

Diffie-Hellman Key Exchange Algorithm
  • Global Public Elements
  • q: a prime number
  • a: a < q and a is a primitive root of q
  • User A Key Generation
  • Select private X_A, X_A < q
  • Calculate public Y_A = a^{X_A} mod q
  • User B Key Generation
  • Select private X_B, X_B < q
  • Calculate public Y_B = a^{X_B} mod q
  • Generation of Secret Key by User A
  • K = (Y_B)^{X_A} mod q
  • Generation of Secret Key by User B
  • K = (Y_A)^{X_B} mod q

Diffie-Hellman Key Exchange (message flow)
  User A: generate random X_A < q, calculate Y_A = a^{X_A} mod q
  User A --> User B: Y_A
  User B: generate random X_B < q, calculate Y_B = a^{X_B} mod q
  User B --> User A: Y_B
  User A: calculate K = (Y_B)^{X_A} mod q
  User B: calculate K = (Y_A)^{X_B} mod q
Massey-Omura for message transmission
  • Parameters
  • q: a prime number
  • e: a random private integer, 0 < e < q and gcd(e, q-1) = 1
  • d: an inverse of e, d = e^{-1} mod (q-1), i.e., d·e ≡ 1 (mod q-1)
  • M: a message to be encrypted and decrypted
  • User A wants to send a message M to User B
  • User A: e_A and d_A are both private
  • User B: e_B and d_B are both private

Massey-Omura for message transmission (message flow)
  1. Encryption (1), User A: C1 = M^{e_A} mod q
  User A --> User B: C1
  2. Encryption (2), User B: C2 = C1^{e_B} = M^{e_A e_B} mod q
  User B --> User A: C2
  3. Encryption (3), User A: C3 = C2^{d_A} = (M^{e_A e_B})^{d_A} = M^{e_B} mod q
  User A --> User B: C3
  4. Decryption, User B: M = C3^{d_B} = M^{e_B d_B} mod q
ElGamal signature scheme
  • 1985, ElGamal
  • Parameters
  • p: a large prime
  • a: a primitive element of GF(p)
  • x: a private key, x ∈ [1, p-1]
  • y: a public key, y = a^x (mod p)
  • m: a message to be signed, m ∈ [1, p-1]
  • k: a random integer that is privately selected, k ∈ [0, p-2], with gcd(k, φ(p)) = 1
  • Signature
  • r = a^k mod p
  • m ≡ k·s + r·x (mod φ(p)), where φ(p) = p-1, i.e. s = k^{-1}·(m − r·x) mod (p-1)
  • (m, (r, s)) is sent to the verifier
  • Verification
  • a^m ≡ r^s · y^r (mod p)
  • The signature (r, s) is accepted when the equality holds true.

ElGamal encryption scheme
  • Parameters
  • p: a large prime
  • α: a primitive element of GF(p)
  • a: a private key, a ∈ [1, p-1]
  • β: a public key, β = α^a (mod p)
  • m: a message to be encrypted, m ∈ [1, p-1]
  • k: a random integer that is privately selected, k ∈ [0, p-2]
  • K = (p, α, a, β): (p, α, β) is the public key, a is the private key
  • Encryption
  • e_K(m, k) = (y1, y2)
  • where y1 = α^k mod p and y2 = m·β^k mod p
  • Decryption
  • m = d_K(y1, y2) = y2 · (y1^a)^{-1} mod p

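The three DL-based schemes of this section (Diffie-Hellman key exchange, the ElGamal signature and ElGamal encryption) implemented over a constructed toy prime, as an added example that is not code from the slides. The parameters q = 23 and primitive root a = 5 are chosen here for illustration only; the input checks (rejecting degenerate Diffie-Hellman public values, requiring gcd(k, p-1) = 1 and range-checking r before verification) are the ones a careful implementation performs and are not spelled out on the slides.

```python
# Added example (not from the slides): the three DL-based schemes from this
# section over a constructed toy prime, with the input checks a careful
# implementation performs.  q = 23 and primitive root a = 5 are illustration
# only; real parameters are 2048-bit or larger (see the key-size table below).
import secrets
from math import gcd

Q, A = 23, 5   # constructed toy parameters: q prime, a = 5 has order 22 mod 23


def random_exponent(modulus):
    """Uniform private exponent in [1, modulus - 2] from the OS CSPRNG."""
    return 1 + secrets.randbelow(modulus - 2)


# --- Diffie-Hellman ---------------------------------------------------------
def is_valid_dh_public(y, q=Q):
    """Reject 0, 1 and q-1: a peer sending one of these forces K into {0, 1, q-1}."""
    return 1 < y < q - 1


def dh_keygen(q=Q, a=A):
    """(private X, public Y = a^X mod q); retry if Y happens to be degenerate."""
    while True:
        x = random_exponent(q)
        y = pow(a, x, q)
        if is_valid_dh_public(y, q):
            return x, y


def dh_shared(their_public, my_private, q=Q):
    if not is_valid_dh_public(their_public, q):
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(their_public, my_private, q)


# --- ElGamal signature: y = a^x, r = a^k, m = k*s + r*x (mod p-1) --------------
def elgamal_sign(m, x, p=Q, a=A, k=None):
    """k must be fresh, secret and invertible mod p-1; pass k only for tests."""
    if k is None:
        k = random_exponent(p)
        while gcd(k, p - 1) != 1:
            k = random_exponent(p)
    if gcd(k, p - 1) != 1:
        raise ValueError("k must be coprime to p-1")
    r = pow(a, k, p)
    s = (m - x * r) * pow(k, -1, p - 1) % (p - 1)
    return r, s


def elgamal_verify(m, sig, y, p=Q, a=A):
    r, s = sig
    if not (1 <= r <= p - 1 and 0 <= s <= p - 2):
        return False                       # range check before any exponentiation
    return pow(a, m, p) == pow(r, s, p) * pow(y, r, p) % p


# --- ElGamal encryption: beta = alpha^a, (y1, y2) = (alpha^k, m * beta^k) -------
def elgamal_encrypt(m, beta, p=Q, alpha=A, k=None):
    k = random_exponent(p) if k is None else k
    return pow(alpha, k, p), m * pow(beta, k, p) % p


def elgamal_decrypt(y1, y2, a, p=Q):
    """m = y2 * (y1^a)^-1 mod p."""
    return y2 * pow(pow(y1, a, p), -1, p) % p


if __name__ == "__main__":
    xa, ya = dh_keygen()
    xb, yb = dh_keygen()
    print("DH keys agree:", dh_shared(yb, xa) == dh_shared(ya, xb))
    x = 7
    y = pow(A, x, Q)                       # public key y = a^x mod q
    sig = elgamal_sign(10, x, k=3)         # fixed k for a reproducible demo only
    print("signature", sig, "valid:", elgamal_verify(10, sig, y))
    y1, y2 = elgamal_encrypt(11, y, k=3)
    print("decrypts to", elgamal_decrypt(y1, y2, x))
```

With a primitive root as the base, a public value equal to q − 1 can occur legitimately (a^{(q-1)/2} = −1), which is why the key generation loop above simply redraws X in that case; with a generator of a prime-order subgroup that case cannot arise.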
4 Elliptic Curves
  • Over Fields of Characteristic p > 3
  • Curve form
  • E: Y^2 = X^3 + aX + b
  • where a, b ∈ F_q, q = p^n
  • 4a^3 + 27b^2 ≠ 0
  • Group operation
  • given P1 = (x1, y1) and P2 = (x2, y2)
  • compute P3 = (x3, y3) = P1 + P2

[figure: chord-and-tangent construction of P + Q = (x_{P+Q}, y_{P+Q}) and of its negative]

Example of EC over GF(p)
  • Example

[figure: points P, Q, P + Q and −P on an elliptic curve over GF(p)]

  • Addition (P1 ≠ P2): λ = (y2 − y1)/(x2 − x1), x3 = λ^2 − x1 − x2, y3 = λ(x1 − x3) − y1
  • Doubling (P1 = P2): λ = (3x1^2 + a)/(2y1), x3 = λ^2 − 2x1, y3 = λ(x1 − x3) − y1

Computational cost of addition: I + 3M
Computational cost of doubling: I + 4M
  • Over Fields of Characteristic 2
  • Curve form
  • E: Y^2 + XY = X^3 + aX^2 + b
  • where a, b ∈ F_q, b ≠ 0, q = 2^n
  • Group operation
  • given P1 = (x1, y1) and P2 = (x2, y2)
  • compute P3 = (x3, y3) = P1 + P2

Example of EC over GF(2^m)

  • Addition (P1 ≠ P2)
  • Doubling (P1 = P2)

Computational cost of addition: I + 2M + S
Computational cost of doubling: I + 2M + S
5 Elliptic Curve DLP
  • Basic computation of ECC
  • Q = kP
  • where P is a curve point, k is an integer
  • Strength of ECC
  • Given the curve, the point P, and kP
  • It is hard to recover k
  • - Elliptic Curve Discrete Logarithm Problem (ECDLP)

  • Security of ECC versus RSA/ElGamal
  • Elliptic curve cryptosystems give the most security per bit of any known public-key scheme.
  • The ECDLP appears to be much more difficult than the integer factorisation problem
    and the discrete logarithm problem in Z_p^* (no index calculus algorithm is known for it!)
  • The strength of elliptic curve cryptosystems grows much faster as the key size
    increases than does the strength of RSA.

Elliptic Curve Security: NIST recommended key sizes (bits)

  Symmetric key | RSA and Diffie-Hellman | Elliptic curve
  80            | 1024                   | 160
  112           | 2048                   | 224
  128           | 3072                   | 256
  192           | 7680                   | 384
  256           | 15360                  | 521
  • ECC Benefits
  • ECC is particularly beneficial for applications where
  • computational power is limited (wireless devices, PC cards)
  • integrated circuit space is limited (wireless devices, PC cards)
  • high speed is required
  • intensive use of signing, verifying or authenticating is required
  • signed messages are required to be stored or transmitted (especially short messages)
  • bandwidth is limited (wireless communications and some computer networks)

6 Signature Scheme ECDSA
  • Digital Signature Algorithm (DSA)
  • Proposed in 1991
  • Was adopted as a standard (FIPS 186) on December 1, 1994
  • Elliptic Curve DSA (ECDSA)
  • FIPS 186-2 in 2000

Digital Signature Algorithm (DSA)
  • L ≡ 0 (mod 64), 512 ≤ L ≤ 1024
  • Let p be an L-bit prime such that the DL problem in Z_p^* is intractable, and let q
    be a 160-bit prime that divides p-1. Let α be a q-th root of 1 modulo p (an element
    of order q).
  • Define K = (p, q, α, a, β), where β = α^a mod p
  • p, q, α, β are the public key, a is private

  • For a (secret) random number k, define
  • sig(x, k) = (γ, δ), where
  • γ = (α^k mod p) mod q and
  • δ = (SHA-1(x) + a·γ)·k^{-1} mod q
  • For a message (x, (γ, δ)), verification is done by performing the following computations:
  • e1 = SHA-1(x)·δ^{-1} mod q
  • e2 = γ·δ^{-1} mod q
  • ver(x, (γ, δ)) = true iff (α^{e1}·β^{e2} mod p) mod q = γ

Elliptic Curve DSA
  • Let p be a prime, and let E be an elliptic curve defined over F_p. Let A be a point
    on E having prime order q, such that the DL problem in <A> is infeasible.
  • Define K = (p, q, E, A, m, B), where B = mA
  • p, q, E, A, B are the public key, m is private

  • For a (secret) random number k, define sig_K(x, k) = (r, s),
  • where kA = (u, v), r = u mod q and
  • s = k^{-1}·(SHA-1(x) + m·r) mod q
  • (if r = 0 or s = 0, choose a new k)
  • For a message (x, (r, s)), verification is done by performing the following computations:
  • i = SHA-1(x)·s^{-1} mod q
  • j = r·s^{-1} mod q
  • (u, v) = iA + jB
  • ver(x, (r, s)) = true if and only if u mod q = r

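The affine group law from section 4 and ECDSA as written on the slides, as an added example (not code from the slides). Two things are assumed here and are not on the slides: the curve is secp256k1 (its published domain parameters stand in for the generic (p, q, E, A); any prime-order curve works the same way), and SHA-256 replaces the SHA-1 of the FIPS 186-2 text, which is no longer acceptable for signatures. The verifier also adds the range checks on r, s and the public-key validation that FIPS 186 requires, and the last function shows why the slide insists that k be secret: two signatures under the same k expose the private key m.

```python
# Added example (not from the slides): affine point arithmetic on E: y^2 = x^3 +
# ax + b over F_p (the formulas behind the I + 3M / I + 4M costs in section 4)
# and ECDSA exactly as on the slides, plus the checks FIPS 186 adds (r, s != 0,
# public key a valid point of order q).  Assumptions: the curve is secp256k1
# (any prime-order curve works) and SHA-256 replaces the slides' SHA-1.
import hashlib
import secrets

# secp256k1 domain parameters (standard published values)
P = 2**256 - 2**32 - 977
CA, CB = 0, 7
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order q of G
INF = None  # point at infinity O


def ec_add(P1, P2):
    """Chord-and-tangent group law in affine coordinates."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                    # P + (-P) = O
    if P1 == P2:                                      # doubling: I + 4M
        lam = (3 * x1 * x1 + CA) * pow(2 * y1, -1, P) % P
    else:                                             # addition: I + 3M
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, Pt):
    """Q = kP by double-and-add (demo only: not constant-time)."""
    R, Q = INF, Pt
    while k > 0:
        if k & 1:
            R = ec_add(R, Q)
        Q = ec_add(Q, Q)
        k >>= 1
    return R


def on_curve(Pt):
    if Pt is INF:
        return True
    x, y = Pt
    return (y * y - x**3 - CA * x - CB) % P == 0


def hash_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def ecdsa_keygen():
    m = 1 + secrets.randbelow(N - 1)    # private key m in [1, q-1]
    return m, ec_mul(m, G)              # public key B = mA (A = G here)


def ecdsa_sign(msg, m, k=None):
    """(r, s) = (u m q, k^-1 (H(x) + m r) mod q) with kA = (u, v); a fixed k
    is for tests only: reusing k across messages leaks m (see below)."""
    while True:
        if k is None:
            k = 1 + secrets.randbelow(N - 1)
        u, _ = ec_mul(k, G)
        r = u % N
        s = pow(k, -1, N) * (hash_int(msg) + m * r) % N
        if r != 0 and s != 0:
            return r, s
        k = None                        # FIPS 186: pick a fresh k if r or s is 0


def ecdsa_verify(msg, sig, B):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False                    # range checks before any arithmetic
    if B is INF or not on_curve(B) or ec_mul(N, B) is not INF:
        return False                    # B must be a valid point of order q
    w = pow(s, -1, N)
    i = hash_int(msg) * w % N
    j = r * w % N
    R = ec_add(ec_mul(i, G), ec_mul(j, B))
    return R is not INF and R[0] % N == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures under the same k share r; the private key m follows
    from s1 - s2 = k^-1 (H1 - H2).  Returns m, or None if not exploitable."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2 or (s1 - s2) % N == 0:
        return None
    k = (hash_int(msg1) - hash_int(msg2)) * pow(s1 - s2, -1, N) % N
    return (s1 * k - hash_int(msg1)) * pow(r1, -1, N) % N


if __name__ == "__main__":
    m, B = ecdsa_keygen()
    sig = ecdsa_sign(b"pay 10 to carol", m)
    print("valid:", ecdsa_verify(b"pay 10 to carol", sig, B))
    print("tampered:", ecdsa_verify(b"pay 99 to carol", sig, B))
```

The verification step (u, v) = iA + jB is where an unchecked public key hurts: without confirming that B lies on E and has order q, a verifier can be driven into the wrong group, so the order check is kept even though it costs one extra scalar multiplication.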
7 How to find secure elliptic curves?
  • (1) Randomly choose a, b, p and calculate the elliptic curve E: y^2 = x^3 + ax + b
  • until #E = q is a prime,
  • where #E (the number of points on E over F_p) is calculated by using the
    Schoof-Elkies-Atkin algorithm
  • (2) (Complex multiplication method)
  • Given a big prime q, find p, a, b such that the elliptic curve y^2 = x^3 + ax + b
    over F_p has #E = q

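Step (1) above, as an added example (not code from the slides), with naive point counting via the Legendre symbol standing in for the Schoof-Elkies-Atkin algorithm (which is what makes the search feasible at cryptographic size; the naive count is only usable for toy primes). After a prime-order curve is found it is run through the further checks a curve has to pass before use: non-singular discriminant, prime order, not anomalous (#E ≠ p, which would allow Smart's attack), and an embedding degree k (the smallest k with q | p^k − 1, as defined in section 10) large enough that the MOV reduction of the ECDLP into GF(p^k) gives no advantage. The threshold of 20 for k and the two small curves used as checks are assumptions for this example.

```python
# Added example (not from the slides): step (1) above with naive point counting
# in place of the Schoof-Elkies-Atkin algorithm (fine for toy primes; SEA is
# needed at cryptographic size), followed by the checks a candidate curve must
# pass: non-singular, prime order, not anomalous (#E != p) and an embedding
# degree k large enough that the MOV reduction to GF(p^k) gives no advantage.
# The threshold min_embedding_degree=20 is an assumption for this demo.
from random import Random


def legendre(a, p):
    """(a/p) by Euler's criterion: 1 if a is a non-zero square mod p, -1 if not, 0 if a == 0."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def count_points(p, a, b):
    """#E(F_p) for y^2 = x^3 + a x + b: each x contributes 1 + (f(x)/p) points, plus O."""
    return 1 + sum(1 + legendre(x**3 + a * x + b, p) for x in range(p))


def is_prime(n):
    """Trial division; adequate for the toy orders naive counting can reach."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def embedding_degree(p, r, limit):
    """Smallest k in [1, limit] with r | p^k - 1, or None if none exists up to limit."""
    for k in range(1, limit + 1):
        if pow(p, k, r) == 1:
            return k
    return None


def curve_checks(p, a, b, min_embedding_degree=20):
    """(ok, reason, #E) for E: y^2 = x^3 + a x + b over F_p."""
    if (4 * a**3 + 27 * b**2) % p == 0:
        return False, "singular: 4a^3 + 27b^2 = 0", None
    n = count_points(p, a, b)
    if not is_prime(n):
        return False, f"order {n} is not prime", n
    if n == p:
        return False, "anomalous (#E = p)", n
    k = embedding_degree(p, n, min_embedding_degree)
    if k is not None:
        return False, f"embedding degree {k} too small (MOV)", n
    return True, "ok", n


def find_prime_order_curve(p, seed=0):
    """Step (1): draw a, b at random until #E(F_p) is prime; returns (a, b, #E)."""
    rng = Random(seed)                 # seeded so the search is reproducible
    while True:
        a, b = rng.randrange(p), rng.randrange(p)
        if (4 * a**3 + 27 * b**2) % p == 0:
            continue
        n = count_points(p, a, b)
        if is_prime(n):
            return a, b, n


if __name__ == "__main__":
    print("#E for y^2 = x^3 + x + 1 over F_5:", count_points(5, 1, 1))
    print("#E for y^2 = x^3 + 2x + 2 over F_17:", count_points(17, 2, 2))
    print(curve_checks(17, 2, 2))
    print(find_prime_order_curve(97, seed=1))
```

Every toy curve fails the embedding-degree check, as it should: with #E = 19 over F_17 the degree is 9, so the ECDLP would move into GF(17^9), a field small enough to attack directly. Hasse's bound guarantees the search loop terminates, since #E always lies within p + 1 ± 2√p and primes in that interval exist for every p the naive counter can handle.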
8 Hyperelliptic Curves
  • 1. Definition of HC
  • 2. Example of HC (the rational points of an HC do not form a group)
  • 3. Divisor
  • 4. Jacobian (the Jacobian is a group)
  • 5. HCDLP

Definitions of hyperelliptic curves
  • A hyperelliptic curve C of genus g over a finite field K (g ≥ 1): C: y^2 + h(x)y = f(x)
  • where
  • h(x) ∈ K[x] is a polynomial of degree at most g,
  • f(x) ∈ K[x] is a monic polynomial of degree 2g+1.
  • Elliptic curves are hyperelliptic curves of genus 1.

Group law in an elliptic curve
  • y^2 = x^3 − x over R

[figure: chord-and-tangent group law on y^2 = x^3 − x, with the labelled points P, Q, −R and P + Q]

Example: Hyperelliptic curve
  • A genus 2 hyperelliptic curve over R: C: y^2 = x^5 − 5x^3 + 4x = x(x+1)(x−1)(x+2)(x−2)
  • The rational points on C do not form a group.

Divisors
  • Definition (divisor, degree)
  • A divisor D is a formal sum of points in C: D = Σ_P m_P (P), with integer coefficients
    m_P, only finitely many of them non-zero
  • The degree of D is deg(D) = Σ_P m_P
  • The set of all divisors, denoted D, forms an additive group under the addition rule
    Σ m_P (P) + Σ n_P (P) = Σ (m_P + n_P)(P)
  • D^0(K) is the subgroup of all divisors defined over K and of degree 0.

  D1 = 2P1 + P2 − 3∞, D2 = P1 + P3
  deg(D1) = 2 + 1 − 3 = 0, deg(D2) = 1 + 1 = 2
  D1 + D2 = 3P1 + P2 + P3 − 3∞

Principal divisor
  • Definition (principal divisors)
  • Let R ∈ K(C) be a rational function. The divisor of R (its zeros minus its poles,
    counted with multiplicity) is called a principal divisor
  • In fact, the degree of a principal divisor is 0.
  • The set of all principal divisors, denoted P(K), is a subgroup of D^0(K).

  Q1 = (1, 0) on C: div(x − 1) = 2Q1 − 2∞

Jacobian
  • Definition (Jacobian)
  • The quotient group J_C(K) = D^0/P is called the Jacobian of the curve C.
  • If D1, D2 ∈ D^0 and D1 − D2 ∈ P, then D1 and D2 are said to be equivalent divisors;
    we write D1 ~ D2.

Group law in HC
  • A genus 2 hyperelliptic curve over R: C: y^2 = x^5 − 5x^3 + 4x
  • y = a3·x^3 + a2·x^2 + a1·x + a0

[figure: the cubic y = a3 x^3 + a2 x^2 + a1 x + a0 through the points P1, P2, P3, P4 on C]

HCDLP
  • HCDLP (hyperelliptic curve discrete logarithm problem)
  • Let D1 be a divisor in J_C(F_q) with known order N, and D2 ∈ <D1>
  • To find an integer λ such that D2 = λ·D1 is hard.

9 ID-based Cryptosystem

ID-based cryptosystem (diagram)
  • Private Key Generator (PKG)
  • Setup: generate params and the master key
  • ID_Bob is arbitrary and meaningful, e.g. Bob@hotmail.com or 0912345678
  • Bob authenticates to the PKG with ID_Bob; Extract: the PKG generates KR_ID_Bob
    (Bob's private key) from ID_Bob and the master key and returns KR_ID_Bob to Bob
  • Alice uses (params, ID_Bob) to Encrypt or Verify
  • Bob uses KR_ID_Bob to Decrypt or Sign

Certificate-based cryptosystem (diagram)
  • Certificate Authority (CA)
  • KU_Bob (Bob's public key) is random
  • Bob authenticates to the CA with KU_Bob and receives Certificate(Bob, KU_Bob)
  • Alice obtains Certificate(Bob, KU_Bob) and uses KU_Bob to Encrypt or Verify
  • Bob uses KR_Bob (his private key) to Decrypt or Sign
ID-based Encryption Scheme
  • Proposed by Boneh and Franklin (Crypto 2001)
  • First complete and efficient scheme
  • Bilinear Pairing
  • G1 additive group generated by P, ord(P)q
  • G2 multiplicative group with same order q
  • Assume that DLP in G1 and G2 are hard
  • Let e G1xG1 ? G2 satisfies
  • 1. Bilinear e(P1P2,Q)e(P1,Q)e(P2,Q)
  • e(P,Q1Q2)e(P,Q1)e(P,Q2)
  • 2. Non-degenerate ? P,Q ?G1, s.t e(P,Q)?1
  • 3. Computability
  • Bilinear Diffie-Hellman (BDH) Assumption
  • Given P, aP, bP, cP ?G1 , compute e(P, P)abc is
    HARD!

ID-based Encryption Scheme
System: k-bit prime p with p ≡ 2 (mod 3) and p = 6q − 1 for a prime q;
E: y^2 = x^3 + 1 over F_p
  • ID-based Encryption
  • Setup
  • (1) Choose P ∈ E/F_p of order q
  • (2) Pick a random s ∈ Z_q^* and set P_pub = sP
  • (3) Two hash functions
  • H1: {0,1}^* → G1 (MapToPoint)
  • H2: G2 → {0,1}^n for some n
  • Extract
  • Given an ID ∈ {0,1}^*, build the private key d_ID as follows
  • Q_ID = H1(ID)
  • Set d_ID = s·Q_ID, where s is the master key

Params = <p, q, P, P_pub, H1, H2>, Master-key = s

ID-based Encryption Scheme
  • Encrypt
  • Use MapToPoint to map ID to Q_ID
  • choose a random r ∈ Z_q^*
  • C = < rP, M ⊕ H2(e(Q_ID, P_pub)^r) >
  • Decrypt
  • Let C = < U, V >; if U is not a point of order q then reject
  • M = V ⊕ H2(e(d_ID, U))

Correctness: d_ID = s·Q_ID and P_pub = sP, so
e(d_ID, U) = e(s·Q_ID, rP) = e(Q_ID, P)^{sr} = e(Q_ID, sP)^r = e(Q_ID, P_pub)^r
Weil Pairing
  • (Def) Weil pairing e_m: E[m] × E[m] → U_m
  • where E[m] = {P ∈ E : mP = O} is called the m-torsion group,
  • U_m is the group of the m-th roots of unity
  • Given P, Q ∈ E[m], ∃ D_P, D_Q ∈ Div^0 such that
  • D_P ~ (P) − (O) and D_Q ~ (Q) − (O). Also, ∃ f_P, f_Q such that div(f_P) = m·D_P
    and div(f_Q) = m·D_Q.
  • Suppose supp(D_P) ∩ supp(D_Q) = ∅
  • Then e_m(P, Q) = f_P(D_Q) / f_Q(D_P)

End-to-end security for SMS (short message service)
  • RSA Mechanism (diagram not reproduced in the transcript)

End-to-end security for SMS
  • ID-based Mechanism (diagram not reproduced in the transcript)

10 Pairing-based Cryptography
  • 1. Implementation of Pairings
  • Bilinear pairing
  • e: G1 × G2 → G_T
  • G1, G2: prime-order (r) subgroups of an elliptic curve E over GF(q^k)
  • G_T: prime-order subgroup of GF(q^k)^*
  • k is the embedding degree of E (with respect to r | #E(GF(q)))
  • k is the smallest positive integer such that r | q^k − 1

  • Various pairings
  • Weil pairing
  • Tate pairing
  • Eta pairing
  • Ate pairing
  • Generalized Ate pairing

  • 2. Use of pairings in cryptography
  • Attack on ECDLP (MOV attack)
  • One-round 3-way key exchange (Joux)
  • IBE (Boneh-Franklin)
  • Short digital signatures (Boneh-Lynn-Shacham)
  • Other applications: group signatures, blind signatures, aggregate signatures,
    threshold cryptography, authenticated encryption, broadcast encryption, etc.

  • 3. Constructing pairing-friendly curves
  • Want k large enough so that the DLP in GF(q^k) is computationally infeasible, but
    small enough so that the pairing is easy to compute.
  • Cocks-Pinch strategy
  • MNT strategy
  • Dupont-Enge-Morain strategy
  • Brezing-Weng strategy
  • Scott-Barreto strategy