discrete math iiinfosec.pusan.ac.kr/.../2019/03/2-2.security-protocols-ecc_ver1.pdf · an elliptic...
TRANSCRIPT
![Page 1: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/1.jpg)
지능형사물인터넷시스템- Elliptic Curve Cryptography-
Howon Kim
2019. 3
![Page 2: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/2.jpg)
Introduction to Elliptic Curves
2
![Page 3: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/3.jpg)
Graphical Representation
X axis
Y axis
Curves of this nature
are called elliptic curves
3
![Page 4: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/4.jpg)
Elliptic Curve (EC) systems as applied to cryptography were first proposed in 1985 independently by Neal Koblitz and Victor Miller.
The discrete logarithm problem on elliptic curve groups is believed to be more difficult than the corresponding problem in(the multiplicative group of nonzero elements of) the underlying finite field.
Elliptic Curves in Cryptography
4
![Page 5: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/5.jpg)
Discrete Logarithms in Finite Fields
Alice Bob
Pick secret, random X from F
Pick secret, random Y from F
gy mod p
gx mod p
Compute k=(gy)x=gxy mod p Compute k=(gx)y=gxy mod p
Eve has to compute gxy from gx and gy without knowing x and y…
She faces the Discrete Logarithm Problem in finite fields
F={1,2,3,…,p-1}
5
![Page 6: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/6.jpg)
Ref) Discrete Logarithm Problem
6
Discrete Logarithm Problem
Let be any group, written multiplicatively for the moment, and let
Suppose we know that for some integer
In this context, the DLP is again to find .
could be the multiplicative g
, .
o p r u
k
G a b G
a b k
k
G
* of a finite field.
Also, could be for some elliptic curve, in which case and are points on
and we are trying to find an integer with
( )
.
q
q
F
G E F a b E
k ka b
![Page 7: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/7.jpg)
Consider y2 = x3 + 2x + 3(mod 5)
x = 0 y2 = 3 no solution (mod 5)
x = 1 y2 = 6 = 1 y = 1,4 (mod 5)
x = 2 y2 = 15 = 0 y = 0 (mod 5)
x = 3 y2 = 36 = 1 y = 1,4 (mod 5)
x = 4 y2 = 75 = 0 y = 0 (mod 5)
Then points on the elliptic curve are
(1,1)(1,4)(2,0)(3,1)(3,4)(4,0)
and the point at infinity:
Using the finite fields we can form an Elliptic Curve Group
where we also have a DLP problem which is harder to solve…
Elliptic Curve on a finite set of Integers
7
1 2 3
2
3
4 1
1 4
0 0 0
0
0
1 2 3
2
3
4
4
0
4
0 4
3
2
3 2 1
0
0
1
0
0
0
![Page 8: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/8.jpg)
An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with a rational point (which may be a point at infinity).
The field K is usually taken to be the complex numbers, reals, rationals, algebraic extensions of rationals, p-adic numbers, or a finite field.
Elliptic curves groups for cryptography are examined with the underlying fields of Fp (where p>3 is a prime) and F2
m (a binary representation with 2m elements).
8
Definition of Elliptic curves
![Page 9: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/9.jpg)
An elliptic curve is a plane curve defined by an equation
of the form2 3y x Ax B
Examples
9
General form of a EC
![Page 10: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/10.jpg)
The Elliptic curve E is the graph of an equation of the form
Generalized Weierstrass Equation of elliptic curves:
2 2 2
1 3 2 4 6y a xy a y x a x a x a
10
Weierstrass Equation
If is a field with , then we say that is defined ov r ., eK A B K E K
![Page 11: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/11.jpg)
11
Singular Point
A singular point of an algebraic curve is a point where the curve has "nasty" behavior such
as a cusp or a point of self-intersection (when the underlying field is taken as the
reals). More formall
K
y,
if the and partial
a point ( , ) on a cu
derivatives of a
rve ( , ) 0 is singular
( ,re both zero at the point ) .
a b f x y
x y f a b
![Page 12: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/12.jpg)
Elliptic Curve over field L
It is useful to add the point at infinity
The point is sitting at the top of the y-axis and any line is said to pass through the point when it is vertical
It is both the top and at the bottom of the y-axis
2 3( ) { } {( , ) | ... ...}E L x y L L y x
12
Points on the Elliptic Curve (EC)
![Page 13: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/13.jpg)
P + Q = Q + P (commutativity)
(P + Q) + R = P + (Q + R) (associativity)
P + O = O + P = P (existence of an identity element)
there exists ( − P) such that − P + P = P + ( − P) = O (existence of
inverses)
13
The Abelian Group
G , ( )
( )
, , ( ).
iven two points in ,
there is a third point, denoted by on? ,
and the following relations hold for all in
p
p
p
P Q E F
P Q E F
P Q R E F
![Page 14: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/14.jpg)
14
Abelian Group ?
![Page 15: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/15.jpg)
15
The Group Law
We could start with two points, or even one point, on an elliptic curve,
and produce another point.
< Adding Points on an EC >
1 2
1 2In the case
P P
x x
![Page 16: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/16.jpg)
16
The Group Law
< Adding Points on an EC >
2 3y x Ax B
![Page 17: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/17.jpg)
17
The Group Law
< Adding Points on an EC >
2 3y x Ax B
![Page 18: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/18.jpg)
18
The Group Law1 2
1 2 1 2In the case but
P P
x x y y
![Page 19: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/19.jpg)
19
The Group Law
1 2 1 1( , )P P x y
2 3y x Ax B
![Page 20: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/20.jpg)
20
The Group Law
2P
![Page 21: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/21.jpg)
21
The Group Law – Summary
2 1P P
![Page 22: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/22.jpg)
22
The Abelian Group – Theorem
2 2 2
1 3 2 4 6(2.1) y a xy a y x a x a x a
![Page 23: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/23.jpg)
x
y
1 1 2 2
3 3
( , ), ( , )
( ) ( , )
P x y Q x y
R P Q x y
y=m(x-x1)+y1
2 1
2 1
2 3
1 1
3 2 2
2
3 1 2
3 1 2 1
;
To find the intersection with E. we get
( ( ) )
,0 ...
,
( )
y ym
x x
m x x y x Ax B
or x m x
So x m x x
y m x x y
Let, P≠Q,
y2=x3+Ax+B
23
Addition in Affine Co-ordinates
![Page 24: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/24.jpg)
Let, P=Q
What happens when P2=∞?
2
2
1
1
1 1 2
3 2 2
2
3 1 3 1 3 1
2 3
3
2
, 0 (since then P +P = ):
0 ...
2 , ( )
dyy x A
dx
dy x Am
dx y
If y
x m x
x m x y m x x y
24
Doubling of a point
![Page 25: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/25.jpg)
21
1
2
1
21
12
12
_2
3
_
xxfory
ax
xxforxx
yy
Define for two points P (x1,y1) and
Q (x2,y2) in the Elliptic curve
Then P+Q is given by R(x3,y3) :
1133
213
)( yxxy
xxx
25
Sum of two points
![Page 26: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/26.jpg)
P+P = 2P
Point at infinity O
As a result of the above case P=O+P
O is called the additive identity of
the elliptic curve group.
Hence all elliptic curves have an
additive identity O.
26
![Page 27: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/27.jpg)
Introduction to Elliptic Curves
Elliptic Curve Cryptosystems
Implementation of ECC in Binary Fields
27
Agenda
![Page 28: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/28.jpg)
28
Scalar multiplication
![Page 29: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/29.jpg)
Elliptic Curves over Finite Fields
29
![Page 30: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/30.jpg)
30
EC over Finite Fields
![Page 31: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/31.jpg)
31
EC over Finite Fields
Since the sum of three roots is - (-4) 4,
the third root is 4. (3 2 4) mod 5.x x
![Page 32: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/32.jpg)
Applications of ECC
32
![Page 33: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/33.jpg)
Secrecy: Only B can Decrypt
the message
Authentication: Only A can
generate the encrypted message33
Public Key Cryptography
![Page 34: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/34.jpg)
34
Public Key Cryptography
![Page 35: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/35.jpg)
35
Public Key Cryptography
![Page 36: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/36.jpg)
Elliptic curve cryptography [ECC] is a public-key
cryptosystem just like RSA, Rabin, and El Gamal.
Every user has a public and a private key.
Public key is used for encryption/signature verification.
Private key is used for decryption/signature generation.
Elliptic curves are used as an extension to other
current cryptosystems.
Elliptic Curve Diffie-Hellman Key Exchange
Elliptic Curve Digital Signature Algorithm
36
What is ECC?
![Page 37: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/37.jpg)
The central part of any cryptosystem involving elliptic
curves is the elliptic group.
All public-key cryptosystems have some underlying
mathematical operation.
RSA has exponentiation (raising the message or ciphertext
to the public or private values)
ECC has point multiplication (repeated addition of two
points).
37
Using Elliptic Curves In Cryptography
![Page 38: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/38.jpg)
38
Diffie-Hellman Key Exchange
![Page 39: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/39.jpg)
39
Diffie-Hellman Key Exchange
![Page 40: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/40.jpg)
40
Diffie-Hellman Key Exchange
![Page 41: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/41.jpg)
Public: Elliptic curve and point B=(x,y) on curve
Secret: Alice’s a and Bob’s b
Alice, A Bob, B
a(x,y)
b(x,y)
Alice computes a(b(x,y))
Bob computes b(a(x,y))
These are the same since ab = ba
41
ECC Diffie-Hellman
![Page 42: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/42.jpg)
Alice and Bob want to agree on a shared key.
Alice and Bob compute their public and private keys.
Alice
Private Key = a
Public Key = PA = a * B
Bob
Private Key = b
Public Key = PB = b * B
Alice and Bob send each other their public keys.
Both take the product of their private key and the other user’s public key.
Alice KAB = a(bB)
Bob KAB = b(aB)
Shared Secret Key = KAB = abB
42
Example – Elliptic Curve Diffie-Hellman Exchange
![Page 43: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/43.jpg)
43
Digital Signature Algorithm
![Page 44: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/44.jpg)
44
ECDSA
![Page 45: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/45.jpg)
45
ECDSA
1 1 1 1Since , ( ) ( ( )( ) )s k m ax s k m axm ax G m xa G kG
![Page 46: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/46.jpg)
How do we analyze Cryptosystems?
How difficult is the underlying problem that it is
based upon
RSA – Integer Factorization
DH – Discrete Logarithms
ECC - Elliptic Curve Discrete Logarithm problem
How do we measure difficulty?
We examine the algorithms used to solve these problems
46
Why use ECC?
![Page 47: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/47.jpg)
To protect a 128 bit
AES key it would take a:
RSA Key Size: 3072 bits
ECC Key Size: 256 bits
How do we strengthen
RSA?
Increase the key length
Impractical?
47
Security of ECC
![Page 48: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/48.jpg)
Many devices are small and have limited storage and computational power
Where can we apply ECC?Wireless communication devices
Smart cards
Web servers that need to handle many encryption sessions
Any application where security is needed but lacks the power, storage and computational power that is necessary for our current cryptosystems
48
Applications of ECC
![Page 49: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/49.jpg)
Same benefits of the other cryptosystems:
confidentiality, integrity, authentication and non-
repudiation but…
Shorter key lengths
Encryption, Decryption and Signature Verification
speed up
Storage and bandwidth savings
49
Benefits of ECC
![Page 50: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/50.jpg)
“Hard problem” analogous to discrete log Q=kP, where Q,P belong to a prime curve
given k,P “easy” to compute Q
given Q,P “hard” to find k
known as the elliptic curve logarithm problem
k must be large enough
ECC security relies on elliptic curve logarithm problem compared to factoring, can use much smaller key sizes than with RSA etc
for similar security ECC offers significant
computational advantages
50
Summary of ECC
![Page 51: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/51.jpg)
Introduction to Elliptic Curves
Elliptic Curve Cryptosystems
Implementation of ECC in Binary Fields
51
Agenda
![Page 52: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/52.jpg)
Implementation of ECC in Binary Fields
52
![Page 53: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/53.jpg)
ECC
Pointmultiplication:
kP
Group operation: point add/double
Finite field arithmetic: multiplication,addition, subtraction, inversion, …
Parallelize the architectures
Level 0
Level 1
Level 2
Level 3
53
ECC Operations : Hierarchy
![Page 54: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/54.jpg)
54
Exponentiation (xn)
![Page 55: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/55.jpg)
55
Point (Scalar) multiplication on ECC
![Page 56: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/56.jpg)
56
Montgomery’s ladder for Exponentiation
Ref) Handbook of Elliptic and Hyperelliptic Curve Cryptography, CH9
![Page 57: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/57.jpg)
57
Montgomery’s ladder on ECC
Ref) Handbook of Elliptic and Hyperelliptic Curve Cryptography, CH13
At each step, one performs one addition and one doubling, which makesThis method interesting against side-channel attacks !
![Page 58: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/58.jpg)
Input: k>0, P
Output: Q=kP
1. Set k<-(kl-1,…,k1,k0)2
2. Set P1=P, P2=2P
3. For i from l-2 to 0
If ki=1,
Set P1=P1+P2, P2=2P2
else
Set P2=P2+P1, P1=2P1
4. Return Q=P1
Invariant Property:
P=P2-P1
Question: How to implement the
Operation efficiently?
58
Montgomery’s method to perform scalar multiplication
![Page 59: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/59.jpg)
Compute 7P
7=(111)2
Initialization:
P1=P; P2=2P
Steps:
P1=3P, P2=4P
P1=7P, P2=8P
Compute 6P
7=(110)2
Initialization:
P1=P; P2=2P
Steps:
P1=3P, P2=4P
P2=7P, P1=6P
59
Example
![Page 60: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/60.jpg)
60
Non-adjacent form (NAF) method
Ref) Guide to Elliptic Curve Cryptography, page 98
q- on an elliptic curve is just as efficient as addition over P
![Page 61: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/61.jpg)
61
Non-adjacent form (NAF) methodNon-adjacent form
2
2
Like the name suggests, non-zero values c
The non-adjacent form (NAF) of a number is a unique signed-digit representation.
. For example:
(0 ) 4 2
ann
1 7
(1 0 ) 8 - 2
ot be
1 1 1
-1
adjacent
1
2
2
1 7
( ) 8 - 4 2 1 7
8 - 1 7
All are valid signed-digit representations of 7,
(1 0 0 -1)
but only the final representation (1
1 -1 1 1
0 0 -1) is
in NAF.
Ref) Guide to Elliptic Curve Cryptography, page 98
![Page 62: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/62.jpg)
62
Non-adjacent form (NAF) method
Ref) Guide to Elliptic Curve Cryptography, page 99
![Page 63: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/63.jpg)
63
Window method
Ref) Guide to Elliptic Curve Cryptography, page 99
![Page 64: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/64.jpg)
64
-End-
Thank you~
![Page 65: Discrete Math IIinfosec.pusan.ac.kr/.../2019/03/2-2.Security-Protocols-ECC_ver1.pdf · An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) =0 with](https://reader033.vdocuments.site/reader033/viewer/2022053015/5f13b90a3a6b4b6a8618c660/html5/thumbnails/65.jpg)
Slides Elliptic Curve Cryptography by Debdeep Mukhopadhyay, Dept of
Computer Sc and Engg IIT Madras
Books Elliptic Curves: Number Theory and Cryptography, by Lawrence C.
Washington
Guide to Elliptic Curve Cryptography, Darrel R. Hankerson, A. Menezes
and A. Vanstone
65
References