General Attacks on Elliptic Curve Based Cryptosystems
Merabi Chicvashvili
Ron Ryvchin
Project Advisor: Barukh Ziv
Spring 2014



Elliptic Curves

Point addition can be defined geometrically and algebraically.

Algebraic Approach

Point Addition: R = P + Q
s = (P_y - Q_y) / (P_x - Q_x)
R_x = s^2 - P_x - Q_x
R_y = s·(P_x - R_x) - P_y

Point Doubling: R = 2·P
s = (3·P_x^2 + a) / (2·P_y)
R_x = s^2 - 2·P_x
R_y = s·(P_x - R_x) - P_y

Cryptography with Elliptic Curves

Elliptic Curve Encryption

Attacking ECC

Best possible way is a ‘collision attack’ known as Pollard’s rho attack, taking O(n^(1/2)) curve additions, where n is the order of the base point.

The Pohlig-Hellman algorithm reduces the size of the problem: ECDLP is reduced to ECDLP modulo each prime factor of n.

As field size increases, the attack becomes harder at an exponential rate.

ECC key of 163 bits is equivalent to RSA key of 1024 bits.

ECC key of 256 bits is equivalent to RSA key of 3072 bits.
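As an added worked example (not code from the project, which used NTL in C++), the affine formulas from the Algebraic Approach slide together with Pollard's rho using an additive walk, on a constructed toy curve. The curve y^2 = x^3 + 2x + 2 over GF(17) with base point G = (5, 1) of prime order 19 is an assumption chosen for size, the partition function is x mod r, and Floyd's cycle finding is used in place of Brent's for brevity.

```python
import random

# Constructed toy curve (assumption, not from the slides): y^2 = x^3 + 2x + 2
# over GF(17); base point G = (5, 1) has prime order n = 19. O = infinity.
p, a, G, O = 17, 2, (5, 1), None

def ec_add(P, Q):
    """R = P + Q with the slide's affine formulas (chord or tangent slope s)."""
    if P is O: return Q
    if Q is O: return P
    if P[0] == Q[0] and (P[1] + Q[1]) % p == 0:
        return O                                      # Q == -P
    if P == Q:
        s = (3 * P[0] * P[0] + a) * pow(2 * P[1] % p, -1, p) % p  # doubling
    else:
        s = (P[1] - Q[1]) * pow((P[0] - Q[0]) % p, -1, p) % p     # addition
    x = (s * s - P[0] - Q[0]) % p                     # Rx = s^2 - Px - Qx
    return (x, (s * (P[0] - x) - P[1]) % p)           # Ry = s(Px - Rx) - Py

def ec_mul(k, P):                                     # k*P, double-and-add
    R = O
    for bit in bin(k)[2:]:
        R = ec_add(R, R)
        if bit == '1':
            R = ec_add(R, P)
    return R

def point_order(P):                                   # smallest n with n*P = O
    n, R = 1, P
    while R is not O:
        R, n = ec_add(R, P), n + 1
    return n

def pollard_rho(P, Q, n, r=8, seed=0):
    """Solve Q = k*P: additive walk X -> X + M[j], M[j] = c_j*P + d_j*Q, j = x(X) mod r;
    coefficients (al, be) are tracked so a Floyd collision X_i == X_2i gives k."""
    while True:
        rng = random.Random(seed); seed += 1          # fresh multipliers on retry
        coef = [(rng.randrange(1, n), rng.randrange(1, n)) for _ in range(r)]
        M = [ec_add(ec_mul(c, P), ec_mul(d, Q)) for c, d in coef]
        def step(X, al, be):
            j = 0 if X is O else X[0] % r             # partition function
            return ec_add(X, M[j]), (al + coef[j][0]) % n, (be + coef[j][1]) % n
        tort = step(O, 0, 0)                          # X_1
        hare = step(*tort)                            # X_2
        while tort[0] != hare[0]:                     # advance to X_i == X_2i
            tort, hare = step(*tort), step(*step(*hare))
        if (hare[2] - tort[2]) % n:                   # be_2i != be_i: solvable
            return (tort[1] - hare[1]) * pow((hare[2] - tort[2]) % n, -1, n) % n
```

A collision with equal be coefficients gives no information, so the walk is simply restarted with new multipliers.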

Pollard rho Algorithm

Additive walks

Cycle detection

Performance Analysis - Speed

Attack performance depends on:
Field arithmetic speed - provided by NTL library
Curve arithmetic speed - selection of coordinates
Algorithmic level - partition function, cycle detection

Performance Analysis - additive walk and partition function

Performance Analysis - coordinates

Affine point addition: 1 squaring, 2 multiplications, 1 inverse
Inverse is expensive!

Jacobian coordinates: x, y, z
Jacobian point addition: 12 squarings, 4 multiplications, no inverse!


Performance Analysis - cycle detection

Brent’s cycle detection algorithm does fewer function evaluations than Floyd’s. In his work Brent claims that his algorithm improved Pollard Rho performance by 24%, on average.

Brent’s algorithm counts the number of steps. At the end, we know the length of the cycle. We used this counter to improve the algorithm for some cases of “rho” shape, staying with O(1) space complexity.

Performance Analysis - cycle detection

“Perfect” cycle detection:

• Tail = 2^i - 1
• Cycle = 2^i
• No redundant steps

Performance Analysis - cycle detection

“Worse” case:

• Tail = 2^i
• Cycle = 2^i - 1
• Same number of steps to collision
• The algorithm does (tail - 1) + 2^i + cycle steps
• Redundant steps: ~50%

Performance Analysis - cycle detection

Worst case 1:

• Very short or no tail
• An iteration finishes just one step short of the possible collision point
• Could finish in about 2^i steps, will take twice as many

Worst case 2:

…

• After finishing the tail in ~2^i steps, we waste the same number of steps before we get the first green point on the cycle

Performance Analysis - cycle detection

“Middle point” improvement:

• Remember the point after 2^(i-1) steps
• Compare new points to both the last “green” and “yellow” points
• Collision found after (tail - 1) + 2^(i-1) + cycle steps
• Saving: 2^(i-1), which is ~1/6th of the original result
• The saving is up to 1/4th
• Experimental measurements: ~50% of attacks were shortened; for each challenge (key size) there was an attack that found a middle point collision; speedup: 14-24%
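The step counts claimed on the cycle detection slides can be checked by simulation. As an added example (not the project's code), Brent's cycle detection with a step counter, with and without the middle point, runs on a constructed rho-shaped map whose tail and cycle lengths are chosen directly; Floyd's evaluation count is included for comparison.

```python
# Added example (not from the slides): Brent's cycle detection with a step
# counter on a constructed rho-shaped map, reproducing the slides' step counts
# for the "perfect" and "worse" cases and the "middle point" saving.

def make_rho(tail, cycle):
    """f on {0, ..., tail+cycle-1}: points 0..tail-1 form the tail, the rest a cycle."""
    return lambda x: x + 1 if x + 1 < tail + cycle else tail

def brent(f, x0, middle=False):
    """Return (function evaluations until the collision, detected cycle length).
    After every window of 2^m steps the 'green' point is reset to the current
    point; with middle=True the point halfway through each window is kept as
    'yellow' and every new point is compared against both."""
    steps, power, x = 0, 1, x0
    green, green_at = x0, 0                    # last reset point and its step index
    yellow, yellow_at = None, 0
    while True:
        x, steps = f(x), steps + 1
        if x == green:
            return steps, steps - green_at     # cycle length = distance from green
        if middle and x == yellow:
            return steps, steps - yellow_at
        if steps - green_at == power:          # window of 2^m steps exhausted
            green, green_at, power = x, steps, 2 * power
        elif middle and steps - green_at == power // 2:
            yellow, yellow_at = x, steps       # remember the window's middle point

def floyd(f, x0):
    """Function evaluations used by Floyd's tortoise-and-hare, for comparison."""
    tort, hare, evals = f(x0), f(f(x0)), 3
    while tort != hare:
        tort, hare, evals = f(tort), f(f(hare)), evals + 3
    return evals

def extra_over_minimum(tail, cycle, middle=False):
    """Brent's evaluations beyond the unavoidable tail + cycle, relative to that minimum."""
    steps, _ = brent(make_rho(tail, cycle), 0, middle)
    return (steps - (tail + cycle)) / (tail + cycle)
```

With i = 4 the "worse" case (tail 16, cycle 15) costs 46 evaluations against a minimum of 31, and the middle point brings it down to 38, exactly the (tail - 1) + 2^(i-1) + cycle of the slide.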

Results

Previous best results: 64 bits challenge in ~16 hours (1,993,844,576 function calls)

Our best results:
64 bits in ~42 minutes (436,215,366 function calls)
70 bits in ~5 hours (4,924,092,173 function calls)

Full Results

challenge    evaluations     evaluations       evaluations       time                   time
size (bits)  (min)           (max)             (average)         (min)                  (max)
30           24,176          77,424            37,974            0.05 sec               0.2 sec
40           365,389         2,200,397         1,125,607         1 sec                  6 sec
50           5,471,207       54,876,055        25,661,003        18 sec                 197 sec
64           436,215,366     6,261,487,497     3,499,239,651     2507 sec (42 min)      23917 sec (~7 hours)
70           4,924,092,173   90,946,847,050    38,666,966,411    17878 sec (~5 hours)   328611 sec (~4 days)

Special Challenge


Since the order of the curve is not a prime number, we applied the Pohlig-Hellman reduction to this challenge.

Although n is large, its largest prime factor is 28202267.

The whole attack finished in about 3 minutes.
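The Pohlig-Hellman reduction used on this challenge, as an added example that is not the project's code. The reduction is the same for a curve group of composite order n; to keep the block short the group here is GF(q)^* with q = 1009 (an assumption, so n = 1008 = 2^4 · 3^2 · 7), and each small subproblem is solved by brute force where the project used Pollard's rho.

```python
# Added example (not from the slides): Pohlig-Hellman for h = g^x when the
# order n of g is composite. Constructed demo group (assumption): GF(q)^* with
# q = 1009, n = 1008 = 2^4 * 3^2 * 7. The per-prime subproblems are brute-forced.
q = 1009

def factorize(n):
    """Trial division -> {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d], n = f.get(d, 0) + 1, n // d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def find_generator(q):
    """Smallest g of order q - 1: g^((q-1)/p) != 1 for every prime p dividing q - 1."""
    n = q - 1
    return next(g for g in range(2, q)
                if all(pow(g, n // p, q) != 1 for p in factorize(n)))

def dlog_prime(g, h, p):
    """Brute-force x in [0, p) with g^x = h, where g has prime order p."""
    y = 1
    for x in range(p):
        if y == h:
            return x
        y = y * g % q
    raise ValueError("h is not in <g>")

def pohlig_hellman(g, h, n):
    """x = log_g(h) with ord(g) = n: solve modulo each prime power of n, then CRT."""
    residues = []                                # (x mod p^e, p^e)
    for p, e in factorize(n).items():
        gp = pow(g, n // p, q)                   # generator of the order-p subgroup
        x_pe, weight = 0, 1                      # recover x mod p^e one p-adic digit at a time
        for k in range(e):
            hk = pow(h * pow(g, -x_pe, q) % q, n // p ** (k + 1), q)
            x_pe += dlog_prime(gp, hk, p) * weight
            weight *= p
        residues.append((x_pe, p ** e))
    x, mod = 0, 1                                # Chinese remainder recombination
    for r, m in residues:
        x, mod = x + mod * ((r - x) * pow(mod, -1, m) % m), mod * m
    return x % n
```

The cost is governed by the largest prime factor of n, which is why a composite-order challenge with a largest factor of 28202267 falls in minutes.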

Bibliography

V. Shoup, "NTL: A Library for doing Number Theory", http://www.shoup.net/ntl/
Darrel Hankerson, Alfred Menezes, Scott Vanstone, “Guide to Elliptic Curve Cryptography”.
I. Duursma, P. Gaudry, and F. Morain, “Speeding up the Discrete Log Computation on Curves with Automorphisms”.
Róbert Lórencz, “New Algorithm for Classical Modular Inverse”.