ECE578/7 #1 Spring 2010 © Richard A. Stanley
ECE578: Cryptography
7: Elliptic Curve Cryptographic Systems
Professor Richard A. Stanley, P.E.

Last time…
– Elliptic curves may be useful for obtaining keys to use in asymmetric cryptography
– ECC numbers are an order of magnitude smaller than RSA numbers for equivalent levels of security… we think!
– Elliptic curves must meet certain requirements to be useful

ECC Drawbacks
– Not as well studied as RSA and DL-based public-key schemes
– Conceptually more difficult
– Finding secure curves in the set-up phase is computationally expensive

Elliptic Curve Definition

Objective
– Goal: finding a (cyclic) group (G, ∘) so that we can use the DL problem as a one-way function
– We have a set (the points on the curve)
– We “only” need a group operation on the points

Abelian Groups
– An abelian group, also called a commutative group, is a group (G, *) with the additional property that the group operation * is commutative, so that for all a and b in G, a * b = b * a
– Every cyclic group G is abelian

Elliptic Curves
– An elliptic curve is a plane curve defined by an equation of the form y^2 = x^3 + ax + b
– The set of points on such a curve (i.e., all solutions of the equation together with a point at infinity) can be shown to form an abelian group
– If x and y are chosen from a large finite field, the solutions form a finite abelian group

Why Bother?
– For asymmetric cryptosystems, multiplication on elliptic curves can be used instead of exponentiation in finite fields
– Key sizes seem to increase only linearly for increased security, not exponentially
– Might this be useful in dealing with issues of computational complexity?

Elliptic Curve Cryptography
[Table comparing symmetric key size, RSA and Diffie-Hellman key size, and elliptic curve key size (all in bits); the table entries did not survive extraction.]

Elliptic Curve Cryptography
[Table of security level (bits) against computation ratio, DH cost : EC cost — 80 bits: 3:1; 112 bits: 6:1; the remaining rows did not survive extraction.]

Diffie-Hellman Key Exchange – 1
– Alice and Bob agree on a large prime n and a g, where g is primitive mod n. These need not be kept secret
– Alice chooses a large random integer x and sends to Bob: X = g^x mod n
– Bob chooses a large random integer y and sends to Alice: Y = g^y mod n
– NB: x and y are never transmitted

Diffie-Hellman Key Exchange – 2
– Alice computes k = Y^x mod n
– Bob computes k' = X^y mod n
– But k = k' = g^(xy) mod n
– Therefore, Bob and Alice now have a secret key, k, that they can share for communications
– Eavesdroppers know only n, g, X, and Y, not x or y, which are required to compute k

Diffie-Hellman Security
– D-H security depends on the difficulty of factoring large numbers (size of n)
– It is computationally infeasible to recover x and y from the data known to an eavesdropper by any means other than exhaustive key search
– Caveats:
  – n must be large
  – (n-1)/2 should also be prime
  – g can be small, even one digit

Diffie-Hellman Key Exchange (ECC)
– The cryptosystem is completely analogous to D-H in Z_p^*
– Setup:
  – Choose E: y^2 = x^3 + ax + b mod p
  – Choose a primitive element α = (x_α, y_α)

Protocol

Security

Attacks
– The only possible attacks against elliptic curves are the Pohlig-Hellman scheme together with Shanks' algorithm or Pollard's rho method
  – #E must have one large prime factor p_l
  – p_l … (the bound on p_l did not survive extraction)
– So-called “Koblitz curves” (curves with a, b ∈ {0, 1}) … (the rest of this item did not survive extraction)
– For supersingular elliptic curves over GF(2^n), the DL in the elliptic curve can be solved by solving the DL in GF(2^(kn)), k ≤ 6
  – Stay away from supersingular curves despite their possible faster implementations
– Powerful index-calculus attacks are not yet applicable

Menezes-Vanstone Encryption
Set-up:

Encryption

Decryption

Disadvantage
– Message expansion factor:
– Which means?

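As an added example (not from the lecture), the following Python code implements the curve group law on a small curve and uses it both for the EC Diffie-Hellman setup of the earlier slides and for Menezes-Vanstone encryption and decryption. The curve, generator, keys and message are constructed toy values; note that a ciphertext (y0, y1, y2) carries a curve point plus two field elements for two plaintext field elements, the message expansion factor of 2 that the slide asks about.

```python
# Added example (not from the lecture): EC group law, EC Diffie-Hellman and
# Menezes-Vanstone encryption on the toy curve E: y^2 = x^3 + 2x + 2 mod 17,
# generator P = (5, 1). Constructed teaching parameters, far too small for use.
P_MOD, A, B = 17, 2, 2
GEN = (5, 1)
INF = None                       # point at infinity: the group identity

def ec_add(p1, p2):
    """Chord-and-tangent group law on y^2 = x^3 + A*x + B over GF(P_MOD)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF               # p2 == -p1 (includes doubling a point with y = 0)
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)   # tangent slope
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P_MOD)           # chord slope
    x3 = (s * s - x1 - x2) % P_MOD
    return (x3, (s * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    """Scalar multiplication k*pt by double-and-add (the EC analogue of g^x)."""
    acc = INF
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def ecdh_shared(priv_a, priv_b):
    """Alice and Bob exchange a*P and b*P; each then computes the same a*b*P."""
    pub_a, pub_b = ec_mul(priv_a, GEN), ec_mul(priv_b, GEN)
    return ec_mul(priv_a, pub_b), ec_mul(priv_b, pub_a)

def mv_encrypt(pub, msg, k):
    """Menezes-Vanstone: mask the two plaintext elements of Z_p^* with the coordinates
    (c1, c2) of k*pub. k is a fresh per-message secret; c1, c2 must be nonzero."""
    c1, c2 = ec_mul(k, pub)
    return (ec_mul(k, GEN), c1 * msg[0] % P_MOD, c2 * msg[1] % P_MOD)

def mv_decrypt(priv, ct):
    """Recompute (c1, c2) = priv*y0 and divide the masks back out."""
    y0, y1, y2 = ct
    c1, c2 = ec_mul(priv, y0)
    return (y1 * pow(c1, -1, P_MOD) % P_MOD, y2 * pow(c2, -1, P_MOD) % P_MOD)
```

In real use k is drawn from a CSPRNG and redrawn if either coordinate of k*pub is zero; here the test passes k explicitly so the numbers are reproducible.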
Implementation
– Hardware: approximately 0.2 msec for an elliptic curve point multiplication with 167 bits on an FPGA
– Software: one elliptic curve point multiplication aP in less than 10 msec over GF(2^155); an implementation on an 8-bit smart card processor without coprocessor is available

ElGamal Encryption Scheme
– Published in 1985
– Based on the DL problem in Z_p^* or GF(2^k)
– Extension of the D-H key exchange for encryption

El Gamal Protocol

Setup

Encryption

Decryption

How Does It Work?

Remarks

Computational Aspects
– Encryption
– Decryption

Efficiency Issues

Efficiency (con’t.)

Security of ElGamal

Security of El Gamal (con’t.)

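Added example (not from the lecture): the Diffie-Hellman exchange of the earlier slides and textbook ElGamal over Z_p^* in Python, with the constructed toy parameters p = 23 and α = 5 so every value can be checked by hand. decrypt shows why the scheme works (y1^d is exactly the mask β^k), and scale_ciphertext shows the malleability of unauthenticated ElGamal, which is why it is paired with integrity protection in practice.

```python
# Added example (not from the lecture): Diffie-Hellman and textbook ElGamal over
# Z_p^* with p = 23 and primitive element alpha = 5, a constructed toy parameter
# set (real parameters are thousands of bits). Also shows ElGamal's malleability.
import secrets

P_MOD, ALPHA = 23, 5             # 5 generates all of Z_23^*

def rand_exponent():
    """Uniform secret exponent in [2, p-2] from the OS CSPRNG."""
    return 2 + secrets.randbelow(P_MOD - 3)

def dh_shared(x, y):
    """D-H: Alice sends X = alpha^x, Bob sends Y = alpha^y; both get alpha^(xy)."""
    X, Y = pow(ALPHA, x, P_MOD), pow(ALPHA, y, P_MOD)
    return pow(Y, x, P_MOD), pow(X, y, P_MOD)

def keygen(d=None):
    """Private exponent d and public key beta = alpha^d mod p."""
    if d is None:
        d = rand_exponent()
    return d, pow(ALPHA, d, P_MOD)

def encrypt(beta, x, k=None):
    """ElGamal: (y1, y2) = (alpha^k, x * beta^k); k is a fresh per-message secret,
    so encrypting the same x twice gives different ciphertexts."""
    if k is None:
        k = rand_exponent()
    return pow(ALPHA, k, P_MOD), x * pow(beta, k, P_MOD) % P_MOD

def decrypt(d, ct):
    """x = y2 * (y1^d)^-1: y1^d = alpha^(kd) = beta^k is exactly the mask used."""
    y1, y2 = ct
    return y2 * pow(pow(y1, d, P_MOD), -1, P_MOD) % P_MOD

def scale_ciphertext(ct, c):
    """Textbook ElGamal is malleable: scaling y2 by c yields a valid encryption of
    c*x without knowing d, which is why it needs integrity protection in practice."""
    y1, y2 = ct
    return y1, y2 * c % P_MOD
```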
Summary – ECC
– Elliptic curves can be used to produce elements in a finite field that are:
  – More efficient to generate
  – More difficult to reconstruct with partial data
– For equivalent security, the key sizes needed with ECC increase linearly; for RSA, they increase exponentially

Next: The Advanced Encryption Standard (AES)

Why a New Crypto Standard?
– DES is now vulnerable to brute-force key search
– 3DES is still a viable option, but key management is a problem
– Implementation speeds in software are disappointing
– The need for a national crypto standard is even more critical than in the 1970s

Basic Facts about AES
– Successor to DES
– The AES selection process was administered by NIST
– Unlike DES, the AES selection was an open (i.e., public) process
– Likely to be the dominant secret-key algorithm in the next decade
– Main AES requirements by NIST:
  – Block cipher with 128 I/O bits
  – Three key lengths must be supported: 128/192/256 bits
  – Security relative to other submitted algorithms
  – Efficient software and hardware implementations

Chronology of the AES Process
– Development announced on January 2, 1997 by the National Institute of Standards and Technology (NIST)
– 15 candidate algorithms accepted on August 20th; finalists announced August 9th, 1999:
  – Mars, IBM Corporation
  – RC6, RSA Laboratories
  – Rijndael, J. Daemen & V. Rijmen
  – Serpent, Eli Biham et al.
  – Twofish, B. Schneier et al.
– October 2nd, 2000: NIST chooses Rijndael as the AES

Comparison of Contenders

Blowfish

Twofish

Rijndael Overview

Block Size/Key Length
– Both the block size and the key length of Rijndael are variable. The sizes shown below are the ones required by the AES standard.
– The number of rounds (or iterations) is a function of the key length:

Rijndael vs. AES
– AES utilizes a subset of Rijndael's capabilities
– Rijndael allows block sizes of 192 and 256 bits, but AES does not permit these larger block sizes
– If larger block sizes are used, the number of rounds must be increased

Important
– Rijndael does not have a Feistel structure
– Feistel networks do not encrypt an entire block per iteration (e.g., in DES, 64/2 = 32 bits are encrypted in one iteration)
– Rijndael encrypts all 128 bits in one iteration. As a consequence, Rijndael has a comparably small number of rounds

Rijndael Structure
– Rijndael is a substitution-permutation network
– Rijndael uses three different types of layers
– Each layer operates on all 128 bits of a block

Rijndael Layers
– Key Addition Layer: XORing of the subkey
– Byte Substitution Layer: 8-by-8 S-Box substitution
– Diffusion Layer: provides diffusion over all 128 (or 192 or 256) block bits. It is split into two sub-layers:
  – ShiftRow Layer
  – MixColumn Layer

Operations
– The ByteSubstitution Layer introduces confusion with a non-linear operation
– The ShiftRow and MixColumn stages form a linear Diffusion Layer

Rijndael Block Diagram (encryption)

A Walk Through Rijndael
– One must be very careful when using Wikipedia references. However, this one has been vetted and is accurate as of today: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
– We’ll look at the description of how Rijndael works in some detail

Affine Transformation
– A mapping between two vector spaces consisting of a linear transformation followed by a translation: x → Ax + b
– Preserves:
  – Collinearity between points, i.e., three points which lie on a line continue to be collinear after the transformation
  – Ratios of distances along a line

Another View of Byte Substitution
– Splits the incoming 128 bits into 128/8 = 16 bytes
– Each byte A is considered an element of GF(2^8) and undergoes the following substitution individually: B = A^(-1) ∈ GF(2^8), where the field is constructed with the irreducible polynomial P(x) = x^8 + x^4 + x^3 + x + 1

Byte Substitution Affine Transformation

All About C
– The vector C = (c_7 ··· c_0) (representing the field element c_7 x^7 + ··· + c_1 x + c_0) is the result of the substitution: C = ByteSub(A)
– The entire substitution can be realized as a look-up in a 256×8-bit table with fixed entries
– Unlike DES, Rijndael applies the same S-Box to each byte

Diffusion Layer
– Unlike the non-linear substitution layer, the diffusion layer performs a linear operation on input words A, B. That means: DIFF(A) + DIFF(B) = DIFF(A + B)
– The diffusion layer consists of two sublayers:
  – ShiftRow SubLayer
  – MixColumn SubLayer

ShiftRow SubLayer – 1
– Write an input word A as 128/8 = 16 bytes and order them in a square array: Input A = (a_0, a_1, …, a_15)

ShiftRow SubLayer – 2
– Shift cyclically row-wise as follows:

MixColumn SubLayer
– Principle: each column of 4 bytes is individually transformed into another column
– How? Each 4-byte column is considered as a vector and multiplied by a 4×4 matrix. The matrix contains constant entries. Multiplication and addition of the coefficients is done in GF(2^8)

MixColumn SubLayer Matrices

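Added example (not from the lecture, and not the FIPS 197 reference code): Python that builds ByteSub exactly as the slides describe it, the GF(2^8) inverse followed by the affine map, and applies the constant MixColumn matrix to one column with GF(2^8) arithmetic. The test values are the worked ones from the FIPS 197 appendices (the inverse of 0x53 is 0xCA, S-box(0x53) = 0xED, and the column {d4, bf, 5d, 30} mixes to {04, 66, 81, e5}).

```python
# Added example (not from the lecture): AES ByteSub and MixColumn built from
# GF(2^8) arithmetic modulo the Rijndael polynomial P(x) = x^8+x^4+x^3+x+1.
def gf_mul(a: int, b: int) -> int:
    """Multiply two bytes as elements of GF(2^8) modulo P(x) (0x11B)."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B            # reduce: x^8 = x^4 + x^3 + x + 1
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0 by convention."""
    if a == 0:
        return 0
    # The multiplicative group has order 255, so a^254 = a^-1.
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def sbox(a: int) -> int:
    """ByteSub: B = A^-1 in GF(2^8) followed by the affine map x -> Ax + b.
    Over GF(2) that map is x XOR its four left rotations XOR the constant 0x63."""
    x = gf_inv(a)
    def rotl(v: int, n: int) -> int:
        return ((v << n) | (v >> (8 - n))) & 0xFF
    return x ^ rotl(x, 1) ^ rotl(x, 2) ^ rotl(x, 3) ^ rotl(x, 4) ^ 0x63

# Constant MixColumn matrix; each entry is a GF(2^8) element.
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def mix_column(col: list) -> list:
    """MixColumn: multiply one 4-byte column by MIX, arithmetic in GF(2^8)."""
    out = []
    for row in MIX:
        v = 0
        for m, c in zip(row, col):
            v ^= gf_mul(m, c)    # '+' in GF(2^8) is XOR
        out.append(v)
    return out
```

Tabulating sbox(a) for all 256 bytes gives the fixed 256-entry look-up table the slides mention.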
Rijndael Keys
– Analogous to DES, the key provided with AES is a seed key, which is processed within the system to produce round keys
– The procedure to generate separate round keys from the seed key is known as the Rijndael key schedule

Key Addition Layer
– Simple bitwise XOR with a 128-bit subkey
– AES (Rijndael) uses a key schedule to expand a short key into a number of separate round keys. This is known as the Rijndael key schedule: http://en.wikipedia.org/wiki/Rijndael_key_schedule

Rijndael Thoughts
– FIPS PUB 197 is the official standard
– Based on what you have seen of how encryption proceeds, can decryption proceed in the same way as for DES?

Rijndael Block Diagram (decryption)

Rijndael Decryption
– Unlike DES and other Feistel ciphers, all of the Rijndael layers must actually be inverted
– How can this be accomplished?

AES Uses in Defense Systems
– DES and 3DES were never allowed for transmitting classified information
– CNSS Policy #15, FS-1, June 2003 states that AES may be used for classified information, subject to FIPS:
  – SECRET at all key lengths
  – TOP SECRET at key lengths of 192 or 256
– Issues/problems?

Attacks on AES?
– What did you find in your homework? Do any of these seem plausible? What about in years?
– AES has been criticized as being too algebraically deterministic. Your thoughts?

AES Summary
– AES uses a subset of the capabilities of the Rijndael algorithm
– AES is becoming widely used, and is the default in many common applications
– In a change from many of its predecessors, AES is a substitution-permutation network
– AES decryption requires a decryption engine to invert the encryption transforms

Homework
– Read Stinson, Chapter 3.6
– Research the topic of elliptic curve cryptography. Choose a cryptosystem and describe its advantages and disadvantages. Is it in wide use? Why or why not?
– Some researchers have reported breaking AES. Find one or more of these claims and evaluate its significance or lack thereof.