Advanced Information Security 1 INTRODUCTION TO ECC Dr. Turki F. Al-Somani

Module Outlines  Introdcution to Cryptography  Symmetric Key Cryptography  Public Key Cryptography  Elliptic Curve Cryptosystems  Point Operations  Scalar Multiplication  Projective Coordinates  Field Operations  Challenges, Opportunities 2

Cryptography Definitions  Encryption is a process by which a message (called plaintext) is transformed into another message (called ciphertext) using a mathematical function and a special encryption password (called a key).  Decryption is the reverse process: transforming a ciphertext message back into its original plaintext form using a mathematical function and a key.  The mathematical functions and keys used for encryption and decryption may be the same, or may be different. 3

Cryptography Definitions Symmetric key cryptography: encryption and decryption keys are identical, so the key must be kept secret. (This approach is also called secret key cryptography.) Public key cryptography: different keys for encryption and decryption (one public, the other private). plaintext ciphertext K A encryption algorithm decryption algorithm Alice’s encryption key Bob’s decryption key K B 4

Symmetric Key Cryptography  Same key decrypts and encrypts information.  The encryption functions used need not be secret, but the keys used must be secret.  The encryption and decryption functions used can be the same or different.  Examples:  ROT13: Very simple rotation algorithm  Caesar cipher: Another (better) rotation algorithm  crypt: Original Unix encryption program  DES: Data Encryption Standard  AES: Advanced Encryption Standard  Skipjack: U.S. National Security Agency developed algorithm (classified) 5

Symmetric Key Cryptography  Cryptographic algorithms involve substituting one thing for another, in many possible ways.  Caesar cipher: substitute each letter by the letter that appears k letters later in the alphabet; while producing what looks like gibberish, there are only 25 possible keys available.  Mono-alphabetic cipher: substitute one letter for another; now there are 26! possibilities.  Poly-alphabetic cipher: each letter could be substituted by multiple other possible letters; for example, by using several mono-alphabetic ciphers, depending on the position in the message. plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc E.g.: 6

Symmetric Key Cryptography Q: How hard is it to break these simple ciphers?  Brute force: attempt all possibilities  Simple with the Caesar cipher, but gets quite difficult with mono-alphabetic or poly-alphabetic ciphers.  Ciphertext-only attack: use statistics and other information to decrypt intercepted ciphertext  For example, simple statistics on letter placement and occurrence in English makes further decryption simpler.  Known-plaintext attack: if some of the plaintext is known, one could uncover some of the plaintext-ciphertext mappings, making decryption easier.  For example, if we knew “ alice ” was in the message, we get some of the mappings right away without much difficulty.  Chosen-plaintext attack: the intruder can choose the plaintext message and receive the ciphertext form.  It gets much easier to decrypt messages; mono-alphabetic ciphers are easily broken, and poly-alphabetic ciphers get much easier too. 7

Symmetric Key Cryptography: Key Issues Symmetric key cryptography: Bob and Alice share the same (symmetric) key: K  For example, the key is knowing substitution pattern in a monoalphabetic substitution cipher.  Question: How do Bob and Alice agree on key value? What if Bob and Alice have never “ met ” before?  Even Better Question: How is the agreed upon key distributed to both Bob and Alice in a secure fashion? plaintext ciphertext K A-B encryption algorithm decryption algorithm K A-B plaintext message, m K (m) A-B K (m) A-B m = K ( ) A-B 8

General approaches to Cryptography  There are two general encryption methods: Block ciphers & Stream ciphers  Block ciphers  Slice message M into (fixed size blocks) m 1, …, m n Add padding to last block  Use E k to produce (ciphertext blocks) x 1, …, x n  Use D k to recover M from m 1, …, m n  Stream ciphers  Generate a long random string (or pseudo random) called one-time pad.  Message XOR one-time pad 9

Stream Ciphers  Binary pad (keystream), use XOR instead of addition  Plaintext = original, unencrypted data  Ciphertext = encrypted data Plaintext Keystream XOR Ciphertext Keystream XOR Plaintext  Two XORs with the same data always cancel out 10

Stream Ciphers  Using the keystream and ciphertext, we can recover the plaintext  But, using the plaintext and ciphertext, we can recover the keystream  Using two ciphertexts from the same keystream, we can recover the XOR of the plaintexts  Any two components of an XOR-based encryption will recover the third  Never reuse a key with a stream cipher  Better still, never use a stream cipher 11

Block Ciphers  Originated with early 1970 ’ s IBM effort to develop banking security systems  First result was Lucifer, most common variant has 128-bit key and block size  It wasn ’ t secure in any of its variants Called a Feistel or product cipher 12

Block Ciphers  f()-function is a simple transformation, doesn ’ t have to be reversible  Each step is called a round; the more rounds, the greater the security (to a point)  Most famous example of this design is DES:  16 rounds  56 bit key  64 bit block size (L,R = 32 bits)  Designed by IBM with, uh, advice from the NSA 13

Public Key Cryptography Symmetric key cryptography  Requires both the sender and receiver to know the shared secret key.  Question: how do they agree on the key in the first place (particularly if they have never “ met ” )? Public key cryptography Radically different approach [Diffie- Hellman76, RSA78]. Sender and receiver do not share secret key. Public encryption key known to all. Private decryption key known only by the owner. 14

Public Key Cryptography  Keys are generated in pairs.  Public key is publicly registered so everyone knows it, and private one is kept secret by the owner.  Each key can decrypt what the other encrypts, but not what it encrypts itself. (That ’ s why this is sometimes called assymetric cryptography.)  Important properties of key generation:  There is a one-to-one correspondence in the generated key pairs – if one key can decrypt a message, it must have been encrypted by the other.  It must be extremely difficult, if not impossible, to deduce the private key when given a public key. 15

Public Key Cryptography plaintext message, m ciphertext encryption algorithm decryption algorithm Bob’s public key plaintext message K (m) B + K B + Bob’s private key K B - m = K ( K (m) ) B + B - 16

Public Key Cryptography This property will be very useful later: K ( K (m) ) = m B B - + K ( K (m) ) A A + - = use public key first, followed by private key use private key first, followed by public key Result is the same! 17

Public Key Encryption Algorithms  Diffie-Hellman: the first public key approach proposed.  RSA: the best known public key system, developed by Rivest, Shamir, and Adleman (hence RSA). Patents on this approach expired recently, allowing others to take advantage of it without licensing from RSA Security Inc.  DSA: Digital Signature Algorithm, developed by the U.S. National Security Agency (NSA).  Elliptic Curve Cryptosystems (ECC) 18

Symmetric vs. Public Key Cryptography Which method provides stronger security?  With suitable keys and algorithms, both methods can be secure enough for most purposes. Which method is more convenient?  To use symmetric cryptography, both parties must know the secret key, which can be quite inconvenient.  To use public key cryptography, one only needs to find the public key to communicate with someone else, which can be a lot more convenient. Which method performs better?  Encrypting and decrypting a lot of information with public key cryptography can be painfully slow in comparison to symmetric cryptography. 19

Hybrid Secret-Public Key Cryptography  Ideally, we would like to combine the strengths of symmetric and public key cryptography, and avoid their weaknesses.  We want the efficiency of symmetric cryptography combined with the ease of use and convenience of public key cryptography.  When two parties want to communicate securely, public key cryptography is used to exchange a random symmetric session key.  Since the session key is encrypted, we can ensure secrecy and mutual authentication.  Thus, key distribution and setup is easy and risk-free. 20

Hybrid Secret-Public Key Cryptography  To communicate, symmetric cryptography is used with the session key.  Since only these two parties know the session key, the messages are secure.  Since secret key cryptography is used, this can be done relatively efficiently.  When done, both parties destroy the session key. If communication is required in the future, this process is repeated from the beginning to obtain a completely new session key.  This general approach is used in Pretty Good Privacy (PGP) and elsewhere. 21

Elliptic Curve Cryptosystems  What are Elliptic Curve Cryptosystems (ECCs)?  An ECC is a cryptography system based on elliptic curve theory that can be used as a faster, smaller, and more efficient cryptosystem.  Who introduced it and when?  Miller and Koblitz (independently) in mid 1980s.  What is the basic principle?  Obtaining the same level of security as conventional cryptosystems but with much smaller key size. 22

Why ECC ?  RSA and ElGamal  Based on Integer Factorization Problem (IFP)  There exist sub-exponential algorithms for solving such problem.  ECC  Based on Elliptic Curve Discrete Logarithm Problem (ECDPL)  There is no sub-exponential algorithm known for solving ECDPL.  ECC is more secure than RSA or ElGamal  using much smaller key size can achieve the same security as RSA or ElGamal with large key size.  RSA and ElGamal (1-2k bits).  ECC 160-bits only.. !!  Standardized by ANSI, IEEE, NIST, SEC and WTLS. 23

24 Point Addition Q P3 P1 P2  Steps to find sum of two points:  Join P1 and P2  Line meets the curve at Q  The result is the replica of Q around x-axis, P3.  P1 + P2 = P3

25 Point Doubling What would happen if the two points lies on each other. Adding a point to itself (doubling) Draw a tangent line through P, Line meets the curve at R ', The result is the replica of R ' around x-axis, R P+P = 2P = R R'R' R P

26 Scalar Multiplication  Also called point multiplication  KP = P + P + P + … + P (K times)  Where K is an integer. 3P 2P P

27 Elliptic Curve Discrete Logarithm Problem (ECDLP) Given an elliptic curve and a basis point P, we can compute Q = KP through k-1 iterative point additions. Question: Is it possible to compute K when the point Q is known? Answer: This is a hard problem known as the Elliptic Curve Discrete Logarithm (ECDLP). Q = (x 3,y 3 ) = 3(x 1,y 1 )

28 Scalar Multiplication Algorithms  K can be expanded to binary representation. INPUTK, P OUTPUT KP 1.Initialize Q[0] = , Q[1] = P 2for i = 0 to n-1 3 if k[i] = 1 then 4 Q[0] = ADD(Q[0],Q[1]) 5 end if 6 Q[1] = DBL(Q[1]) 7end for 8return Q[0] INPUTK, P OUTPUT KP 1.Initialize Q[0] = P 2for i = n-2 downto 0 3 Q[0] = DBL(Q[0]) 4 if k[i] = 1 then 5 Q[0] = ADD(Q[0],P) 6 end if 7end for 8return Q[0]

Finite Fields  GF(p) (Prime finite field)  Elements are integers modulo p (0,1..p-1)  Operations are performed modulo p.  The prime number p is called the modulus of GF(p).  GF(2 m ) (Binary finite field)  Elements are polynomials with degree < m and coefficients modulo 2  Operations are performed modulo a reduction polynomial with degree = m.  The reduction polynomial is called the irreducible polynomial of GF(2 m ). 29

ECC Algebraic Approach  In E/GF(p)  Addition  Doubling  In E/GF(2 m )  Addition  Doubling 30

Projective Coordinates  Projective coordinate system  (x, y) → (X, Y, Z) only 1 inversion.  Projective Coordinate Systems:  Homogenous (X/Z, Y/Z)  Jacobian (X/Z 2, Y/Z 3 )  Lopez-Dahab (X/Z, Y/Z 2 )  Mixed  Edwards Coordinates 31

Why Projective Coordinates ?  In E/GF(p)  One inversion operation costs  9 to 30 multiplications for 100 bits or more field elements  In E/GF(2 m )  One inversion operation costs  Multiplications w(m-1) = # of 1s in the binary representation of (m-1) Transferring the point coordinates into another coordinates that can eliminate the intermediate inversions is very important requirement Projective point Scalar Multiplication Affine point 32

33 Filed Arithmetic: GF(2 m )  Finite fields Computations:  coding theory and  public-key cryptosystems.  The most commonly used basis are:  polynomial basis (PB)  and normal basis (NB). rotation, shifting, and XORing

Challenges, Opportunities and more..  Efficient Designs and Architectures (Area, Time & Power):  Scalar Multiplication Algorithms  Projective Coordinate Systems  Field Arithmetic 34

Challenges, Opportunities and more..  Security Against Side Channel Attacks  Every computing device acts also as a source of additional information called side channel leak information  There are many side channel attacks in the literature Fault Data-dependent Power Consumed Operation dependent Data-and-operation dependent Execution time Data-and-operation dependent Magnetic field Operation dependent Data-and-operation dependent 35

Challenges, Opportunities and more..  Security Against Side Channel Attacks (a) Power consumption trace of ECC scalar multiplication. (b) Power consumption trace of ECC point doubling operation. 36

Challenges, Opportunities and more..  Implantations: ASIC, FPGA, Smart Cards, WSN, … 37

Challenges, Opportunities and more..  Parallel & Pipelined ECCs 38

THANKS & GOOD LUCK NEXT IS: 2 SCALAR MULTIPLICATION Dr. Turki F. Al-Somani