Security of Using Special Integers in Elliptic Scalar Multiplication
Mun-Kyu Lee, Jin Wook Kim, Kunsoo Park
School of CSE, Seoul National University

1. Preliminaries

Elliptic Curve
• A curve of the form y^2 + xy = x^3 + ax^2 + b or y^2 = x^3 + ax + b
• There are many cryptosystems that use elliptic curve operations.

Elliptic Curve Operations [1]
• Point Addition: R = P + Q
  – First, draw the line through P and Q.
  – Then this line intersects the elliptic curve in a third point.
  – Define R = P + Q (the sum of P and Q) as the reflection of this point in the x-axis.

Elliptic Curve Operations [2]
• Point Doubling: R = 2P
  – First, draw the tangent line to the curve at P.
  – Then this line intersects the curve in a second point.
  – Define R = 2P (the double of P) as the reflection of this point in the x-axis.

Elliptic Curve Operations [3]
• Scalar Multiplication kP
  – For a nonnegative integer k and a point P, scalar multiplication kP is defined as
      0P = O for k = 0, where O is the “point at infinity”, which is the additive identity element;
      kP = (k-1)P + P for k > 0.

ECDLP
• Elliptic Curve Discrete Log Problem
  – Given two points P and Q on an elliptic curve,
  – ECDLP is to find k such that kP = Q.

Scalar Mult. vs. ECDLP
• Scalar Multiplication: k, P → Q = kP
  – Efficient
• ECDLP: P, Q → k s.t. Q = kP
  – Computationally infeasible
  – Hence, security of elliptic curve based cryptosystems is based on this problem.

The purpose of this paper
• is to develop a technique to find harder instances of ECDLP, while keeping the efficiency of a scalar multiplication at the same level.

2. Previous Results: Efficient Scalar Mult. Algos.

[1] Binary Method
• To compute Q = kP,
  – represent k in binary form.
  – scan each bit of k from left to right.
  – if the bit is 1, do a doubling and an addition; if the bit is 0, do a doubling only.
• Example: 61P = (1, 1, 1, 1, 0, 1)_(2) P
  P → DBL 2P → ADD 3P → DBL 6P → ADD 7P → DBL 14P → ADD 15P → DBL 30P → DBL 60P → ADD Q = 61P

[1] Binary Method
• Complexity
  – log k doublings and
  – HW(k)-1 additions, where HW(k) is the Hamming weight of k, i.e., the number of 1’s in the binary representation of k.

[2] Signed Binary Method
• [Morain, Olivos 90]
• Use the following facts.
  – For a point P on an elliptic curve, computation of an additive inverse -P is almost free. For example, on y^2 = x^3 + ax + b, -P is the reflection of P in the x-axis: P = (x, y), -P = (x, -y).
  – Hence, a subtraction P - Q has the same complexity as that of an addition P + Q.

[2] Signed Binary Method
• To compute Q = kP,
  – convert k to a signed binary representation k’ with a smaller number of nonzero digits than k.
  – if a digit is 1, do a doubling and an addition; if a digit is -1, do a doubling and a subtraction; if a digit is 0, do a doubling only.
• Example: 61P = ( )P = (1, 0, 0, 0, -1, 0, 1)P
  P → DBL 2P → DBL 4P → DBL 8P → DBL 16P → SUB 15P → DBL 30P → DBL 60P → ADD Q = 61P

[2] Signed Binary Method
• Complexity
  – log k doublings and
  – SHW(k)-1 additions/subtractions, where SHW(k) is the signed Hamming weight of k, i.e., the number of nonzeros in the signed binary representation of k.

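The binary and signed binary methods above, run side by side on 61P with their operation counts; this is an added Python example, not code from the original slides. The toy curve y^2 = x^3 + 2x + 3 over F_97, the point (0, 10) and all function names are constructed for illustration.

```python
P_MOD, A = 97, 2   # constructed toy curve y^2 = x^3 + 2x + 3 over F_97
O = None           # point at infinity (additive identity)

def neg(P):
    """-P is the reflection of P in the x-axis: (x, -y)."""
    return O if P is O else (P[0], -P[1] % P_MOD)

def add(P, Q):
    """Affine point addition; P == Q is handled as a doubling."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O                               # Q = -P
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def binary(k):
    """Binary digits of k, most significant first."""
    return [int(b) for b in bin(k)[2:]]

def naf(k):
    """Signed binary (nonadjacent form) digits of k, most significant first."""
    digits = []
    while k:
        d = 2 - k % 4 if k & 1 else 0          # +1 or -1 for odd k
        digits.append(d)
        k = (k - d) // 2
    return digits[::-1]

def scalar_mult(digits, P):
    """Left-to-right scan; returns (kP, doublings, additions/subtractions)."""
    Q, dbl, addsub = P, 0, 0                   # leading digit is 1
    for d in digits[1:]:
        Q, dbl = add(Q, Q), dbl + 1
        if d:
            Q, addsub = add(Q, P if d == 1 else neg(P)), addsub + 1
    return Q, dbl, addsub

if __name__ == "__main__":
    P = (0, 10)                                # on the toy curve: 10^2 = 3 mod 97
    print(scalar_mult(binary(61), P), scalar_mult(naf(61), P))
```

Both calls return the same point; the binary digits cost 5 doublings and 4 additions, the signed digits 6 doublings and 2 additions/subtractions.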

[3] AMV method
• In many elliptic curve based systems, we compute kP for a randomly chosen k.
• [Agnew, Mullin, Vanstone 93]
  – Choose special k’s that have small HW(k) to reduce the number of additions.
  – Specifically, generate random k’s of length m in a binary form s.t. HW(k) = w for a fixed small w.
  – One can control the Hamming weight, and thus the number of additions.

[3] AMV method
• Example: m = 8, w = 3
  0. Initially, there are 8 empty bits.
  1. Choose 3 random positions for ‘1’.
  2. Set them as ‘1’ and others as ‘0’.
  k = (1, 0, 1, 0, 0, 0, 0, 1)
  For kP, we need 7 doublings and 2 additions.

3. Proposed Method

Our Method
• Use special k’s
  – Generate random k’s that have small SHW(k).
  – Specifically, generate random k’s of length m in a signed binary form s.t. SHW(k) = w for a fixed small w.
• More secure than the AMV selection method, i.e., random selection of k’s with HW(k) = w.
  – (Recall that an ECDLP is to find k such that kP = Q.)
  – The number of possible k’s in our method is much larger,
  – while the amount of computation is the same, i.e., m-1 doublings and w-1 additions/subtractions, in both of the methods.

Naïve Approach
• In order to generate a random k of length m s.t. SHW(k) = w,
  – randomly select w locations for nonzero digits out of m possible digits of k,
  – and then assign ‘1’ or ‘-1’ to each of these digits randomly.
• Problem
  – k’s are not unique. Hence, the search space for k is much smaller than what we have intended.
  – Example: m = 6, w = 3: (1, 0, 0, 1, 0, -1) = (1, 0, 0, 0, 1, 1) = 35

Solution
• Select k’s in the nonadjacent form (NAF).
  – NAF is a signed binary representation with the property that no two consecutive digits are nonzero.
  – A number’s NAF is unique.
• Possible representations of 35:
  – (1, 0, 0, 1, 0, -1): in NAF
  – (1, 0, 0, 0, 1, 1): not in NAF


Selection Algorithm
• Now, we want to generate a random k of length m in NAF s.t. SHW(k) = w to guarantee the uniqueness of k.
• To satisfy the NAF property, we use ‘10’ and ‘-10’ as single nonzero units instead of ‘1’ and ‘-1’.
• The algorithm has six steps.

Step 1
• Initially there is an array of m - w + 1 consecutive empty slots.
  Example: m = 8, w = 3 (m - w + 1 = 6)

Step 2
• Assign two-digit binary number 10 to the first slot to guarantee that k > 0 and that k has exactly m digits.
  Example: m = 8, w = 3 (first slot: 10)

Step 3
• Choose w - 1 random slots out of the remaining m - w slots and assign 10 or -10 randomly to each of them.
  Example: m = 8, w = 3 (w - 1 = 2, m - w = 5)

Step 4
• Assign 0 to each remaining slot.
  Example: m = 8, w =

Step 5
• Concatenate all slots to get a number k with m + 1 signed binary digits.
• Note that, for now, k is always even.
  Example: m = 8, w =
  (1, 0, 0, -1, 0, 0, 0, 1, 0): 9 digits

Step 6
• Set k = k / 2
  Example: m = 8, w = 3
  (1, 0, 0, -1, 0, 0, 0, 1, 0): 9 digits
  k = (1, 0, 0, -1, 0, 0, 0, 1): 8 digits
  For kP, we need 7 DBLs and 2 ADD/SUBs.

Distribution of k’s
• k’s generated by this algorithm are unique.
• k’s generated by this algorithm form a uniform distribution of k’s that have m digits and satisfy SHW(k) = w.

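The six selection steps, plus the naive approach they replace, as an added Python example (not code from the original slides) that can be enumerated for small m and w to check the uniqueness claim. Function names are this example's own, and `secrets.SystemRandom` as the randomness source is an assumption.

```python
import secrets
from collections import Counter
from itertools import combinations, product

def value(digits):
    """Integer value of signed-binary digits, most significant first."""
    return sum(d << i for i, d in enumerate(reversed(digits)))

def is_naf(digits):
    """NAF property: no two consecutive digits are nonzero."""
    return all(a == 0 or b == 0 for a, b in zip(digits, digits[1:]))

def slots_to_digits(slots):
    """Steps 4-6: nonzero slot s -> unit (s, 0), empty slot -> 0; drop last 0 (k/2)."""
    digits = []
    for s in slots:
        digits += [s, 0] if s else [0]
    return digits[:-1]

def fill_slots(m, w, pos, signs):
    """Steps 1-3 for given slot positions and signs (first slot is always '10')."""
    slots = [1] + [0] * (m - w)
    for i, s in zip(pos, signs):
        slots[i] = s
    return slots_to_digits(slots)

def select_k(m, w, rng=None):
    """Random m-digit NAF with SHW = w, drawn with a CSPRNG (k is a secret)."""
    if w < 1 or m < 2 * w - 1:
        raise ValueError("need w >= 1 and m >= 2w - 1")
    rng = rng or secrets.SystemRandom()
    pos = rng.sample(range(1, m - w + 1), w - 1)
    return fill_slots(m, w, pos, [rng.choice((1, -1)) for _ in pos])

def all_outputs(m, w):
    """Every digit string the six steps can produce, each exactly once."""
    return [fill_slots(m, w, pos, signs)
            for pos in combinations(range(1, m - w + 1), w - 1)
            for signs in product((1, -1), repeat=w - 1)]

def naive_value_counts(m, w):
    """Naive approach: any w of m positions, any signs; representations per value."""
    return Counter(sum(s << (m - 1 - i) for i, s in zip(pos, signs))
                   for pos in combinations(range(m), w)
                   for signs in product((1, -1), repeat=w))

if __name__ == "__main__":
    d = select_k(8, 3)                         # the slides' example parameters
    print(d, value(d), len(all_outputs(8, 3)))
```

For m = 8, w = 3 the enumeration yields 40 digit strings with 40 distinct values, while the naive approach for m = 6, w = 3 reaches 35 through more than one representation.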
4. Security Analysis

Security Against BSGS
• With k’s of special forms, the best possible attack algorithm against the ECDLP is the baby-step giant-step algorithm, which is a time-memory trade-off version of the exhaustive search.
• Hence, k’s with a larger search space are more secure against this attack.
• Now we compare the size of the search space of our method with that of the AMV method.

Comparison of the Sizes of Search Spaces for k
                              AMV                    Our Method
# digits                      m                      m
# nonzeros                    w                      w
sizes of search spaces
complexity of a scalar mult.  m-1 DBLs, w-1 ADDs     m-1 DBLs, w-1 ADD/SUBs

Comparison in Typical Settings
• The size of the search space of our method is much larger.
• Our method is expected to be more secure.