1 Elliptic Curve Cryptography Security (橢圓曲線密碼安全)
Department of Computer Science, National Chiao Tung University (交通大學 資訊工程系), 陳榮傑

2 Outline
[1] Discrete Logarithm Problem
[2] Cryptosystems Based on DLP
[3] Elliptic Curves
[4] Elliptic Curve DLP
[5] Signature Scheme: ECDSA
[6] ID-based Cryptosystems

3 [1] Discrete Logarithm Problem
Let G be a finite cyclic group of size n generated by g, i.e. G = <g> = {g^i | i = 1, 2, …, n} = {g^i | i = 0, 1, …, n-1}.
Given g and i, it is easy to compute g^i by repeated squaring.
Discrete logarithm problem: given a ∈ G, find x such that g^x = a. We denote x = log_g a.

4 Example 1
G = Z*_19 = {1, 2, …, 18}, n = 18, generator g = 2.
Then log_2 14 = 7 and log_2 6 = 14 (since 2^7 = 128 = 14 mod 19 and 2^14 = 6 mod 19).

5 Example 2
G = GF(2^3)* with irreducible polynomial p(x) = x^3 + x + 1, i.e. G = (Z_2[x]/p(x))* = {1, x, x^2, 1+x, 1+x^2, x+x^2, 1+x+x^2}, n = 7, generator g = x.
Then log_x(x+1) = 3, log_x(x^2+x+1) = 5 and log_x(x^2+1) = 6 (x^3 = x+1, x^5 = x^2+x+1, x^6 = x^2+1, x^7 = 1).

6 Algorithms for Discrete Log
A trivial algorithm
Shanks' algorithm (baby-step giant-step)*
Pollard rho discrete log algorithm
Pohlig-Hellman algorithm
The index calculus method

7 A trivial algorithm
Discrete logarithm problem in Z*_p: given generator g and a in Z*_p, find x in Z_{p-1} such that a = g^x mod p.
A trivial algorithm: compute g^i for all i, then search the table for a. Time complexity O(p).

8 Shanks' algorithm (1972)
Compute L1 = {(i, g^{mi}) : i = 0, 1, …, m-1} and L2 = {(i, a g^{-i}) : i = 0, 1, …, m-1}, where m = ceil((p-1)^{1/2}).
Sort L1 and L2 with respect to the 2nd coordinate.
Find a common 2nd coordinate in L1 and L2, say (q, g^{mq}) and (r, a g^{-r}), so that g^{mq} = a g^{-r}. Then a = g^{mq+r} and x = mq + r.
Time complexity O(m log m) = O(p^{1/2} log p) for the sort (with a hash table the lookups are expected O(m)). Space complexity O(p^{1/2}).

9 Example: log_2 15 mod 19 = ?
G = Z*_19 = {1, 2, …, 18}, g = 2, g^{-1} = 10, n = p-1 = 18, m = 5, g^m = 13, a = 15
  i | L1: (i, g^{mi})  | L2: (i, a g^{-i})
  0 | (0, 1)           | (0, 15)
  1 | (1, 13)          | (1, 17)   <- r = 1
  2 | (2, 17)  <- q = 2| (2, 18)
  3 | (3, 12)          | (3, 9)
  4 | (4, 4)           | (4, 14)
The common 2nd coordinate 17 gives q = 2 and r = 1, so x = mq + r = 5·2 + 1 = 11, i.e. log_2 15 mod 19 = 11 (check: 2^11 = 2048 = 15 mod 19).
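The baby-step giant-step search of slides 8 and 9, as an added Python example that is not part of the original slides. It is written against an abstract cyclic group (the `mul`, `inv` and `identity` arguments are this example's own interface, not notation from the slides) so that the same routine solves Example 1 in Z*_19 and Example 2 in GF(2^3)*, where field elements are encoded as bit vectors and reduced modulo x^3 + x + 1.

```python
from math import isqrt


def bsgs(g, a, n, mul, inv, identity):
    """Shanks' baby-step giant-step in a cyclic group of order n given by its
    operation `mul`, inversion `inv` and neutral element `identity`.
    Returns x in [0, n) with g^x = a, or None if a is not a power of g."""
    m = isqrt(n - 1) + 1                  # m = ceil(sqrt(n))
    g_inv = inv(g)
    baby = {}                             # a * g^-i -> i      (the slide's list L2)
    cur = a
    for i in range(m):
        baby.setdefault(cur, i)
        cur = mul(cur, g_inv)
    g_m = identity                        # g^m, the giant stride
    for _ in range(m):
        g_m = mul(g_m, g)
    cur = identity                        # g^(m*q), q = 0, 1, ... (the slide's list L1)
    for q in range(m):
        if cur in baby:                   # g^(mq) = a * g^-r  =>  a = g^(mq + r)
            return (m * q + baby[cur]) % n
        cur = mul(cur, g_m)
    return None


# --- Z_p^* (Example 1 / slide 9) ---------------------------------------------
def log_mod_p(g, a, p):
    return bsgs(g, a, p - 1,
                mul=lambda x, y: x * y % p,
                inv=lambda x: pow(x, -1, p),
                identity=1)


# --- GF(2^n)^* in polynomial basis (Example 2) --------------------------------
# Elements are ints whose bit i is the coefficient of x^i; `poly` is the
# irreducible polynomial in the same encoding, e.g. x^3 + x + 1 -> 0b1011.
def gf2n_mul(u, v, poly, n):
    r = 0
    for _ in range(n):
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if (u >> n) & 1:
            u ^= poly                     # reduce the overflowing x^n term
    return r


def gf2n_inv(u, poly, n):
    """u^(2^n - 2) = u^-1 in GF(2^n)^*, by square-and-multiply."""
    e, r, base = (1 << n) - 2, 1, u
    while e:
        if e & 1:
            r = gf2n_mul(r, base, poly, n)
        base = gf2n_mul(base, base, poly, n)
        e >>= 1
    return r


def log_gf2n(g, a, poly, n):
    return bsgs(g, a, (1 << n) - 1,
                mul=lambda x, y: gf2n_mul(x, y, poly, n),
                inv=lambda x: gf2n_inv(x, poly, n),
                identity=1)


if __name__ == "__main__":
    print(log_mod_p(2, 15, 19))                  # 11, as on slide 9
    print(log_gf2n(0b010, 0b011, 0b1011, 3))     # log_x(x + 1) = 3
```

The baby steps go into a dictionary instead of a sorted list, which is why the expected cost here is O(m) lookups rather than the O(m log m) sort on the slide; the memory cost of O(sqrt(n)) group elements is what makes the method impractical for cryptographic group sizes.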

10 The index calculus method
Suitable only for G = Z*_p (and other finite fields): it relies on group elements that factor over a small factor base of primes, a notion that elliptic curve groups do not have.

11 Example: log_5 9451 mod 10007 = ?
Choose B = {2, 3, 5, 7}. Of course log_5 5 = 1.
Use the lucky exponents 4063, 5136 and 9865:
5^4063 mod 10007 = 42 = 2 · 3 · 7
5^5136 mod 10007 = 54 = 2 · 3^3
5^9865 mod 10007 = 189 = 3^3 · 7
And we have three congruences:
log_5 2 + log_5 3 + log_5 7 = 4063 mod 10006
log_5 2 + 3 log_5 3 = 5136 mod 10006
3 log_5 3 + log_5 7 = 9865 mod 10006

12 There happens to be a unique solution modulo 10006:
log_5 2 = 6578, log_5 3 = 6190, and log_5 7 = 1301.
Choose a random exponent s = 7736 and compute a g^s = 9451 · 5^7736 mod 10007 = 8400.
Since 8400 = 2^4 · 3 · 5^2 · 7 factors over B, we obtain
log_5 9451 = (4 log_5 2 + log_5 3 + 2 log_5 5 + log_5 7 − s) mod 10006 = (4·6578 + 6190 + 2·1 + 1301 − 7736) mod 10006 = 6057.
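Both stages of the index calculus method from slides 10 to 12, as an added Python example that is not part of the original slides. The relation collection uses the three lucky exponents from slide 11, the linear system is solved modulo p − 1 = 10006, and the second stage searches random s until a·g^s is B-smooth. The small elimination routine is this example's own simplification: it only pivots on entries that are units modulo p − 1, which is enough for the slide's 3×3 system; a general solver works modulo each prime power of p − 1 and recombines with the CRT.

```python
from math import gcd
from random import Random


def factor_over_base(x, base):
    """Trial-divide x over the factor base B.
    Returns the exponent vector, or None if x is not B-smooth."""
    exps = []
    for prime in base:
        e = 0
        while x % prime == 0:
            x //= prime
            e += 1
        exps.append(e)
    return exps if x == 1 else None


def solve_mod(rows, rhs, n):
    """Gauss-Jordan elimination over Z_n for a system with a unique solution.
    n = p - 1 is composite, so only pivots coprime to n are used (simplification)."""
    m, k = len(rows), len(rows[0])
    A = [[v % n for v in row] + [b % n] for row, b in zip(rows, rhs)]
    for col in range(k):
        piv = next((i for i in range(col, m) if gcd(A[i][col], n) == 1), None)
        if piv is None:
            raise ValueError("no unit pivot for column %d; collect more relations" % col)
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, n)
        A[col] = [v * inv % n for v in A[col]]
        for i in range(m):
            if i != col and A[i][col]:
                f = A[i][col]
                A[i] = [(vi - f * vc) % n for vi, vc in zip(A[i], A[col])]
    return [A[i][k] for i in range(k)]


def index_calculus_log(p, g, a, base, relation_exponents, rng=None):
    """log_g(a) in Z_p^* by index calculus.
    Stage 1: for each exponent k, keep g^k mod p if it is B-smooth; its factorisation
             is a linear relation among the logs of the base primes. Solve modulo p - 1.
    Stage 2: pick random s until a * g^s mod p is B-smooth and read off the answer."""
    n = p - 1
    unknowns = [q for q in base if q != g]          # log_g(g) = 1 is known
    rows, rhs = [], []
    for k in relation_exponents:
        exps = factor_over_base(pow(g, k, p), base)
        if exps is None:
            continue                                 # not a lucky exponent
        rows.append([e for q, e in zip(base, exps) if q != g])
        rhs.append(k - (exps[base.index(g)] if g in base else 0))
    logs = dict(zip(unknowns, solve_mod(rows, rhs, n)))
    if g in base:
        logs[g] = 1
    rng = rng or Random(2024)                        # seeded only for reproducibility
    while True:
        s = rng.randrange(n)
        exps = factor_over_base(a * pow(g, s, p) % p, base)
        if exps is not None:
            x = (sum(e * logs[q] for q, e in zip(base, exps)) - s) % n
            return x, logs


if __name__ == "__main__":
    x, logs = index_calculus_log(10007, 5, 9451, [2, 3, 5, 7], [4063, 5136, 9865])
    print(logs, x)        # {2: 6578, 3: 6190, 7: 1301, 5: 1} 6057
```

The random s found in stage 2 will usually differ from the slide's 7736, but the logarithm it yields is the same, because log_5 9451 is unique modulo 10006. Stage 1 (the precomputation) is what makes index calculus devastating in practice: once the factor-base logs for a fixed (p, g) are known, every further logarithm to that base costs only the cheap stage 2.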

13 Complexity of Index Calculus
For factoring and for the discrete logarithm problem in finite fields F_q* there are index calculus algorithms (implemented with Number Field Sieve techniques). These have subexponential complexity O(exp(c (ln N)^{1/3} (ln ln N)^{2/3})).

14 [2] Cryptosystems based on DL
Key distribution: Diffie-Hellman, 1976
Encryption: Massey-Omura cryptosystem, 1983
Digital signature: ElGamal, 1985

15 Diffie-Hellman Key Exchange Algorithm
Global public elements: q, a prime number; α, a primitive root of q with α < q.
User A key generation: select private X_A < q; calculate public Y_A = α^{X_A} mod q.
User B key generation: select private X_B < q; calculate public Y_B = α^{X_B} mod q.
Generation of secret key by user A: K = (Y_B)^{X_A} mod q.
Generation of secret key by user B: K = (Y_A)^{X_B} mod q.

16 Diffie-Hellman Key Exchange
User A: generate random X_A < q; calculate Y_A = α^{X_A} mod q; send Y_A to B.
User B: generate random X_B < q; calculate Y_B = α^{X_B} mod q; send Y_B to A.
A computes K = (Y_B)^{X_A} mod q and B computes K = (Y_A)^{X_B} mod q; both equal α^{X_A X_B} mod q.
The exchanged values Y_A, Y_B are not authenticated here, so on their own they do not protect against an active attacker who substitutes his own values toward each side.

17 Massey-Omura for message transmission
Parameters: q, a prime number; e, a random private integer with 0 < e < q and gcd(e, q-1) = 1; d, the inverse of e, d = e^{-1} mod (q-1), i.e. de ≡ 1 mod (q-1); M, a message to be encrypted and decrypted.
User A wants to send a message M to user B. User A: e_A and d_A are both private. User B: e_B and d_B are both private.

18 Massey-Omura for message transmission
1. Encryption (1) by A: C1 = M^{e_A} mod q, sent to B
2. Encryption (2) by B: C2 = C1^{e_B} = M^{e_A e_B} mod q, sent to A
3. Encryption (3) by A: C3 = C2^{d_A} = (M^{e_A e_B})^{d_A} = M^{e_B} mod q, sent to B
4. Decryption by B: M = C3^{d_B} = M^{e_B d_B} mod q
The three passes commute because d_A e_A ≡ 1 mod (q-1); no key is shared in advance, but the passes carry no authentication of the two parties.

19 ElGamal encryption scheme
Parameters: p, a large prime; α, a primitive element of GF(p); a, a private key, a ∈ [1, p-1]; β, a public key, β = α^a (mod p); m, a message to be encrypted, m ∈ [1, p-1]; k, a random integer selected privately per message, k ∈ [0, p-2].
K = (p, α, a, β): public key (p, α, β) + private key a.
Encryption: e_K(m, k) = (y1, y2) where y1 = α^k mod p and y2 = m β^k mod p.
Decryption: m = d_K(y1, y2) = y2 · (y1^a)^{-1} mod p, since y1^a = α^{ak} = β^k.

20 ElGamal signature scheme
Parameters: p, a large prime; α, a primitive element of GF(p); x, a private key, x ∈ [1, p-1]; y, a public key, y = α^x (mod p); m, a message to be signed, m ∈ [1, p-1]; k, a random integer selected privately per signature, k ∈ [0, p-2] with gcd(k, φ(p)) = 1.
Signature: r = α^k mod p, and s is the solution of m = k s + r x mod φ(p) (φ(p) = p-1). (m, (r, s)) is sent to the verifier.
Verification: α^m = r^s y^r mod p. The signature (r, s) is accepted when the equality holds, since r^s y^r = α^{ks} α^{rx} = α^{ks+rx} = α^m.
In practice m is a hash of the message, and k must be fresh for every signature: two signatures made with the same k reveal k and therefore x.
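ElGamal encryption (slide 19) and signature (slide 20) in one place, as an added Python example that is not part of the original slides. The modulus p = 467 with α = 2 is a toy parameter chosen for this example (467 is prime and 2 is a primitive root, which the code checks); the message is signed as a bare integer exactly as the slide states, and the comment marks where a real implementation hashes first.

```python
from math import gcd
from random import SystemRandom

rng = SystemRandom()


def prime_factors(n):
    """Distinct prime factors of n by trial division (fine for toy sizes)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs


def is_primitive_root(alpha, p):
    """alpha generates Z_p^* iff alpha^((p-1)/r) != 1 for every prime r | p-1."""
    return all(pow(alpha, (p - 1) // r, p) != 1 for r in prime_factors(p - 1))


# --- ElGamal encryption (slide 19) --------------------------------------------
def keygen(p, alpha):
    a = rng.randrange(1, p - 1)                      # private a
    return a, pow(alpha, a, p)                       # public beta = alpha^a mod p


def encrypt(p, alpha, beta, m, k=None):
    """(y1, y2) = (alpha^k, m * beta^k) mod p with a fresh random k per message."""
    k = rng.randrange(1, p - 1) if k is None else k
    return pow(alpha, k, p), m * pow(beta, k, p) % p


def decrypt(p, a, y1, y2):
    """m = y2 * (y1^a)^-1 mod p, because y1^a = alpha^(ak) = beta^k."""
    return y2 * pow(pow(y1, a, p), -1, p) % p


# --- ElGamal signature (slide 20) ---------------------------------------------
def sign(p, alpha, x, m, k=None):
    """r = alpha^k mod p, s = (m - r x) k^-1 mod (p-1), so that m = k s + r x.
    The slide signs the integer m directly; real use signs H(message).
    k must be coprime to p-1 and must never be reused."""
    while True:
        kk = rng.randrange(1, p - 1) if k is None else k
        if gcd(kk, p - 1) == 1:
            break
        if k is not None:
            raise ValueError("k must be coprime to p-1")
    r = pow(alpha, kk, p)
    s = (m - r * x) * pow(kk, -1, p - 1) % (p - 1)
    return r, s


def verify(p, alpha, y, m, r, s):
    """Accept iff alpha^m == r^s * y^r mod p."""
    if not (0 < r < p):
        return False
    return pow(alpha, m, p) == pow(r, s, p) * pow(y, r, p) % p


if __name__ == "__main__":
    p, alpha = 467, 2                                # toy parameters (assumption)
    assert is_primitive_root(alpha, p)
    x = 127
    y = pow(alpha, x, p)
    r, s = sign(p, alpha, x, 100)
    print((r, s), verify(p, alpha, y, 100, r, s))   # True
    a, beta = keygen(p, alpha)
    print(decrypt(p, a, *encrypt(p, alpha, beta, 321)))  # 321
```

The check 0 < r < p in `verify` is not cosmetic: without it a forger can choose r outside the range and satisfy the congruence with values that are not real signatures, which is one of the classic ElGamal verification pitfalls.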

21 [3] Elliptic Curves over Fields of Characteristic p > 3
Curve form E: Y^2 = X^3 + aX + b where a, b ∈ F_q, q = p^n, 4a^3 + 27b^2 ≠ 0.
Group operation: given P1 = (x1, y1) and P2 = (x2, y2), compute P3 = (x3, y3) = P1 + P2 (the line through P and Q meets the curve in a third point, and P + Q is its reflection in the X-axis).
(Figure: points P, Q and P + Q = (x_{P+Q}, y_{P+Q}) on the curve.)

22 Example of EC over GF(p)
(Figure: P, Q and P + Q on a curve over GF(p).)

23 Computational cost (affine coordinates; I = field inversion, M = field multiplication)
Addition (P1 ≠ P2): I + 3M
Doubling (P1 = P2): I + 4M

24 Over Fields of Characteristic 2
Curve form E: Y^2 + XY = X^3 + aX^2 + b where a, b ∈ F_q, b ≠ 0, q = 2^n.
Group operation: given P1 = (x1, y1) and P2 = (x2, y2), compute P3 = (x3, y3) = P1 + P2.

25 Example of EC over GF(2^m)
(Figure.)

26 Addition (P1 ≠ P2) and Doubling (P1 = P2)
Computational cost: I + 2M + S (S = field squaring, which is cheap in characteristic 2).

27 [4] Elliptic Curve DLP
Basic computation of ECC: Q = kP = P + P + … + P (k copies), where P is a curve point and k is an integer.
Strength of ECC: given the curve, the point P and kP, it is hard to recover k. This is the Elliptic Curve Discrete Logarithm Problem (ECDLP).

28 Security of ECC versus DSA/RSA
Elliptic curve cryptosystems give the most security per bit of any known public-key scheme.
The ECDLP appears to be much more difficult than the integer factorisation problem and the discrete logarithm problem in Z_p: no index calculus algorithm is known for general elliptic curve groups, so the best known attacks are the generic ones (such as Pollard rho) with running time about sqrt(n) for a group of order n.
The strength of elliptic curve cryptosystems grows much faster with the key size than does the strength of RSA.

29 Elliptic Curve Security
  EC bits | MIPS-years | RSA bits
  120     | 10^12      | 1024
  320     | 10^36      | 5120
  600     | 10^78      | 21000
  1200    | 10^168     | 120000
A MIPS-year is the work done in one year by a computer that executes one million instructions per second.

30 ECC Benefits
ECC is particularly beneficial for applications where:
computational power is limited (ICCs, wireless devices, PC cards)
integrated circuit space is limited (ICCs, wireless devices, PC cards)
high speed is required
intensive use of signing, verifying or authenticating is required
signed messages are required to be stored or transmitted (especially short messages)
bandwidth is limited (wireless communications and some computer networks)

31 [5] Signature Scheme: ECDSA
Digital Signature Algorithm (DSA): proposed in 1991; adopted as a standard (FIPS 186) on December 1, 1994.
Elliptic Curve DSA (ECDSA): FIPS 186-2 in 2000.

32 Digital Signature Algorithm
Let L ≡ 0 mod 64 with 512 ≤ L ≤ 1024. Let p be an L-bit prime such that the DL problem in Z_p* is intractable, and let q be a 160-bit prime that divides p-1. Let α be a q-th root of 1 modulo p (an element of order q).
Define K = {(p, q, α, a, β) : β = α^a mod p}; p, q, α, β are the public key, a is private.

33 For a (secret) random number k, define sig(x, k) = (γ, δ), where γ = (α^k mod p) mod q and δ = (SHA-1(x) + aγ) k^{-1} mod q.
For a message (x, (γ, δ)), verification is done by performing the following computations:
e1 = SHA-1(x) · δ^{-1} mod q
e2 = γ · δ^{-1} mod q
ver(x, (γ, δ)) = true iff (α^{e1} β^{e2} mod p) mod q = γ.

34 Elliptic Curve DSA
Let p be a prime or a power of two, and let E be an elliptic curve defined over F_p. Let A be a point on E having prime order q, such that the DL problem in <A> is infeasible.
Define K = {(p, q, E, A, m, B) : B = mA}; p, q, E, A, B are the public key, m is private.

35 For a (secret) random number k, define sig(x, k) = (r, s), where kA = (u, v), r = u mod q and s = k^{-1}(SHA-1(x) + mr) mod q.
For a message (x, (r, s)), verification is done by performing the following computations:
i = SHA-1(x) · s^{-1} mod q
j = r · s^{-1} mod q
(u, v) = iA + jB
ver(x, (r, s)) = true if and only if u mod q = r.
If r = 0 or s = 0 the signer picks a new k; the verifier must also check 1 ≤ r, s ≤ q-1. As with ElGamal, k is a one-time secret: reusing it across two messages exposes the private key m.
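The affine group law of slides 21 to 23, scalar multiplication Q = kP from slide 27, and ECDSA signing and verification from slide 35, as one added Python example that is not part of the original slides. The curve y^2 = x^3 + 2x + 2 over F_17 with base point A = (5, 1) of prime order q = 19 is a toy parameter chosen for this example; SHA-1 is used because that is what the slide specifies (a modern deployment uses SHA-2 and a 256-bit curve). The last function, `recover_private_key`, is this example's own demonstration of the nonce-reuse failure mode: two signatures with the same k share r, and from them k and then m can be solved.

```python
import hashlib
from random import SystemRandom

# Toy curve (assumption of this example): y^2 = x^3 + 2x + 2 over F_17.
# It has exactly 19 points, so A = (5, 1) has prime order q = 19 (cofactor 1).
p, a, b = 17, 2, 2
A = (5, 1)
q = 19
O = None                                  # point at infinity


def ec_add(P1, P2):
    """Chord-and-tangent law in affine coordinates (characteristic p > 3).
    Addition: one inversion plus a few multiplications; doubling needs one more."""
    if P1 is O:
        return P2
    if P2 is O:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                          # P + (-P) = O, also covers 2P when y = 0
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p           # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def ec_mul(k, P):
    """Q = kP by double-and-add (slide 27's basic ECC computation)."""
    R = O
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R


def hash_int(msg):
    """SHA-1(x) reduced into Z_q, as in slide 35 (SHA-2 in modern practice)."""
    return int.from_bytes(hashlib.sha1(msg).digest(), "big") % q


def ecdsa_sign(msg, m, k=None):
    """(u, v) = kA, r = u mod q, s = k^-1 (SHA-1(x) + m r) mod q.
    k must be secret and fresh per signature; fixing it is allowed here only for the demo."""
    rng = SystemRandom()
    while True:
        kk = rng.randrange(1, q) if k is None else k
        if not 0 < kk < q:
            raise ValueError("k must lie in [1, q-1]")
        u, _ = ec_mul(kk, A)
        r = u % q
        s = pow(kk, -1, q) * (hash_int(msg) + m * r) % q
        if r and s:
            return (r, s)
        if k is not None:
            raise ValueError("r or s is zero for this k; choose another")


def ecdsa_verify(msg, sig, B):
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    i, j = hash_int(msg) * w % q, r * w % q
    R = ec_add(ec_mul(i, A), ec_mul(j, B))   # = (i + j m) A = k A for a valid signature
    return R is not O and R[0] % q == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Nonce reuse: equal r means equal k, and then
    k = (h1 - h2) / (s1 - s2),  m = (s1 k - h1) / r   (mod q).
    Returns None if the two r differ or s1 == s2 mod q."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or (s1 - s2) % q == 0:
        return None
    h1, h2 = hash_int(msg1), hash_int(msg2)
    k = (h1 - h2) * pow(s1 - s2, -1, q) % q
    return (s1 * k - h1) * pow(r1, -1, q) % q


if __name__ == "__main__":
    m = 7                                  # private key (assumption)
    B = ec_mul(m, A)
    sig = ecdsa_sign(b"hello", m)
    print(sig, ecdsa_verify(b"hello", sig, B))
```

Two properties worth seeing on the toy curve: for a fixed r exactly two values of s verify (s and q − s, the well-known ECDSA malleability), and any pair of signatures made with the same k hands the private key to whoever holds the two messages and signatures. The same algebra breaks real deployments that reuse or poorly randomise k; deterministic nonces derived from the key and message are the standard remedy.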

36 [6] ID-based Cryptosystem
Private Key Generator (PKG):
Setup: generate params and the master key.
Extract: generate KR_IDBob from ID_Bob and the master key. ID_Bob is an arbitrary, meaningful string.
Bob authenticates himself to the PKG (ID_Bob) and receives KR_IDBob.
Alice uses (params, ID_Bob) to encrypt or verify; Bob uses KR_IDBob to decrypt or sign.

37 Certificate-based Cryptosystem
Certificate Authority (CA): KU_Bob is random. Bob authenticates himself (KU_Bob) to the CA and obtains Certificate(Bob, KU_Bob), which is passed on to Alice.
Alice uses KU_Bob from the certificate to encrypt or verify; Bob uses KR_Bob to decrypt or sign.

38 ID-based Encryption Scheme
Proposed by Boneh and Franklin (Crypto 2001): the first complete and efficient scheme.
Bilinear pairing: G1, an additive group generated by P, ord(P) = q; G2, a multiplicative group of the same order q. Assume that the DLP in G1 and in G2 is hard. Let e: G1 × G1 → G2 satisfy:
1. Bilinear: e(P1 + P2, Q) = e(P1, Q) e(P2, Q) and e(P, Q1 + Q2) = e(P, Q1) e(P, Q2)
2. Non-degenerate: ∃ P, Q ∈ G1 such that e(P, Q) ≠ 1
3. Computability
Bilinear Diffie-Hellman (BDH) assumption: given P, aP, bP, cP ∈ G1, computing e(P, P)^{abc} is HARD.

39 ID-based Encryption Scheme
System: a k-bit prime p with p ≡ 2 mod 3 and p = 6q − 1; E: y^2 = x^3 + 1 over F_p.
Setup: (1) choose P ∈ E/F_p of order q; (2) pick a random s ∈ Z_q* and set P_pub = sP; (3) two hash functions H1: {0,1}* → G1* (MapToPoint) and H2: G2 → {0,1}^n for some n.
Extract: given an ID ∈ {0,1}*, build the private key S_ID as follows: Q_ID = H1(ID); set d_ID = s Q_ID, where s is the master key.
Params: <p, q, P, P_pub, H1, H2>. Master key: s.

40 ID-based Encryption Scheme
Encrypt: use MapToPoint to map ID to Q_ID; choose a random r ∈ Z_q*; C = <rP, M ⊕ H2(e(Q_ID, P_pub)^r)>.
Decrypt: let C = <U, V>; if U is not a point of order q then reject; M = V ⊕ H2(e(d_ID, U)).
Correctness: with d_ID = s Q_ID and P_pub = sP, e(d_ID, U) = e(sQ_ID, rP) = e(Q_ID, P)^{sr} = e(Q_ID, sP)^r = e(Q_ID, P_pub)^r.
This is the BasicIdent scheme, which is secure only against chosen-plaintext attacks; Boneh and Franklin's FullIdent applies the Fujisaki-Okamoto transform to obtain chosen-ciphertext security.

41 Weil Pairing
(Def) Weil pairing e_m: E[m] × E[m] → μ_m, where E[m] is called the m-torsion group and μ_m is the group of m-th roots of unity.
Given P, Q ∈ E[m], ∃ D_P, D_Q ∈ Div^0 such that D_P ~ (P) − (O) and D_Q ~ (Q) − (O). Also ∃ f_P, f_Q such that div(f_P) = m D_P and div(f_Q) = m D_Q. Suppose supp(D_P) ∩ supp(D_Q) = ∅. Then e_m(P, Q) = f_P(D_Q) / f_Q(D_P).

42 Security in GSM Network
Authentication: provided by the pre-shared secret key Ki; challenge-response protocol.
Encryption/decryption: provided by the session key Kc derived during the authentication phase; applied on the wireless link only (not end-to-end security).

43 End-to-end security for SMS (short message service)
RSA Mechanism

44 End-to-end security for SMS
ID-based Mechanism

