Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Elliptic Curve Cryptography

Similar presentations


Presentation on theme: "Introduction to Elliptic Curve Cryptography"— Presentation transcript:

1 Introduction to Elliptic Curve Cryptography
CSIS 5857: Encoding and Encryption

2 RSA vs. Elliptic Curve RSA requires very large key size
Recommended minimum: 1024 bits (as opposed to for AES) Speed of RSA proportional to key size Fast modular exponentiation Possible alternative: Elliptic Curve Cryptography Not directly related to ellipses (special case) 160 bit ECC key equivalent to 1024 bit RSA key Based on faster operations

3 Elliptic Curve Mathematics
General mathematical form (Weierstraus equation): y2 = x3 + ax + b For some a, b (curve parameters)

4 Elliptic Curve Encryption
Encryption: Transforming points on curve (P, KPU) into other point on same curve (C) Main idea (Abelian group): Need a definition of “+” so that “sum” of two points on a curve is also on the same curve R = P + Q where P = (xP, yP) Q = (xQ, yQ) R = (xR, yR)

5 Elliptic Curve Addition Cases
Case 1: R based on line formed by P, Q (xP ≠ xQ, yP ≠ yQ) Equations:  = (yQ – yP) / (xQ – xP) xR = 2 – xP – xQ yR = (xP – xR) – yP

6 Elliptic Curve Addition Cases
Case 2: P = Q, R based on tangent to curve (xP = xQ, yP = yQ) Equations: xR = ((3xP2 + a) / 2yP)2 - 2xP yR = ((3xP2 + a) / 2yP)2(xP – xR) – yP

7 Elliptic Curve Addition Cases
Case 3: P = -Q, line does not intercept curve (xP = xQ, yP ≠ yQ) R = “0” (additive identity) Point at infinity 0 = -0

8 Elliptic Curves over Zp
Encryption requires modular arithmetic Must be difficult to recover original points from R. Modular arithmetic prevents “working backward”, as in RSA Define “curve” as Ep(a, b) where p is the modulus, a, b are the coefficients of y2 = x3 + ax + b Looking for (x, y) such that y2 = (x3 + ax + b) mod p Note: “points” on curve are integers

9 Finding Points on a Zp Curve
Example: Points on elliptic curve y2 = x3 + x + 1 over GF(13): Must find integer values for x, y < 13 such that (y2) mod 13 = (x3 + x + 1) mod 13 x = 0: y2 mod 13 = 1 mod y = 1 y = 1, (-1 mod 13 = 12) x = 1: y2 mod 13 = 3 mod 13 y =  (16 mod 13 = 3) y = 4, 9

10 Finding Points on a Zp Curve
Note: Not all values of x have a corresponding y x = 2: y2 mod 13 = 11 mod No solution for y (Can test all y < 13) x = 3: y2 mod 13 = 31 mod 13 = No solution for y (Can test all y < 13) x = 4: y2 mod 13 = 69 mod 13 = 4 y = 2 y = 2, 11

11 Finding Points on a Zp Curve
Points on elliptic curve y2 = x3 + x + 1 over GF(13):

12 Elliptic Curve Mathematics
Computing (xR, yR) = (xP, yP) + (xQ, yQ) Necessary to turn 2 points corresponding to key, plaintext into point corresponding to ciphertext Main ideas: Addition/subtraction/multiplication in mod p Division = multiplication by inverse mod p

13 Example: (4, 2) + (10, 6) on E13(1, 1) step 1: compute  = (yQ – yP) / (xQ – xP)  = (6 – 2) x (10 – 4)-1 mod 13 = 4 x 6-1 mod mod 13 = 11 = 4 x 11 mod 13 = 5 step 2: compute xR =  2 – xP – xQ xR = 25 – 4 – 10 mod 13 = 11 step 3: compute yR = (xP – xR) – yP yR = 5 x (4 – 11) – 2 mod 13 = 2 (4, 2) + (10, 6) = (11, 2) note: also on curve!

14 Multiplication on an Elliptic Curve
Multiplication = addition multiple times Necessary for some forms of elliptic curve cryptography Must use formula where P = Q for first addition Example: 3 x (1, 4) on E13(1, 1) 3 x (1, 4) = ((1, 4) + (1, 4)) + (1, 4) = (8, 1) + (1, 4) = (1, 9)

15 Elliptic Curve Encryption
Generally based on using elliptic curves in place of exponentiation in existing public key algorithm Examples: Elliptic Diffie-Hellman Elliptic ElGamal

16 Elliptic Curve Diffie-Hellman
Alice and Bob agree on global parameters: Ep(a, b): Elliptic curve mod P (prime) with parameters a and b G : “Generator” point on that elliptic curve Example: P = Ep(0, -4) the curve y2 = x G = (2, 2)

17 Elliptic Curve Diffie-Hellman
Alice and Bob select private nA and nB They each generate a public PA and PB as PA = nA x G and PB = nB x G They exchange these values Example: nA = PA = 121 x (2, 2) = (115, 48) nB = PB = 203 x (2, 2) = (130, 203) (115, 48) (130, 203)

18 Elliptic Curve Diffie-Hellman
Alice and Bob generate the same key k k = PB x nA = PA x nB Proof: PB x nA = G x nB x nA PA x nB = G x nA x nB Example: 121 x (130, 203) = 203 x (115, 48) = (161, 69)

19 Elliptic Curve ElGamal
Generating public and private keys: Bob chooses an Ep(a, b) for an elliptic curve in Zp Bob chooses a point (x1, y1) on that curve Bob chooses a secret integer multiplier d < p Bob computes a second point (x2, y2) on the curve as (x2, y2) = d  (x1, y1) public key: the values p, a, and b that define the curve the two points (x1, y1) and (x2, y2) private key: the multiplier d

20 Elliptic Curve ElGamal
Encryption: Alice selects a point P on Ep(a, b) that corresponds to the plaintext message she wishes to send Alice selects a random multiplier r Alice creates the ciphertext as two points on the curve: C1 = r  (x1, y1) C2 = P + r  (x2, y2)

21 Elliptic Curve Encryption
Decryption: Bob computes the plaintext as: P = C2 – (d  C1)) Why does this work? P = C2 – (d  C1)) = (P + r  (x2, y2) ) – (d  r  (x1, y1) )) = (P + d  r  (x1, y1) ) – (d  r  (x1, y1) )) = P

22 Elliptic Curve ElGamal

23 Security and Speed Why is this secure? Why is this fast?
Same type of inverse modular problem (elliptic curve logarithm problem) No simple way to determine d from (x1, y1) and (x2, y2) without trying all possible values Computationally secure as long as p large enough to prevent this (2160 for example) Why is this fast? Only uses addition and multiplication – no exponents!

24 Elliptic Curves over GF(2n)
Represent points as polynomials {0, 1, g, g2, g3…} mod some irreducible polynomial in GF(2n) Sort of like GF in AES Added security Slightly different equation used: y2 + xy = x3 + ax2 + b Example: GF(23) using x3 + x + 1 as mod 1 g g2 g3 = g+1 g4 = g2+g g5 = g2+g+1 g5 = g2+1 000 001 010 100 011 110 111 101

25 Elliptic Curves over GF(2n)
Points on elliptic curve y2 + xy = x3 + ax2 + b for a = g3 and b = 1


Download ppt "Introduction to Elliptic Curve Cryptography"

Similar presentations


Ads by Google