《椭圆曲线密码技术.ppt》由会员分享,可在线阅读,更多相关《椭圆曲线密码技术.ppt(55页珍藏版)》请在三一文库上搜索。
1、橢圓曲線密碼技術,交通大學 資訊工程系 陳榮傑 http:/www.cs.nctu.edu.tw/rjchen/ECC2012S/,Outline,1 Discrete Logarithm Problem 2 Algorithms for Discrete Logarithm 3 Cryptosystems Based on DLP 4 Elliptic Curves 5 Elliptic Curve DLP 6 Signature Scheme: ECDSA 7 How to find secure ECs? 8 Hyperelliptic Curves 9 ID-based Cryptos
2、ystems 10 Pairing-based Cryptography,Let G is a finite cyclic group of size n generated by generator g, i.e. G = = g i | i = 1, 2, , n or g i | i = 0, 1, , n-1 Given g and i, it is easy to compute gi by repeated squaring Discrete logarithm problem Given , find x such that We denote,1 Discrete Logari
3、thm Problem,Example 1 G = Z19*= 1, 2, , 18 n=18, generator g = 2 then log214 = 7 log26 = 14,Example 2 G=GF*(23) with irreducible poly. p(x)=x3+x+1 G=Zn*/p(x)= 1, x, x2, 1+x, 1+x2, x+x2, 1+x+x2 n=7, generator g = x then logx(x+1) = 3 logx(x2+x+1) = 5 logx(x2+1) = 6,Example 3 Let p =105354628039501697
4、5304616582933958731948871814925913489342608734258717883575185867300386287737705577937382925873762451990450430661350859682697410256268271147283034897563214300237166369174066615907176472549470083113107138189921280884003892629359 NB: p = 158(2800 + 25) + 1 and has 807 bits. Find x in Z, such that 2x =
5、3 mod p,2 Algorithms for Discrete Logarithm,trivial algorithm Shanks algorithm (Baby-step giant-step) Pollard rho discrete log algorithm Pohlig-Hellman algorithm The index calculus method*,The index calculus method,The index calculus method (Suitable only for G=Zp*),Example log59451 mod 10007=? Choo
6、se B=2, 3, 5, 7. Of course log55=1. Use lucky exponents 4063, 5136, and 9865 54063 mod 10007 = 42 = 2 * 3 * 7 55136 mod 10007 = 54 = 2 * 33 59865 mod 10007 = 189 = 33 * 7 And we have three congruences: log52 + log53 + log57 = 4063 mod 10006 log52 + 3 log53 = 5136 mod 10006 3 log53 + log57 = 9865 mod
7、 10006,There happens to be a unique solution modulo 10006 log52=6578, log53=6190, and log57=1301 Choose random exponent s = 7736 and try to calculate ags = 9451*57736 mod 10007 = 8400 Since 8400 = 24*3*52*7 factors over B, we obtain log59451 = (4 log52 + log53 + 2 log55 + log57 s) mod 10006 = (4*657
8、8 + 6190 + 2*1 +1301 7736) mod 10006 = 6057 mod 10006,Complexity of Index Calculus,For factoring and the discrete logarithm problem in finite fields Fq* there are index calculus algorithm (implemented with Number Field Sieve technique) These have subexponential complexity O(exp(c(lnN)1/3(lnlnN)2/3),
9、3 Cryptosystems based on DL,Key Distribution Diffie-Hellman, 1976 Encryption Massey-Omura cryptosystem, 1983 Digital Signature ElGamal, 1985,Diffie-Hellman Key Exchange Algo,Global Public Elements q : prime number : q and is a primitive root of q User A Key Generation Select private XA : XA q Calcul
10、ate public YA : YA= XA mod q User B Key Generation Select private XB : XB q Calculate public YB : YB= XB mod q Generation of Secret Key by User A K = (YB)XA mod q Generation of Secret Key by User B K = (YA)XB mod q,User A,User B,Generate random XA q ; Calculate YA = XA mod q Calculate K = (YB)XA mod
11、 q,Generate random XB q ; Calculate YB = XB mod q Calculate K = (YA)XB mod q,YA,YB,Diffie-Hellman Key Exchange,Massey-Omura for message transmission,Parameters q : prime number e : a random private integer 0 e q and gcd ( e, q-1) = 1 d : an inverse of e d = e-1 mod q-1 , i.e., de1 mod q-1 M : a mess
12、age to be encrypted and decrypted User A wants to send a message M to User B User A : eA and dA are both private User B : eB and dB are both private,User A,User B,1.Encryption(1) C1 = M eA mod q 3.Encryption(3) C3 = C2dA = (M eAeB)dA = M eB mod q,2.Encryption(2) C2 = C1eB = M eAeB mod q 4. Decryptio
13、n M = C3dB = M eBdB mod q,Massey-Omura for message transmission,C1,C2,C3,ElGamal signature scheme,1985 ElGamal Parameters p : a large prime : a primitive number in GF(p) x : a private key, x 1, p-1 y : a public key , y = x (mod p) m : a message to be signed , m 1, p-1 k : a random integer that is pr
14、ivately selected, k 0, p-2 Signature r = k mod p m = ks + rx mod (p) ,where GCD( k, (p) ) = 1 ( m , (r,s) ) is sent to the verifier Verification m = rs yr mod p The signature (r,s) is accepted when the equality holds true.,ElGamal encryption scheme,Parameters p : a large prime : a primitive number i
15、n GF(p) a : a private key, a 1, p-1 : a public key , = a (mod p) m : a message to be signed , m 1, p-1 k : a random integer that is privately selected, k 0, p-2 K = (p, , a, ) : public key + private key Encryption eK(m, k)=(y1, y2) where y1 = k mod p and y2=mk mod p Decryption m = dK(y1, y2) = y2(y1
16、a)-1 mod p,(xP+Q, yP+Q),(xP+Q, yP+Q),4 Elliptic Curves,Over Fields of Characteristic p3 Curve form E: Y2 = X3 + aX + b where a, b Fq, q = pn 4a3+27b20 Group operation given P1(x1,y1) and P2(x2,y2) compute P3(x3,y3) = P1+P2,Example:,P,-P,Q,P+Q,Example of EC over GF(p),Addition (P1P2) Doubling (P1=P2)
17、,Computational Cost I + 3 M,Computational Cost I + 4 M,Over Fields of Characteristic 2 Curve form E: Y2 + XY = X3 + aX2 + b where a, b Fq, b0, q = 2n Group operation given P1(x1,y1) and P2(x2,y2) compute P3(x3,y3) = P1+P2,Example of EC over GF(2m),Addition (P1P2) Doubling (P1=P2),Computational Cost
18、I + 2 M + S,Computational Cost I + 2 M + S,5 Elliptic Curve DLP,Basic computation of ECC Q = kP = where P is a curve point, k is an integer Strength of ECC Given curve, the point P, and kP It is hard to recover k - Elliptic Curve Discrete Logarithm Problem (ECDLP),Security of ECC versus RSA/ElGamal
19、Elliptic curve cryptosystems give the most security per bit of any known public-key scheme. The ECDLP problem appears to be much more difficult than the integer factorisation problem and the discrete logarithm problem of Zp. (no index calculus algo!) The strength of elliptic curve cryptosystems grow
20、s much faster with the key size increases than does the strength of RSA.,Elliptic Curve Security,NIST Recommended Key Sizes,ECC Benefits ECC is particularly beneficial for application where: computational power is limited (wireless devices, PC cards) integrated circuit space is limited (wireless dev
21、ices, PC cards) high speed is required. intensive use of signing, verifying or authenticating is required. signed messages are required to be stored or transmitted (especially for short messages). bandwidth is limited (wireless communications and some computer networks).,6 Signature Scheme: ECDSA,Di
22、gital Signature Algorithm (DSA) Proposed in 1991 Was adopted as a standard on December 1, 1994 Elliptic Curve DSA (ECDSA) FIPS 186-2 in 2000,Digital Signature Algorithm (DSA),Let p be a L-bit prime such that the DL problem in Zp* is intractable, and let q be a 160-bit prime that divides p-1. Let be
23、a qth root of 1 modulo p. Define K= (p,q,a,): =a mod p p,q, are the public key, a is private,L=0 mod 64, 512L1024,For a (secret) random number k, define sig (x,k)=(,), where =(k mod p) mod q and =(SHA-1(x)+a)k-1 mod q For a message (x,(,), verification is done by performing the following computation
24、s: e1=SHA-1(x)*-1 mod q e2=*-1 mod q ver(x,(,)=true iff. (e1e2 mod p) mod q=,Elliptic Curve DSA,Let p be a prime, and let E be an elliptic curve defined over Fp. Let A be a point on E having prime order q, such that DL problem in is infeasible. Define K= (p,q,E,A,m,B): B=mA p,q,E,A,B are the public
25、key, m is private,For a (secret) random number k, define sigk(x,k)=(r,s), where kA=(u,v), r=u mod q and s=k-1(SHA-1(x)+mr) mod q For a message (x,(r,s), verification is done by performing the following computations: i=SHA-1(x)*s-1 mod q j=r*s-1 mod q (u,v)=iA+jB ver(x,(r,s)=true if and only if u mod
26、 q=r,7 How to find secure elliptic curves ?,(1) Randomly choose a, b, p and calculate #Elliptic curve (y2=x3+ax+b) until #E = a prime q, where #E is calculate by using Schoof-Elkies-Atkin algorithm (2) (Complex multiplication method) Given a big prime q, find p, a, b such that #Elliptic curve (y2=x3
27、+ax+b) = q,8 Hyperelliptic Curves,1. Definition of HC 2. Example of HC (rational points of HC do not form a group) 3. Divisor 4. Jacobian (Jacobian is a group) 5. HCDLP,Definitions of hyperelliptic curves,A hyperelliptic curve C of genus g over a finite field K (g1) C : y2 + h(x)y = f(x) where h(x)
28、Kx is a polynomial of degree at most g, f(x) Kx is a monic polynomial of degree 2g+1. Elliptic curves are hyperelliptic curves of genus 1.,Group law in an elliptic curve,y2=x3-x over R,?,-R,P+Q=,Example: Hyperelliptic curve,A genus 2 hyperelliptic curve over R: C: y2 = x5 -5x3+ 4x = x(x+1)(x-1)(x+2)
29、(x-2) The rational points on C do not form a group.,Divisors,Definition : (divisor, degree) A divisor D is a formal sum of points in C: The degree of D, The set of all divisors, denoted D, forms an additive group under the addition rule: D0(K) is the subgroup of all divisors defined over K and of de
30、gree 0.,D1=2P1+P2-3 D2= P1+P3,deg(D1) =2+1-3=0 deg(D2) =1+1=2,D1+D2 =3P1+P2+P3-3,Principal divisor,Definition : (principal divisors) Let R K(C) be a rational function. The divisor of R is called a principal divisor : In fact, degree of a principal divisor is 0. The set of all principal divisors, den
31、oted P(K), is a subgroup of D0(K).,C: y2 = x5 -5x3+ 4x x-1,Q1=(1, 0) on C div(x-1) = 2Q1-2,Jacobian,Definition: (Jacobian) The quotient group JC(K) = D0/P is called the Jacobian of the curve C. If D1, D2 D0 and D1-D2 P, then D1 and D2 are said to be equivalent divisors; we write D1D2.,Group law in H
32、C,A genus 2 hyperelliptic curve over R: C: y2 = x5 -5x3+ 4x y=a3x3+a2x2+a1x+a0,P1,P2,P4,?,P3,HCDLP,HCDLP: (hyperelliptic curve discrete logarithm problem) Let a divisor D1 in JC(Fq) with known order N, and D2 in To find an integer s.t. D2 = D1 is hard.,9 ID-based Cryptosystem,Private Key Generator (
33、PKG),Bob,Alice,Authentication (IDBob),KRIDBob,(params, IDBob),KRIDBob,IDBob is arbitrary and meaningful ex: B or 0912345678,Setup generate params and master key,Extract generate KRIDBob by IDBob and master key,Encrypt,Verify,or,Decrypt,Sign,or,Certificate-based Cryptosystem,Certificate Authority (CA
34、),Bob,Alice,Authentication (KUBob),Certificate(Bob, KUBob),Certificate(Bob, KUBob),Encrypt,KUBob,Decrypt,KRBob,KUBob is random,Verify,Sign,or,or,ID-based Encryption Scheme,Proposed by Boneh and Franklin (Crypto 2001) First complete and efficient scheme Bilinear Pairing G1: additive group generated b
35、y P, ord(P)=q G2: multiplicative group with same order q Assume that DLP in G1 and G2 are hard Let e: G1xG1 G2 satisfies: 1. Bilinear: e(P1+P2,Q)=e(P1,Q)e(P2,Q) e(P,Q1+Q2)=e(P,Q1)e(P,Q2) 2. Non-degenerate: P,Q G1, s.t e(P,Q)1 3. Computability Bilinear Diffie-Hellman (BDH) Assumption Given P, aP, bP,
36、 cP G1 , compute e(P, P)abc is HARD!,ID-based Encryption Scheme,ID-based Encryption Setup: (1) Choose P E/Fp of order q (2) Pick a random s Zq* and set Ppub= sP (3) Two hash functions: H1: 0,1* G*1 (MapToPoint) H2: G2 0,1n for some n Extract: Given a ID 0,1*, build private key SID as follows: QID =
37、H1(ID) Set dID=sQID , where s is the master key,System: k-bit prime p p=2 mod 3, p=6q-1 E: y2=x3+1 over Fp,Params: Master-key: s,Encrypt: Use MapToPoint to map ID to QID choose a random r Zq* C = Decrypt: Let C= , if U is not a point of order q then reject M = V H2(e(dID, U),e(dID, U)= e(sQID, rP)=
38、e(QID, P)sr= e(QID, sP)r= e(QID, Ppub)r,dID=sQID,Ppub=sP,ID-based Encryption Scheme,(Def) Weil pairing where is called the m-torsion group, Um is the group of the mth roots of unity Given P, QE m, DP, DQDiv 0 such that DP (P) (O) and DQ (Q) (O). Also, fP , fQ such that div (fP) = m DP and div (fQ) =
39、 m DQ. Suppose supp (DP) supp (DQ) = Then,Weil Pairing,End-to-end security for SMS (short message service),RSA Mechanism,ID-based Mechanism,End-to-end security for SMS,10 Pairing-based Cryptography,1. Implementation of Pairings Bilinear paring e: G1 x G2 GT G1, G2 : prime-order subgroups of an ellip
40、tic curve E over GF(qk) GT : prime-order subgroup of GF(qk)* k is the embedding degree of E (w.r.t. r=#E(GF(q) k is the smallest positive integer s.t. r | qk - 1,Various pairings: Weil pairing Tate pairing Eta pairing Ate pairing Generalized Ate pairing,2. Use of parings in cryptography Attack on EC
41、DLP (MOV attack) One-round 3-way key exchange (Joux) IDE (Boneh-Franklin) Short digital signature (Boneh-Lynn-Shacham) Other applications: Group signatures, Bach signatures, aggregate signatures, threshold cryptography, authenticated encryption, broadcast encryption, etc.,3. Constructing pairing-friendly curves Want k large enough so that DLP in GF(qk)* is computational infeasible, but small enough so that pairing is easy to compute. Cock-Pinch strategy MNT strategy Dupon-Enge-Morain strategy * Brezing-Weng strategy Scott-Barreto strategy,