BCT 2314: CRYPTOGRAPHY AND
COMPUTER SECURITY
Course Outline
1.
Traditional and Modern cryptography
and ciphers
2.
Security in computing
Legal, Ethical and Human factors in
computer security
Encryption
Decryption
Public key cryptography
3.
Security in computing environments
Encryption
Protocols
Security programs
4.
Operating systems, networks and
communication
平成33年10月13日
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet
Ratemo
1. Introduction
Course Outline
2. Security in computing
Block Ciphers and Data Encryption
Standards
Block Cipher Standards
The Data Encryption Standards
The DES Strength
3DES
Differential and Linear Cryptanalysis
Block Cipher Design Principles
Advanced Encryption Standard
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
Block Cipher Modes of operation
Electronic Code Block (ECB), Cipher Block Chaining (CBC),
Cipher Feedback (CFB), Output Feedback (OFB), Counter
(CTR)
3. Public Key Cryptography
Elliptic Curve Arithmetic, Elliptic Curve
Cryptography
4. Message Authentication and Hash Functions
Message Authentication Codes ( Covered)
Hash Functions, Security of Hash Functions
Secure Hash Algorithms i.e. SHA
5. System and Network Security
Intruders, Malicious Software
Port Scanning, Spoofs, Spam, DoS, Firewalls
6. Legal, Ethical and Human factors in computer
security
平成33年10月13日
Elliptic Curve Cryptography
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Lecture Outline
Public Key Cryptography
•
•
•
•
Elliptic Curve Arithmetic
Elliptic Curve Cryptography
Elliptic Curves over Real Numbers
Elliptic Curves over 𝐺𝐹 𝑝 = ℤ𝑝
• Elliptic Curve Cryptography Simulating ElGamal
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
ELLIPTIC CURVE CRYPTOSYSTEMS
• Proposed by Neal Koblitz and Victor Miller in 1985
• ECC was standardized by a number of organizations and it
started receiving commercial acceptance in the late 1990`s.
• Mainly used in the resource constrained environments, such
as ad-hoc wireless networks and mobile networks.
• As computational power evolves, the key size of the
conventional
dramatically.
systems
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
is
required
to
be
increased
平成33年10月13日
ELLIPTIC CURVE CRYPTOSYSTEMS
• Elliptic curves have been studied by mathematicians for over a hundred
years and have been deployed in diverse areas
Number theory: proving Fermat`s Last Theorem in 1995
• The equation 𝑥 𝑛 + 𝑦 𝑛 = 𝑛𝑛 has no nonzero integer solutions for 𝑥, 𝑦, 𝑧
when the integer 𝑛 is greater than 2.
Modern physics: String theory
• The notion of a point-like particle is replaced by a curve-like string.
Elliptic Curve Cryptography
• An efficient public key cryptographic system.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
ELLIPTIC CURVE CRYPTOSYSTEMS
• Researchers have looked for alternatives that give the
same level of security with smaller key sizes. One of
these promising alternatives is the elliptic curve
cryptosystem (ECC).
• However, the confidence level in ECC is not yet as high as
that in RSA.
• ECC is fundamentally more difficult to explain than
either RSA or Diffie-Hellman
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
ELLIPTIC CURVE CRYPTOSYSTEMS
• ECC is an approach to public key cryptography based on the algebraic
structure of elliptic curves over finite fields.
• Its security is based on the possibility of efficient additive exponentiation
and absence of efficient (classical) algorithms for additive logarithm.
• Two families commonly used:
• Prime curves 𝐸𝑝 (𝑎, 𝑏) defined over ℤ𝑝
• Use integers modulo a prime
• Best in software
• Binary curves 𝐸2𝑚 (𝑎, 𝑏) defined over 𝐺𝐹(2𝑛 )
• Use polynomials with binary coefficients
• Best in hardware
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Number Theory Review
Abelian Group
An abelian group 𝐺, also denoted as (𝐺,∙), is a set of elements with
a binary operation denoted ∙, that associates to each ordered pair
a ∙ 𝑏 in 𝐺 such that the following axioms are obeyed;
1. Closure: If 𝑎 and 𝑏 belong to 𝐺, then a ∙ 𝑏 is also in 𝐺
2. Associative: 𝑎 ∙ 𝑏 ∙ 𝑐 = 𝑎 ∙ 𝑏 ∙ 𝑐 ∀𝑎, 𝑏, 𝑐 ∈ 𝐺
3. Identity element: There is an element 𝑒 ∈ 𝐺 such that 𝑎 ∙ 𝑒 = 𝑒 ∙
𝑎 ∀𝑎 ∈ 𝐺
4. Inverse element: For each 𝑎 ∈ 𝐺, ∃𝑎′ ∈ 𝐺 such that 𝑎 ∙ 𝑎′ = 𝑎′ ∙
𝑎=e
5. Commutative: 𝑎 ∙ b = b ∙ 𝑎 ∀𝑎, 𝑏 ∈ 𝐺
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Number Theory Review
Abelian Group in ECC
• Given two points 𝑃, 𝑄 ∈ 𝑖𝑛 𝐸(𝔽𝑝 ) there is a third point, denoted by 𝑃 + 𝑄
on 𝐸(𝔽𝑝 ), and the following relations hold for all 𝑃, 𝑄, 𝑅 ∈ 𝑖𝑛 𝐸(𝔽𝑝 )
1.
2.
3.
4.
P + Q = Q + P : Commutativity
(P + Q) + R = P + Q + R : Associativity
P + O = O + P = P : Existence of an identity element
There exists ( − 𝑃) such that − 𝑃 + 𝑃 = 𝑃 + ( − 𝑃) = 𝑂 : Existence of
inverses
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Number Theory Review
• A number of public-key ciphers are based on the use of an abelian group.
Example: Diffie-Hellman key exchange involves multiplying pairs of nonzero
integers
• Keys are generated by exponentiation over the group, with exponentiation
defined as repeated multiplication.
• Example, 𝑎𝑘 𝑚𝑜𝑑 𝑞 = 𝑎 × 𝑎 × ⋯ × 𝑎 𝑚𝑜𝑑 𝑞
k times
• To attack Diffie-Hellman, the attacker must determine 𝑘 given 𝑎 and 𝑎𝑘 ; this
is the discrete logarithm problem.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Number Theory Review
• Elliptic curves are not ellipses. They are so named because they are described by
cubic equations, similar to those used for calculating the circumference of an
ellipse.
• In general, cubic equations for elliptic curves take the following form, known as a
Weierstrass equation: 𝑦 2 + 𝑎𝑥𝑦 = 𝑥 3 + 𝑐𝑥 2 + 𝑑𝑥 + 𝑒 where 𝑎, 𝑏, 𝑐, 𝑑, 𝑒 are real
numbers and take on values in the real numbers.
• It is sufficient to limit ourselves to equations of the form
𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏
• Such equations are said to be cubic, or of degree 3, because the highest exponent
they contain is a 3.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Number Theory Review
• Elliptic curves are not ellipses
• An elliptic curve is defined by an equation in two variables x & y,
with coefficients
• Consider a cubic elliptic curve of form
y2 = x3 + ax + b
where x, y, a, b are all real numbers
also define O (point at infinity)
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Number Theory Review
• Also included in the definition of an elliptic curve is a single
element denoted 𝜊 and called the point at infinity or the zero
point.
• To plot such a curve, we need to compute
𝑦=
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
𝑥 3 + 𝑎𝑥 + 𝑏
平成33年10月13日
Number Theory Review
• Example
Given x, there will
be two solutions for y
Multiple roots of
𝑥3 + 𝑥 + 1 = 0
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curve Picture
• Consider elliptic curve
𝐸: 𝑦2 = 𝑥3 − 𝑥 + 1
y
• If 𝑃1 and 𝑃2 are on 𝐸, we can define
𝑃3 = 𝑃1 + 𝑃2
Addition is all we need
𝑃1
𝑃2
x
𝑃3
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Number Theory Review
• For given values of 𝑎 and 𝑏, the plot consists of positive and
negative values of 𝑦 for each value of 𝑥.
• Thus, each curve is symmetric about 𝑦 = 0.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Number Theory Review
• Now, consider the set of points 𝐸(𝑎, 𝑏) consisting of all of the
points (x, 𝑦) that satisfy equation 𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏 together with
the element 0 .
• Using a different value of the pair (𝑎, 𝑏) results in a different set
𝐸(𝑎, 𝑏) .
• Using this terminology, the two curves below depict the sets
𝐸(−1,0) and 𝐸(1,1) , respectively.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Number Theory Review
Examples of Elliptic Curves
𝑦2 = 𝑥3 − 𝑥
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
𝑦2 = 𝑥3 + 𝑥 + 1
平成33年10月13日
GEOMETRIC DESCRIPTION OF ADDITION
• A group can be defined based on the set 𝐸(𝑎, 𝑏) for specific
values of 𝑎 and 𝑏 in equation 𝑦 2 = 𝑥 3 + 𝑏𝑥 + 𝑏, provided the
following condition is met:
4𝑎3 + 27𝑏 2 ≠ 0
• To define the group, we define an operation, called addition and
denoted by +, for the set 𝐸(𝑎, 𝑏), where 𝑎 and 𝑏 satisfy Equation
4𝑎3 + 27𝑏 2 ≠ 0.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
GEOMETRIC DESCRIPTION OF ADDITION
If three points on an elliptic curve lie on a straight line, their sum is 0.
From this definition, we can define the rules of addition over an elliptic
curve as follows .
1. 0 serves as the additive identity. Thus 0 = −0; for any point on the
elliptic curve, P + 0 = 𝑃 . Henceforth, we assume 𝑃 ≠ 0 and 𝑄 ≠ 0
If P is the point at infinity O, then –P=O and P+Q = Q. [i.e. O
servers as the identity (zero)]
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
GEOMETRIC DESCRIPTION OF ADDITION
In geometric terms, the rules for addition can be stated as follows:
2. The negative of a point 𝑃 is the point with the same 𝑥 coordinate but
the negative of the 𝑦 coordinate; that is, if 𝑃 = (𝑥, 𝑦) , then −𝑃 =
(𝑥, −𝑦).Note that these two points can be joined by a vertical line.
Note that 𝑃 + −𝑃 = 𝑃 − 𝑃 = 0
𝑃 = (𝑥, 𝑦) then −𝑃 = (𝑥, −𝑦).[−𝑃 must lie on elliptic curve]
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
GEOMETRIC DESCRIPTION OF ADDITION
O
P
Q
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
GEOMETRIC DESCRIPTION OF ADDITION
3. To add two points 𝑃 and 𝑄 with different 𝑥 coordinates, draw a
straight line between them and find the third point of
intersection 𝑅 .
• There is a unique 𝑅 point that is the point of intersection
(unless the line is tangent to the curve at either 𝑃 or 𝑄, in
which case we take R = 𝑃 or R = Q , respectively).
• To form a group structure, we need to define addition on these
three points: 𝑃 + 𝑄 = −𝑅. That is, we define 𝑃 + 𝑄 to be the
mirror image (with respect to the 𝑥 axis) of the third point of
intersection. Construction illustrated below.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
GEOMETRIC DESCRIPTION OF ADDITION
R
Q
P
P+Q
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
GEOMETRIC DESCRIPTION OF ADDITION
4. The geometric interpretation of the preceding item also applies
to two points, 𝑃 and −𝑃, with the same 𝑥 coordinate. The points
are joined by a vertical line, which can be viewed as also
intersecting the curve at the infinity point. We therefore have 𝑃 +
−𝑃 = 0 , which is consistent with item (2).
5. To double a point 𝑄 , draw the tangent line and find the other
point of intersection 𝑆. Then 𝑄 + 𝑄 = 2𝑄 = −𝑆
• With the preceding list of rules, it can be shown that the set
𝐸(𝑎, 𝑏) is an abelian group.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
CURVE DOUBLING
Tangent Line to E at P
R
P
2*P
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
ALGEBRAIC DESCRIPTION OF ADDITION
• For two distinct points, 𝑃 = (𝑥𝑃 , 𝑦𝑃 ) and , 𝑄 = (𝑥𝑄 , 𝑦𝑄 ) , that are
not negatives of each other, the slope of the line 𝑙, that joins them
is , Δ = (𝑦𝑄 − 𝑦𝑃 )/(𝑥𝑄 − 𝑥𝑃 ).
• There is exactly one other point where 𝑙 intersects the elliptic
curve, and that is the negative of the sum of 𝑃 and 𝑄 .
• The sum as 𝑃 + 𝑄,
𝑥𝑅 = Δ2 − 𝑥𝑃 − 𝑥𝑄
𝑦𝑅 = Δ(𝑥𝑃 − 𝑥𝑅 ) − 𝑦𝑃
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
ALGEBRAIC DESCRIPTION OF ADDITION
• We also need to be able to add a point to itself: 𝑃 + 𝑃 = 2𝑃 = 𝑅 . When 𝑦𝑃 ≠
0, the expressions are
𝑥𝑅 =
𝑦𝑅 =
3𝑥𝑃2
3𝑥𝑃2
+𝑎
2𝑦𝑃
+𝑎
2𝑦𝑃
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
2
− 2𝑥𝑃
2
− (𝑥𝑃 −𝑥𝑅 ) − 𝑦𝑃
平成33年10月13日
Elliptic Curve Cryptography
• ECC addition is analog of modulo multiply
• ECC repeated addition is analogous to modulo exponentiation
• Need “hard” problem equivalent to discrete log
• 𝑄 = 𝑘𝑃, where 𝑄𝑃 belong to a prime curve
• Is “easy” to compute 𝑄 given 𝑘, 𝑃
• But “hard” to find 𝑘 given 𝑄, 𝑃
• Known as the elliptic curve logarithm problem (ECLP)
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over Real Numbers
• The generalized Weierstrass Equation for an elliptic curve is
𝑦 2 + 𝑏1 𝑥𝑦 + 𝑏2 𝑦 = 𝑥 3 + 𝑎1 𝑥 2 + 𝑎2 𝑥 + 𝑎3
• Elliptic curves over real numbers use a special class of elliptic
curves of the form
𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏
where
4a3 + 27b2 ≠ 0
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over Real Numbers
• Elliptic curves over real numbers use a special class of elliptic
curves of the form
𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏
• The left-hand side has a degree of 2 while the right-hand side has
a degree of 3. This means that a horizontal line can intersects the
curve in three points if all roots are real. However, a vertical line
can intersects the curve at most in two points.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over Real Numbers
Example
• Figure below shows two elliptic curves with equations y2 = x3 − 4x and y2 =
x3 − 1. However, the first has three real roots (x = −2, x = 0, and x = 2), but
the second has only one real root (x = 1) and two imaginary ones.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over Real Numbers
An Abelian (commutative) Group
• All points on an elliptic curve. A tuple 𝑃(𝑥1 , 𝑦1 ) represents a
point on the curve if 𝑥1 and 𝑦1 are coordinates of a point on
the curve that satisfy the equation of the curve.
• For example, the points
𝑃(2, 0), 𝑄(0, 0), 𝑅(−2, 0), 𝑆(10, 30.98) are all points on the
curve
• Each point is represented by two real number
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over Real Numbers
• Set
• We define the set as the points on the curve, where each point
is a pair of real numbers
𝐸 = {(2, 0), (0, 0), (−2, 0), (10, 30.98) (10, −30.98)}
• Operation
• We can define an addition operation on the points of the
curve. Addition operation is different from the integer
addition.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over Real Numbers
Three adding cases in an elliptic curve
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over Real Numbers
Adding in an elliptic curve
𝑦2 − 𝑦1
𝜆=
𝑥2 − 𝑥1
𝑥3 = 𝜆2 − 𝑥1 − 𝑥2
𝑦3 = 𝜆 𝑥1 − 𝑥3 − 𝑦1
(3𝑥12 + 𝑎)
𝜆=
2𝑦1
𝑥3 = 𝜆2 − 𝑥1 − 𝑥2
𝑦3 = 𝜆 𝑥1 − 𝑥3 − 𝑦1
The intercepting point is at infinity; a point O as the point at
infinity or zero point, which is the additive identity of the
group.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝 (𝐺𝐹(𝑝)
Galois Field
• It is a finite field and it consists of a set of integers {0,1,2,3….p-1} where p is
a prime number. Additionally it satisfies the following arithmetic operations
:
1. Addition : if 𝑎, 𝑏 𝐺𝐹(𝑝), then 𝑎 + 𝑏 = 𝑟 where 𝑟 is the remainder of the
division of 𝑎 + 𝑏 by p and 0 ≤ 𝑟 ≤ 𝑝 − 1. This operation is called addition
modulo 𝑝.
2. Multiplication : if 𝑎, 𝑏 𝐺𝐹(𝑝), then 𝑎 . 𝑏 = 𝑠 where 𝑠 is the remainder of
the division of 𝑎 . 𝑏 by p and 0 ≤ 𝑠 ≤ 𝑝 − 1.. This operation is called
multiplication modulo 𝑝.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
• Elliptic curve cryptography makes use of elliptic curves in which the
variables and coefficients are all restricted to elements of a finite field.
• Two families of elliptic curves are used in cryptographic applications:
1. Prime curves over 𝑍𝑝
2. Binary curves over 𝐺𝐹(2𝑚 ).
• For a prime curve over 𝑍𝑝 , we use a cubic equation in which the variables
and coefficients all take on values in the set of integers from 0 through 𝑝 − 1
and in which calculations are performed modulo 𝑝 .
• For a binary curve defined over 𝐺𝐹(2𝑚 ) , the variables and coefficients all
take on values in 𝐺𝐹 2𝑚 and calculations are performed over 𝐺𝐹(2𝑚 ).
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
• Prime curves are best for software applications, because the extended bitfiddling operations needed by binary curves are not required.
• Binary curves are best for hardware applications, where it takes remarkably
few logic gates to create a powerful, fast cryptosystem.
• There is no obvious geometric interpretation of elliptic curve arithmetic
over finite fields. The algebraic interpretation used for elliptic curve
arithmetic over real numbers does readily carry over, and this is the
approach we take.
• For elliptic curves over 𝑍𝑝 , as with real numbers, we limit ourselves to
equations of the form of Equation 𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏 but in this case with
coefficients and variables limited to : 𝑦 2 𝑚𝑜𝑑 𝑝 = 𝑥 3 + 𝑎𝑥 + 𝑏 2 𝑚𝑜𝑑 𝑝
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Example
• For example, equation 𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏 is satisfied for 𝑎 = 1, 𝑏 = 1, 𝑥 =
9, 𝑦 = 7, 𝛼 = 1, 𝑝 = 23
72 𝑚𝑜𝑑 23 = 93 + 9 + 1 2 𝑚𝑜𝑑 23
49 𝑚𝑜𝑑 23 = 739 𝑚𝑜𝑑 23
3=3
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Lets consider the set consisting of all pairs of integers that satisfy
equation 𝑦 2 = 𝑥 3 + 𝑎𝑥 + 𝑏 together with a point at infinity 𝑂.
The coefficients 𝑎 and 𝑏 and the variables 𝑥 and 𝑦 are all elements
of 𝑍𝑝
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Example 1
x
x3 x 6
quad res?
• Example: 𝐸: 𝑦 2 = 𝑥 3 + 𝑥 + 6 over ℤ11
0
6
no
1
8
no
2
5
yes
4,7
3
3
yes
5,6
4
8
no
5
4
yes
6
8
no
7
4
yes
2,9
8
9
yes
3,8
9
7
no
10
4
yes
Find all (𝑥, 𝑦) and O :
• Fix x and determine y
• O is an artificial point
Result =12 (𝑥, 𝑦) pairs plus O ,
and have #𝐸 = 13
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
y
2,9
2,9
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Example 1(Cont.)
• There are 13 points on the group E(Z11) and so any non-identity point (i.e.
not the point at infinity, noted as O) is a generator of E(Z11).
• Choose generator 𝛽 = 2,7
Compute 2𝛽 = 𝑥3 , 𝑦3 and have
3 x1 a 32 1 13
2 31 2 4 8 mod 11
2 y1
2 7
14
2
2
2
x2 2 x1 8 2 2 5 mod 11
y2 ( x1 x2 ) y1 2 5 8 7 2 mod
2
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
11
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Example 1(Cont.)
• There are 13 points on the group E(Z11) and so any non-identity point (i.e.
not the point at infinity, noted as O) is a generator of E(Z11).
𝛽 = 2,7 , 2𝛽 = (5,2)
Compute 3𝛽 = 𝑥3 , 𝑦3 and have
y2 y1 2 7
2 mod 11
x2 x1 5 2
x3 2 x1 x2 2 2 2 5 8 mod 11
y3 ( x1 x3 ) y1 2 8 2 7 3 mod 11
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Example 1(Cont.)
• We can therefore compute
4
7
10
(2,7)
2 (5,2)
3 (8,3)
(10,2)
5 (3,6)
6 (7,9)
(7,2)
8 (3,5)
9 (10,9)
(8,8)
11 (5,9)
12 (2,4)
Note: E.g. Computing 9𝛽 can be achieved by
8𝛽 + 𝛽, 5𝛽 + 4𝛽, 6𝛽 + 3𝛽
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Example 1(Cont.)
Note: E.g. Computing 9𝛽 can be achieved by
8𝛽 + 𝛽, 5𝛽 + 4𝛽, 6𝛽 + 3𝛽
Try it out!
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
STOP
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Encryption and Decryption
Let’s modify ElGamal encryption by using the elliptic curve 𝐸(𝑍11 .
Suppose that 𝛽 = 2,7 and Bob’s private key k = 7 ,so 7𝛽 = 7,2
Encryption operation is
𝑒𝐾 𝑥, 𝑘 = (𝑘 2,7 , 𝑥 + 𝑘 7,2 )
where 𝑥 ∈ 𝐸 and 0 ≤ 𝑘 ≤ 12
𝑦1
𝑦2
Decryption operation is
𝑑𝐾 𝑦1 , 𝑦2 = 𝑦2 − 7𝑦1
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Encryption and Decryption
Suppose that Alice wishes to encrypt the plaintext 𝑥 = (10,9) (which is a point
on 𝐸).
If she chooses the random value 𝑘 = 3 , then
𝑦1 = 3 2,7 = (8,3)
𝑦2 = 10,9 + 3 7,2 = 10,9 + 3,5 = (10,2)
Hence 𝑦 = ( (8,3, 10,2 )
Now, if Bob receives the ciphertext 𝑦, he decrypts it as follows:
𝑥 = 10,2 − 7(8,3 = 10,2 − 3,5 𝑝
= 10,2 + 3,6 −𝑝
= (10,9)
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Example 2
• For example, let 𝑝 = 23 and consider the elliptic curve 𝑦 2 = 𝑥 3 + 𝑥 + 1 . In
this case a = 𝑏 = 1
• For the set E23 (1,1) , we are only interested in the nonnegative integers in
the quadrant from (0,0) through (p − 1, p − 1) that satisfy the equation
mod p
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Example: Pairs (x, 𝑦) that satisfy the equation 𝑦 2 = 𝑥 3 + 𝑥 + 1
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Example
Elliptic Curves Over 𝑍𝑝
• Plot of the points of E23 (1,1) ;
note that the points, with one
exception, are symmetric about
𝑦 = 11.5.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
• A finite abelian group can be defined based on the set Ep (a, b) provided that
(𝑥 3 +𝑎𝑥 + 𝑏) 𝑚𝑜𝑑 𝑝 has no repeated factors.
• This is equivalent to the condition (4𝑎3 +27𝑏2 ) 𝑚𝑜𝑑 𝑝 ≠ 0 𝑚𝑜𝑑 𝑝
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Example
Elliptic Curves Over 𝑍𝑝
• The rules for addition over Ep (a, b) , correspond to the algebraic technique
described for elliptic curves defined over real numbers. For all points
P, Q ∈ Ep (a, b)
1. P + O = P
2. If P = (xP , yP ), then P + xP , −yP = O. The point xP , −yP is the negative
of P, denoted as −P.
Example: In E23 (1,1) for P(13,7), we have −P = 13, −7 . But −7mod 23 = 16
which is also in E23 (1,1) . Therefore −P = 13,16 which is also in E23 (1,1)
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Example
3. If P = (xP , yP ) and Q = (xQ , yQ ) with P ≠ 𝑄, then R = P + 𝑄 = (xR , yR ) is
determined by the following rules
xR = 𝜆2 − 𝑥𝑃 − 𝑥𝑄 𝑚𝑜𝑑 𝑝
yR = 𝜆 𝑥𝑃 − 𝑥𝑅 − 𝑦𝑃 𝑚𝑜𝑑 𝑝
𝑦𝑄 −𝑦𝑃
Where 𝜆
𝑥𝑄 −𝑥𝑃
2
3𝑥𝑃
+𝑎
2𝑦𝑃
𝑚𝑜𝑑 𝑝 𝑖𝑓𝑃 ≠ 𝑄
𝑚𝑜𝑑 𝑝𝑖𝑓𝑃 = 𝑄
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Example
Elliptic Curves Over 𝑍𝑝
4. Multiplication is defined as repeated addition; for example, 4𝑃 = 𝑃 + 𝑃 +
𝑃+𝑃
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Example
Elliptic Curves Over 𝑍𝑝
For example, let 𝑃 = (3,10) and Q = (9,7)and inE23 (1,1) . Then
7 − 10
−3
−1
𝜆=
𝑚𝑜𝑑 23 =
𝑚𝑜𝑑 23 =
𝑚𝑜𝑑 23 = 11
9−3
6
2
𝑥𝑅 = 112 − 3 − 9 𝑚𝑜𝑑 23 = 109 𝑚𝑜𝑑 23 = 17
𝑦𝑅 = 11(3 − 17 = 10)𝑚𝑜𝑑 23 = −164 𝑚𝑜𝑑 23 = 20
So P + Q = (17,20). To find 2P
3 32 + 1
5
1
𝜆=
𝑚𝑜𝑑 23 =
𝑚𝑜𝑑 23 =
𝑚𝑜𝑑 23 = 6
2 × 10
20
4
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Example
Elliptic Curves Over 𝑍𝑝
𝐸: 𝑦 2 = 𝑥 3 − 25𝑥
P ( x1 , y1 ) (0,0), Q ( x2 , y2 ) (5,0), P Q ( x3 , y3 )
Addition
y2 y1
00
0
x2 x1
50
x3 2 x1 x2 0 2 0 5 5
y3 ( x1 x3 ) y1 0 5 0 0 0
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Example
𝐸: 𝑦 2 = 𝑥 3 − 25𝑥
P ( x1 , y1 ) (4,6), 2 P ( x2 , y2 )
Doubling
3 x1 a
2 y1
2
2
3 4 25 23
2 6
12
2
1681
23
x2 2 x1
2 4
144
12
1681 23
62279
y2 ( x1 x2 ) y1 4
6
144 12
1728
2
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over 𝑍𝑝
Finding an Inverse
• The inverse of a point (𝑥, 𝑦) is (𝑥, −𝑦), where −𝑦 is the additive
inverse of 𝑦. For example, if p = 13, the inverse of (4, 2) is (4, 11).
• For multiplicative inverses: use Extended Euclidean Algorithm
Finding Points on the Curve
• Algorithm below shows the pseudocode for finding the points on
the curve Ep(a, b).
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over GF(p)
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over GF(p)
• The equation is y2 = x3 + x + 1 and the calculation is done
modulo 13. 𝑥1 = 𝑥2 and 𝑦1 + 𝑦2 𝑚𝑜𝑑 𝑝 = 0
Points on an elliptic
curve over GF(p)
where p is 13
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over GF(p)
Example
• Add two points R = P + Q, where P = (4, 2) and Q = (10, 6).
1. λ = (6 − 2) × (10 − 4)−1 mod 13 = 4 × 6−1 mod 13 = 5 mod 13.
2. x = (52 − 4 −10) mod 13 = 11 mod 13.
3. y = [5 (4 −11) − 2] mod 13 = 2 mod 13.
4. R = (11, 2), which is a point on the curve.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over GF(p)
Example 2
How about E23(1,1), let P=(3, 10) and Q=(9,7)
P + Q?
2P?
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Elliptic Curves Over GF(p)
Example 2
• How about computing 3895P?
3895 P
P
P
P
3894 additions needed
1111001101 112 P
2(2(2(2(2(2(2(2(2(2(2 P P) P) P))) P) P)) P) P) P
11 doublings and 8 additions needed
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Security for EC
• RSA and ElGamal are secure asymmetric-key cryptosystems
• Security comes with a price, their large keys.
• Algorithms for integer factorization: becoming more and more efficient, the RSA
based methods have had to resort to longer and longer keys.
• ECC: Smaller key sizes involved: Implemented on smartcards without
mathematical co-processors ⟶
1. Doesn’t require too much induction energy.
2. Faster handshaking protocols,
• ECC is also becoming increasingly important for wireless communications
(wireless sensor networks).
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Security for EC : ECDLP
• Basic computation of ECC
• 𝑄 = 𝑘𝑃 = 𝑃 + 𝑃 + ⋯ + 𝑃 (𝑘 𝑡𝑖𝑚𝑒𝑠) where P is a curve point, k is an
integer
• Strength of ECC
• Given curve, the point 𝑃, and 𝑘𝑃
It is hard to recover 𝑘
Elliptic Curve Discrete Logarithm Problem (ECDLP)
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Security for ECC vs RSA/ElGamal
•
Elliptic curve cryptosystems give the most security per bit of any known
public-key scheme.
•
The ECDLP problem appears to be much more difficult than the integer
factorisation problem and the discrete logarithm problem of ℤ𝑝 .
•
The strength of elliptic curve cryptosystems grows much faster with the
key size increases than does the strength of RSA.
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Security for ECC vs RSA/ElGamal
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
Advantages of ECC
ECC is particularly beneficial for application where:
•
Computational power is limited (wireless devices, PC cards)
•
Integrated circuit space is limited (wireless devices, PC cards)
•
High speed is required.
•
Intensive use of signing, verifying or authenticating is required.
•
Signed messages are required to be stored or transmitted (especially for
short messages).
•
Bandwidth is limited (wireless communications and some computer
networks).
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
ICS 2314: CRYPTOGRAPHY and COMPUTER SECURITY by Harriet Ratemo
平成33年10月13日
