Project in Computer Security

Efficient generation of
cryptographically strong elliptic curves
Shahar Papini
Michael Krel
Instructor: Barukh Ziv

The project objective is to provide an efficient algorithm for creating cryptographically strong elliptic curves for various cryptographic purposes (basically anything that uses a group structure and relies on the difficulty of the discrete logarithm).
Public-key cryptography is based on the intractability of certain mathematical problems. Early schemes such as Diffie-Hellman rely on the difficulty of the Discrete Logarithm Problem for a finite field F[p].
Although no polynomial-time algorithms are known for this problem, a few sub-exponential algorithms exist. That's where elliptic curves come into the picture.


Elliptic curves introduce a group structure for which no sub-exponential algorithms are known for the Discrete Logarithm Problem. Moreover, the basic action on this group is much more complex than in the F[p] case.
For comparison between encryption using F[p] (e.g. RSA) and using EC: to achieve the same level of security we will need a 256-bit key size for EC, where RSA will need 3072-bit public keys.
An elliptic curve is the locus of points over the field (usually F[p]) which satisfy the equation:
$y^2 = x^3 + Ax + B$
These points form a group under the following group action (for distinct x values):
$$(x_1, y_1) + (x_2, y_2) = \left( \left( \frac{y_2 - y_1}{x_2 - x_1} \right)^2 - x_1 - x_2 ,\ \frac{y_2 - y_1}{x_2 - x_1} (x_1 - x_3) - y_1 \right)$$
where $x_3$ is the first coordinate of the result.
The intuition behind this definition is the
following:
The strength of an elliptic curve is determined by its order.
An elliptic curve is called strong if its order is n∙p, where p is a large prime and n is a small number (usually less than 10).
Finding the order of an elliptic curve is a difficult problem.
The goal of our project is to be able to generate such elliptic curves in an efficient manner.
There are two main approaches to the problem of generating strong elliptic curves:
Point counting: The idea behind this approach is to randomly generate curves over the desired field and compute the order of each one using point counting algorithms (usually slow).
Complex multiplication: Here, we try to determine in advance the desired order of the curve and, using this, generate a curve accordingly. Unlike the former method, we will not be able to generate every possible curve, only curves from some constrained subset.



We chose the Complex Multiplication approach. We had a few reasons:
Point counting algorithms are slower than the CM algorithms, and since we want the fastest way to create elliptic curves we must choose the faster method.
We saw that we have more room for exploring the CM algorithm.


Generation of strong elliptic curves of 200-300 bits in a few seconds.
Encryption and decryption of data of around 3 kilobytes in less than 5 seconds.

There are three ways to represent points on the elliptic curve.
1. The standard method is to save the coordinates as they are, (X,Y), which satisfy the elliptic curve equation $y^2 = x^3 + Ax + B$.
2. The Jacobian projective coordinates, which save three numbers for each point (X,Y,Z), where the standard coordinates are (X/Z²,Y/Z³).
3. The compressed method, which saves only the sign and the X value. From the equation we can calculate Y². There are two corresponding Y values that differ by sign alone, so we keep the sign as well.


We used the Jacobian method for all the computations on points of the curve. In this method the calculations are more efficient than in the other methods.
For the ciphertext (represented by group points) we used compressed coordinates in order to reduce the file size.



General idea: given a prime p and a negative discriminant D, we seek a solution of the Diophantine equation $4p = u^2 - Dv^2$.
If a solution exists, then we can construct two elliptic curves, of orders $p + 1 \pm u$.
If one of the orders is cryptographically strong, we construct an elliptic curve with that order using a root modulo p of the Hilbert class polynomial corresponding to D.
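The search for a usable prime, discriminant and order can be sketched as follows. This is an added Python example, not the project's code: it assumes p ≡ 3 (mod 4) so that the square root of D is a single exponentiation, takes a "proper" D to be any D ≡ 0 or 1 (mod 4) with 7 ≤ |D| < 2000, uses the orders p + 1 ± u, and stops before the class-polynomial step; all function names are hypothetical.

```python
import random
from math import isqrt

def is_prime(n, rng=random.Random(1)):        # Miller-Rabin, 24 random bases
    if n < 2 or any(n % q == 0 for q in (2, 3, 5, 7, 11, 13)):
        return n in (2, 3, 5, 7, 11, 13)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(24):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def solve_4p(p, D):
    """Modified Cornacchia: (u, v) with 4p = u^2 - D*v^2, or None (p % 4 == 3)."""
    if pow(D % p, (p - 1) // 2, p) != 1:
        return None                          # D is not a square mod p
    x = pow(D % p, (p + 1) // 4, p)          # square root of D mod p
    if x % 2 != D % 2:
        x = p - x                            # now x^2 = D (mod 4p)
    a, b = 2 * p, x
    while b > isqrt(4 * p):                  # Euclid down to b <= 2*sqrt(p)
        a, b = b, a % b
    v2, rem = divmod(4 * p - b * b, -D)
    return (b, isqrt(v2)) if rem == 0 and isqrt(v2) ** 2 == v2 else None

def strong_order(N, max_divisor=10):
    """(n, q) with N = n*q, n <= max_divisor and q prime, or None."""
    return next(((n, N // n) for n in range(1, max_divisor + 1)
                 if N % n == 0 and is_prime(N // n)), None)

def find_strong_order(bits, max_divisor=10, seed=2024):
    rng = random.Random(seed)                # fixed seed: repeatable demo only
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 3   # full size, p % 4 == 3
        if not is_prime(p):
            continue
        for D in range(-7, -2000, -1):
            uv = solve_4p(p, D) if D % 4 in (0, 1) else None
            for N in ((p + 1 - uv[0], p + 1 + uv[0]) if uv else ()):
                if (hit := strong_order(N, max_divisor)):
                    return p, D, uv, N, hit
```

`find_strong_order(200)` returns the prime, the discriminant, the pair (u, v), the chosen order N and its factorisation (n, q); a real generator would draw p from a cryptographic random source rather than a seeded one.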
Calculating Hilbert class polynomials takes a great amount of time, since the coefficients are very big numbers (magnitude of P).
To avoid that problem we constructed Weber class polynomials, found a root modulo P and converted it to a root modulo P of the corresponding Hilbert class polynomial.
Using the Weber polynomials we avoid the coefficient problem, since the Weber coefficients are much smaller.


We use the ElGamal algorithm.
To generate a key, first find a point P on an elliptic curve. Then generate a random integer s. (P, s) is the private key. (P, sP) is the public key. To send a message M, one picks a random integer k and transmits (M+k(sP), kP). To decrypt, we calculate (M+k(sP))-s(kP).
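The group law, the compressed point format and the exchange described above can be traced end to end on a toy curve. This is an added Python example, not the project's C++ code: the curve y² = x³ + 2x + 3 over F_103, the base point G = (3, 6) and all function names are constructed for illustration, and the addition routine also covers doubling and inverse points, which the formula for distinct x values leaves out.

```python
import random

# Constructed toy curve y^2 = x^3 + A*x + B over F_p (p % 4 == 3); far too small for real use.
p, A, B = 103, 2, 3
G = (3, 6)      # base point: 6^2 = 36 = 3^3 + 2*3 + 3
O = None        # point at infinity (group identity)

def add(P, Q):
    """Affine group law, extended with doubling and inverse points."""
    if P is O or Q is O:
        return Q if P is O else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                           # P + (-P)
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p    # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def mul(k, P):
    """Double-and-add scalar multiplication k*P."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def compress(P):
    return O if P is O else (P[0], P[1] & 1)     # x plus the parity ("sign") of y

def decompress(C):
    if C is O:
        return O
    x, bit = C
    y = pow(x**3 + A * x + B, (p + 1) // 4, p)   # square root, valid as p % 4 == 3
    return (x, y if y & 1 == bit else p - y)

def encrypt(M, pub, rng=random):
    k = rng.randrange(1, p)                      # toy range; real code needs a CSPRNG
    return compress(add(M, mul(k, pub))), compress(mul(k, G))   # (M + k(sP), kP)

def decrypt(c, s):
    c1, c2 = map(decompress, c)
    skP = mul(s, c2)
    return add(c1, O if skP is O else (skP[0], -skP[1] % p))    # (M + k(sP)) - s(kP)
```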
1. Pick a random prime p.
2. Pick a proper discriminant D less than 2000. (Out of proper D values: pick a new prime p.)
3. Solve 4p=u^2-Dv^2. (No solution: pick another D.)
4. Check if either p-1+u or p-1-u is a strong order. (No: pick another D.)
5. Calculate Weber polynomial of order D, modulo p.
6. Find a root and transform into a Hilbert polynomial root.
7. Find corresponding curve parameters.
8. Find a point on the curve with a large order.
[Figure: EC generation time. Vertical axis: seconds; horizontal axis: max divisor; series: 200b, 300b, 400b.]
[Figure: Encryption time. Vertical axis: seconds; horizontal axis: message size in bytes; series: 200b, 300b, 400b.]
[Figure: Decryption time. Vertical axis: seconds; horizontal axis: message size in bytes; series: 200b, 300b, 400b.]


The project is designed to work on Windows and is written in C++.
We used two external C++ libraries:
NTL, which handles big integers and integers modulo P. We used this library since we needed to handle 200-300 bit numbers.
ARPREC, which handles big floats with arbitrary precision. This library handles complex numbers, which we use to construct Weber class polynomials.







