Efficient generation of cryptographically strong elliptic curves Shahar Papini Michael Krel Instructor : Barukh Ziv 1 The project objective is to provide an efficient algorithm for creation of cryptographically strong elliptic curve for various cryptographical purposes. (Basically anything that uses a group structure and relies on the difficulty of discrete logarithm) 2 Public-key cryptography is based on the intractability of certain mathematical problems. Early schemes such as Diffie-Hellman rely on the difficulty of the Discrete Logarithm Problem for a finite field F[p]. Although no known polynomial time algorithms are known for this problem, a few subexponential algorithms exist. That’s where Elliptic curves come into the picture. 3 Elliptic curve introduce a group structure, where no known sub-exponential algorithms are known for the Discrete Logarithm Problem. Moreover, the basic action on this group is much more complex then in the F[p] case. For comparison between encryption using F[p] (e.g. RSA), and using EC, to achieve the same level of security we will need 256-bit key size for EC, where RSA will need 3072-bit public keys. 4 An elliptic curve is the locus of points over the field (usually F[p]) which hold the equation : y x Ax B 2 3 These points form a group under the following group action (for distinct x values): y y 2 y2 y1 2 1 x1 x2 , ( x1 x3 ) y1 ( x1 , y1 ) ( x2 , y2 ) x2 x1 x2 x1 5 The intuition behind this definition is the following: 6 The strength of an elliptic curve is determined by its order. Elliptic curve will be called strong if its order is n∙p where p is a large prime and n is a small number (usually less than 10). Finding the order of an elliptic curve is difficult problem. The goal of our project is to be able to generate such elliptic curves in an efficient manner. 7 There are two main approaches to the problem of generating strong elliptic curves: Point counting: The idea behind this approach is to randomly generate curves of the desired field, and count its order using Point Counting algorithms(usually slow). Complex multiplication: Here, we try to anticipate from advanced the desired order of the curve, and using this, generate a curve accordingly. Unlike the former method, we will not be able to generate every possible curve, only curves from some constrained subset. 8 We chose the Complex Multiplication approach. We had a few reasons: Point counting algorithms are slower than the CM algorithms and since we want the fastest way to create elliptic curve we must choose the faster method. We saw that we have more room for exploring the CM algorithm. 9 Generation of strong elliptic curves of 200-300 bit in a few seconds. Encryption and decryption of data around 3 kilobytes in less than 5 seconds. 10 There are three ways to represent points on the elliptic curve. 1. 2. 3. The standard method is to save the coordinates as they are (X,Y) that they hold the elliptic curve equation: y 2 x3 Ax B The Jacobian projective coordinates that save three numbers for each point (X,Y,Z) where the standard coordinates are (X/Z²,Y/Z³). The compressed method which saves only sign and X value. From the equation we can calculate Y². There are two corresponding Y values, that differ by sign alone. So, we keep the sign as well. 11 We used the jacobian method for all the computations for points on the curve. In this method the calculations are more efficient than in the other methods. In the encryption the cipher text (represented by group points) we used compressed coordinates in order to reduce the file size. 12 General idea: with a given prime P and a negative Discriminant D we seek a solution for the diophantic equation : 4 p u 2 Dv 2 If a solution exists, then we can construct two elliptic curves of orders p 1 u If one of the orders is cryptographically strong we construct an elliptic curve with such order using a root modulo p of the Hilbert class polynomial corresponding to D. 13 Calculating Hilbert class polynomials takes a great amount of time since the coefficients are very big numbers (magnitude of P). To avoid that problem we constructed Weber class polynomials, found a root modulo P and converted it to a root modulo P of the corresponding Hilbert class polynomial. Using the Weber polynomials we avoid the coefficients problem since the Weber coefficients are much smaller. 14 We use the El-Gamal algorithm. To generate a key, first find a point P on an elliptic curve. Then generate a random integer s. (P, s) is the private key. (P, sP) is the public key. To send a message M, one finds a random integer k, and transmits (M+k(sP), kP). To decrypt, we calculate (M+k(sP))–s(kP). 15 Calculate Weber polynomial of order D, modulo p Pick a random prime p Out of proper D values Find a root and transform into Pick a proper descriminant D a Hilbert polynomial root less than 2000 No solution Find corresponding curve parameters Solve 4p=u^2-Dv^2 Find a point on the curve Check if either p-1+u or p-1-u with a large order is a strong order No 16 17 EC generation time 9 8 7.5 7.8 7 6 Seconds 5 200b 4 3.5 3 3.7 300b 3.7 3.3 400b 2.9 2.6 2.7 2.1 2 1.6 1.4 1 0.6 0.6 0.9 0.4 0 0 2 4 0.9 0.5 0.8 0.3 0.8 0.4 6 0.2 8 1.1 0.3 0.8 0.3 10 12 Max Divisor 18 Encryption time 7 6 5 4 Seconds 200b 3 300b 400b 2 1 0 0 500 1000 1500 2000 2500 3000 3500 4000 4500 Message size in bytes 19 Decryption time 3.5 3 2.5 2 Seconds 200b 1.5 300b 400b 1 0.5 0 0 500 1000 1500 2000 2500 3000 3500 4000 4500 Message size in bytes 20 The project is designed to work on Windows and we written in C++. We used two external libraries for cpp: NTL which handles big integers and integers modulo P. We used this library since we needed to handle with 200-300 bit numbers. ARPREC which handles big floats with arbitrary precision. This library handles with complex numbers which we use to construct Weber class polynomials. 21 Guide To Elliptic Curve Cryptography – Hankerson Prime numbers a computational perspective - Crandall Elliptic Curves Number Theory and Cryptography Lawrence C. Washington On the Use of Weber Polynomials in Elliptic Curve Cryptography – Konstantinou, Stamatiou , Zaroliagis Elliptic curves and primality proving – Atkin, Morain A Course in Computational Algebraic Number Theory - Henri Cohen On the Efficient Generation of Elliptic Curves over Prime Fields - Konstantinou, Stamatiou , Zaroliagis IEEE P1363 / D13 22 23