
ELLIPTIC CURVE DIGITAL SIGNATURES: AN ALTERNATIVE TO THE STANDARD RSA DIGITAL SIGNATURE IN THE FUTURE


MSc. V Duy Hin
Faculty of Management Information Systems, Banking Academy
Abstract: In today's information-explosion society, the adoption of information technology is regarded as an important factor driving economic development. It helps businesses and organizations become more competitive and lets transactions be carried out easily without geographic limits. Digital signatures are an indispensable technology in the modern internet environment, bringing businesses and organizations many benefits such as savings in cost, time, and so on. Since the 2000s, many countries and organizations have published laws on digital signatures, and the digital signature standard in wide use since then is built on the RSA public-key encryption infrastructure. Organizations and individuals can use this signature easily, but there is a trade-off between two parameters: the time needed to create a signature and the security of the signature. In this paper, the author introduces a new digital signature that balances these two parameters better than the RSA signature standard.

I. Problem statement
As noted, the RSA digital signature is built on the RSA public-key cryptosystem. The security of this cryptosystem depends on the difficulty of factoring a number n into its prime factors, n = p*q [1]. In other words, to use RSA encryption and RSA digital signatures securely, the user must choose two primes p and q large enough that the factoring problem above is hard enough not to be broken in polynomial time. However, with the rapid growth in computing power, in 2005 the largest number that could be factored into primes was 663 bits long, using a distributed method; in 2010, scientists at the University of Michigan announced that they had found a way to break the RSA system and recover a 1024-bit key in just a few days. Researchers therefore recommend that users choose keys of at least 2048 bits. In addition, the RSA public-key cryptosystem itself runs considerably slower than DES, AES and other symmetric encryption algorithms. There is thus an urgent need for a new digital signature that runs faster than the RSA digital signature while still guaranteeing the security of the user's signature.

The digital signature based on elliptic curve cryptography (ECDSA) was first introduced in 1991 through the independent research of Neal Koblitz and Victor Miller. Since the 2000s, the United States, Russia, Japan, South Korea and several European countries have invested in research on this topic and brought it into standards systems such as ISO, ANSI, IEEE, SECG and FIPS. One of the countries that uses ECDSA the most is the Russian Federation. In 2001, Russia issued the digital signature standard GOST R34-10-2001, which uses elliptic curve cryptography with a 256-bit key length. The latest Russian version for digital signatures is GOST R34-10 of 2012, with key lengths ranging from 256 bits to 512 bits. In the next section, the author presents digital signatures on elliptic curves in detail.

II. Elliptic curves and digital signatures on elliptic curves

2.1. The concept of an elliptic curve
2.1.1. Definition of an elliptic curve by the Weierstrass equation

An elliptic curve E over a field K is the set of points $(x, y) \in K \times K$ satisfying the equation:

$y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$ ($a_i \in K$ and $4a_4^3 + 27a_6^2 \neq 0$)

together with a point O called the point at infinity [2].
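2.1.2. Elliptic curves over the field of real numbers $\mathbb{R}$

2.1.2.1. Definition

An elliptic curve E over the field of real numbers $\mathbb{R}$ is the set of points $(x, y) \in \mathbb{R}^2$ satisfying the equation:

$y^2 = x^3 + ax + b$ ($a, b \in \mathbb{R}$ and $4a^3 + 27b^2 \neq 0$)

together with a point O called the point at infinity.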
2.1.2.2. Addition
- Geometrically, to determine the point $R = P + Q$ ($P \neq O$, $Q \neq O$, $P \neq Q$), we join P and Q by a line L. The line L intersects the curve E at three points: P, Q and $-R(x, y)$. The point $R(x, -y)$ has as its ordinate the negative of y.

Figure 1 - Addition on an elliptic curve


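- Algebraically, to determine the point $R(x_R, y_R) = P(x_P, y_P) + Q(x_Q, y_Q)$ with $P \neq O$, $Q \neq O$, $P \neq Q$, we compute $x_R$ and $y_R$ as follows [2]:

$\lambda = \dfrac{y_Q - y_P}{x_Q - x_P}$

$x_R = \lambda^2 - x_P - x_Q$

$y_R = -y_P + \lambda(x_P - x_R)$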

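Example: consider the elliptic curve $y^2 = x^3 - x$ over the real numbers, with $P(-1, 0) \in E$ and $Q(0, 0) \in E$. Using the formulas above we get:

$\lambda = 0$; $x_R = 1$ and $y_R = 0$. Hence $P + Q = R(1, 0) \in E$.
- The point at infinity O is the point that, added to any point, gives that same point. That is: $\forall P \in E$, $P + O = O + P = P$.

- The point symmetric to $P(x_P, y_P) \in E$ is $-P(x_P, -y_P) \in E$, and $P + (-P) = O$.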

Example: consider the elliptic curve $y^2 = x^3 - x$ over the real numbers. For $P(2, \sqrt{6}) \in E$, the point symmetric to P is $-P(2, -\sqrt{6}) \in E$.

2.1.2.3. Point doubling

- Geometrically, to determine the point $R = 2P = P + P$, we draw the tangent line L to the elliptic curve at the point P. The point $-R$ is the remaining intersection of L with E, and $R = 2P = P + P$.

Figure 2 - Point doubling on an elliptic curve

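- Algebraically, to determine the point $R(x_R, y_R) = 2P(x_P, y_P)$ with $y_P \neq 0$, we compute $x_R$ and $y_R$ as follows [2]:

$x_R = \left(\dfrac{3x_P^2 + a}{2y_P}\right)^2 - 2x_P$

$y_R = \left(\dfrac{3x_P^2 + a}{2y_P}\right)(x_P - x_R) - y_P$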

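Example: consider the elliptic curve $y^2 = x^3 - x$ over the real numbers. For $P(2, \sqrt{6}) \in E$, $2P = R \in E$ with $x_R = \dfrac{25}{24}$ and $y_R = -\dfrac{35}{48\sqrt{6}}$.

- More generally, the multiplication kP is carried out by repeating the addition k times.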
2.1.3. Elliptic curves over the field $Z_p$ with p prime
2.1.3.1. Definition
Let p be a prime (p > 3). An elliptic curve E over the field $Z_p$ is the set of points $(x, y) \in Z_p \times Z_p$ satisfying the equation:

$y^2 \bmod p = (x^3 + ax + b) \bmod p$ ($a, b \in Z_p$ and $4a^3 + 27b^2 \bmod p \neq 0$)

together with a point O called the point at infinity [18].
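2.1.3.2. Addition
- To determine the point $R(x_R, y_R) = P(x_P, y_P) + Q(x_Q, y_Q)$, we compute $x_R$ and $y_R$ as follows [2]:

$\lambda = \dfrac{y_Q - y_P}{x_Q - x_P} \bmod p$

$x_R = (\lambda^2 - x_P - x_Q) \bmod p$

$y_R = (\lambda(x_P - x_R) - y_P) \bmod p$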


Example: consider the elliptic curve $y^2 \bmod 23 = (x^3 + x + 1) \bmod 23$ over the field $Z_{23}$, with $P(3, 10) \in E$ and $Q(9, 7) \in E$. Using the formulas above we get:

$\lambda = [(7 - 10)/(9 - 3)] \bmod 23 = (-1/2) \bmod 23 = 11$, since $2 \cdot 11 \equiv -1 \pmod{23}$

$x_R = (121 - 12) \bmod 23 = 17$ and $y_R = -164 \bmod 23 = 20$

Hence $P + Q = R(17, 20) \in E$.

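- The point at infinity O is the point that, added to any point, gives that same point. That is: $\forall P \in E$, $P + O = O + P = P$.

- The point symmetric to $P(x_P, y_P) \in E$ is $-P(x_P, y'_P) \in E$, satisfying the conditions: $y'_P \in Z_p$ such that $(y_P + y'_P) \bmod p = 0$; $P + (-P) = O$.
Example: consider the elliptic curve $y^2 \bmod 23 = (x^3 + x + 1) \bmod 23$ over the field $Z_{23}$, with $P(13, 7) \in E$. The point symmetric to P is $-P(13, 16) \in E$, since $16 \in Z_{23}$ and $(16 + 7) \bmod 23 = 0$.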

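2.1.3.3. Point doubling

- To determine the point $R(x_R, y_R) = 2P(x_P, y_P)$ with $y_P \neq 0$, we compute $x_R$ and $y_R$ as follows [2]:

$\lambda = \dfrac{3x_P^2 + a}{2y_P} \bmod p$

$x_R = (\lambda^2 - 2x_P) \bmod p$

$y_R = (\lambda(x_P - x_R) - y_P) \bmod p$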


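Example: consider the elliptic curve $y^2 \bmod 23 = (x^3 + x + 1) \bmod 23$ over the field $Z_{23}$, with $P(3, 10) \in E$. Using the formulas above we get:

$\lambda = \left(\dfrac{28}{20}\right) \bmod 23 = \left(\dfrac{5}{20}\right) \bmod 23 = (4^{-1}) \bmod 23 = 6$, since $6 \cdot 4 \equiv 1 \pmod{23}$

$x_R = (36 - 6) \bmod 23 = 7$ and $y_R = -34 \bmod 23 = 12$. Hence $2P = R(7, 12) \in E$.

- More generally, the multiplication kP is obtained by performing the addition k times.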
2.2. Digital signatures on the elliptic curve cryptosystem
2.2.1. Parameter setup
To set up the ECDSA signature scheme, we choose an elliptic curve E over the field $F_q$ with O as the point at infinity, a base point $G \in E$, and n the order of G ($nG = O$).

2.2.2. Key generation

1. Choose a random number $d \in [2, n - 1]$ as the private key.
2. Compute $Q(x_Q, y_Q) = dG$ as the public key.
2.2.3. Signing the plaintext m

1. Choose a random number $k \in [2, n - 1]$.
2. Compute the point $kG = (x_1, y_1)$.
3. Compute $r = x_1 \bmod n$. If r = 0, go back to step 1.
4. Compute $k^{-1}$ (mod n).
5. Compute $s = [k^{-1}(m + dr)] \bmod n$. If s = 0, go back to step 1.
2.2.4. Signature verification

1. Check whether r and s are natural numbers in $[2, n - 1]$.
2. Compute $w = s^{-1}$ (mod n).
3. Compute $u_1 = mw \bmod n$ and $u_2 = rw \bmod n$.
4. Compute $X = u_1G + u_2Q = (x_X, y_X)$.
5. If X = O, reject the signature. Otherwise compute $v = x_X \bmod n$.
6. The signature is accepted only if v = r.
The verification procedure works as above because:
If the signature (r, s) on m is valid, then $s = [k^{-1}(m + dr)] \bmod n$.

$k \equiv s^{-1}(m + dr) \equiv s^{-1}m + s^{-1}rd \equiv wm + wrd \equiv u_1 + u_2d \pmod{n}$.

Therefore $u_1G + u_2Q = (u_1 + u_2d)G = kG$, and so v = r.
2.2.5. Illustrative example
2.2.5.1. Parameter setup
Choose the elliptic curve E: $y^2 = x^3 + x + 1$ over the field $Z_{23}$, the point at infinity O, and the base point G(17, 3).
Compute the order n of G:
We have 2G = (13, 16); 4G = (5, 19); 6G = (17, 20) = -G; 7G = G + (-G) = O.
It follows that n = 7 is the order of G.
2.2.5.2. Key generation
1. Choose the random number d = 6 as the private key.
2. Compute $Q(x_Q, y_Q) = 6G = (17, 20)$ as the public key.
2.2.5.3. Signing the plaintext m
1. Choose a random number $k = 2 \in [2, 6]$.
2. Compute the point 2G = (13, 16).
3. Compute r = 13 mod 7 = 6.
4. Compute $2^{-1} \pmod 7 = 4$, since 2*4 mod 7 = 1.
5. Compute $s = 4(5 + 6 \cdot 6) \bmod 7 = 3 \neq 0$.
6. The signature on the message m is (6, 3).
2.2.5.4. Signature verification
1. r = 6 and s = 3 lie in the range [2, 6].
2. Compute $w = 3^{-1} \pmod 7 = 5$, since 3*5 mod 7 = 1.
3. Compute $u_1 = 5 \cdot 5 \bmod 7 = 4$ and $u_2 = 6 \cdot 5 \bmod 7 = 2$.
4. Compute X = 4G + 2Q = (5, 19) + 2(17, 20) = (5, 19) + (13, 7) = (13, 16).
5. Since $X \neq O$, compute v = 13 mod 7 = 6.
6. v = r, so the signature is valid!
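The point arithmetic of section 2.1.3 and the signing and verification steps of sections 2.2.3 and 2.2.4, run on the toy parameters of section 2.2.5, as an added example that is not part of the original paper. The function names (add, mul, order, sign, verify) are assumptions of this sketch, m = 5 is read off step 5 of 2.2.5.3, and the message is used directly as on the page rather than a hash; it needs Python 3.8+ for pow(x, -1, n).

```python
# Toy parameters from 2.2.5 (E: y^2 = x^3 + x + 1 over Z_23); n = 7 is far too small to be secure.
P_MOD, A = 23, 1
O = None                                   # point at infinity
G = (17, 3)                                # base point from 2.2.5.1

def add(p, q):
    """P + Q over Z_p, covering O, P + (-P) and doubling (2.1.3.2, 2.1.3.3)."""
    if p is O or q is O:
        return q if p is O else p
    (xp, yp), (xq, yq) = p, q
    if xp == xq and (yp + yq) % P_MOD == 0:
        return O                           # P + (-P) = O, also covers y_P = 0
    if p == q:
        lam = (3 * xp * xp + A) * pow(2 * yp, -1, P_MOD)   # tangent slope
    else:
        lam = (yq - yp) * pow(xq - xp, -1, P_MOD)          # chord slope
    xr = (lam * lam - xp - xq) % P_MOD
    return (xr, (lam * (xp - xr) - yp) % P_MOD)

def mul(k, pt):
    """kP by double-and-add rather than k repeated additions."""
    acc = O
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def order(pt):
    """Smallest n with nP = O, found by repeated addition (toy sizes only)."""
    n, acc = 1, pt
    while acc is not O:
        acc, n = add(acc, pt), n + 1
    return n

def sign(m, d, k, n):
    """Steps of 2.2.3 for k in [2, n-1]; None means 'pick a new k'."""
    r = mul(k, G)[0] % n
    s = pow(k, -1, n) * (m + d * r) % n
    return (r, s) if r and s else None

def verify(m, sig, q, n):
    """Steps of 2.2.4, with the page's [2, n-1] range check on r and s."""
    r, s = sig
    if not (2 <= r <= n - 1 and 2 <= s <= n - 1):
        return False
    w = pow(s, -1, n)
    x = add(mul(m * w % n, G), mul(r * w % n, q))
    return x is not O and x[0] % n == r
```

Changing the message while keeping the signature (6, 3) makes verify return False, which the hand calculation on the page does not show.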
III. Issues with digital signatures on elliptic curves
The security of the ECDSA signature scheme is equivalent to the complexity of the discrete logarithm problem on an elliptic curve: given two points Q and G on the elliptic curve E, find the natural number d such that Q = dG.
To date, the ECDSA signature scheme has been shown to be fairly secure and efficient. There are many algorithms for solving the elliptic curve discrete logarithm problem. Analysis has shown that, at the same security level, a cryptosystem based on the elliptic curve discrete logarithm problem has a much shorter key length than one based on the problem of factoring an integer into prime factors (such as RSA). For example, where an RSA cryptosystem has a key length of 3248 bits, an elliptic curve cryptosystem needs a key length of only 256 bits for equivalent security.
The best algorithm for solving the elliptic curve discrete logarithm problem up to 2006 was Pollard's Rho algorithm [3], in its version designed for parallel computation. In 2006, Jung Hee Cheon presented an attack far more efficient than Pollard's algorithm, using the strong Diffie-Hellman assumption [3]. This attack applies to cryptographic schemes that produce an oracle able to return a power of its secret key for an arbitrary input (for example, digital signature schemes used in secure electronic transactions). It was not until 2009 that this attack was considered for inclusion in the ISO and FIPS standards. Other standards such as ANSI or SECG have no update covering the attack. Even within the ISO and FIPS standards, the conditions set for resisting this attack differ in fundamental ways. In 2012, using the Diffie-Hellman assumption, Masaya Yasuda and colleagues [4] presented evidence of breaking pairing-based elliptic curve cryptography with a key length of 160 bits (according to public results a 131-bit key length has still not been solved; 160 bits is the security level that most standards worldwide specify).
Therefore, to apply and deploy digital signatures on elliptic curves, we must regularly keep up with the latest analyses and assessments of security standards and of attacks on the cryptosystem, so as to have a solid theoretical and mathematical basis for setting separate security criteria for the parameters.

References

[1] T. N. Tin, Data Security (in Vietnamese), Vietnam National University, Hanoi Publishing House, 2009.

[2] W. Stallings, Cryptography and Network Security, 5th Edition, Prentice Hall, Pearson Education, Inc., 2011.

[3] J. M. Pollard, "A Monte Carlo method for factorization," BIT Numerical Mathematics 15 (3), 1975, pp. 331-334.

[4] J. H. Cheon, "Security Analysis of the Strong Diffie-Hellman Problem," in Annual International Conference on the Theory and Applications of Cryptographic Techniques, 2006.

[5] Yumi Sakemi, Goichiro Hanaoka, Tetsuya Izu, Masahiko Takenaka, Masaya Yasuda, "Solving a discrete logarithm problem with auxiliary input on a 160-bit elliptic curve," in International Workshop on Public Key Cryptography, 2012.
