
# THE TECHNOLOGY STREAM

**Elliptic Curve Cryptography**

Burt Kaliski, Chief Scientist and Director, RSA Laboratories

**Outline**

I. Elliptic curves
II. Elliptic curve cryptosystems
III. Advantages and disadvantages
IV. Standardization efforts


**Notation**

• GF(q) or Fq: finite field with q elements
  – typically, q = p where p is prime, or q = 2^m


• E(Fq): elliptic curve over Fq
• (x, y): point on E(Fq)
• O: point at infinity

**Acronyms**

• EC = Elliptic Curve
  – as in EC Digital Signature Algorithm
• ECC = Elliptic Curve Cryptography

**Part I: Elliptic Curves**

**Elliptic Curves**

• An elliptic curve is the set of solutions (x, y) to an equation of the form y^2 = x^3 + ax + b where 4a^3 + 27b^2 ≠ 0, together with a point at infinity denoted O
• Originally developed to measure circumference of an ellipse

**An Example Curve**

• Over the reals, the solutions form a curve with one or two components
• Example: y^2 = x^3 - x

**Elliptic Curve Arithmetic**

• A group law may be defined where the sum of two points is the reflection across the x-axis of the third point on the same line
• “Chords and tangents”

**Group Law Axioms**

• Closure
• Identity: P + O = O + P = P
• Inverse: (x, y) + (x, -y) = O
• Associativity
• Commutativity

**Addition Formulae**

• Let P1 = (x1, y1) and P2 = (x2, y2) be noninverses
• Then P1 + P2 = (x3, y3) where
  – x3 = λ^2 - x1 - x2
  – y3 = λ(x1 - x3) - y1
  – λ is the slope of the line: λ = (3x1^2 + a)/(2y1) if x1 = x2, λ = (y2 - y1)/(x2 - x1) otherwise

**Elliptic Curves over Finite Fields**

• An elliptic curve may be defined over any finite field GF(q)
• For GF(2^m), the curve has a different form: y^2 + xy = x^3 + ax^2 + b where b ≠ 0
• Addition formulae are similar to those over the reals

**Group Properties**

• Let #E(Fq) denote the number of points on an elliptic curve E(Fq), including O
• Hasse bound: #E(Fq) = q + 1 - t, where |t| ≤ 2 sqrt(q)
• The group of points is either cyclic or a product of two cyclic groups

**Scalar Multiplication**

• Scalar multiplication is repeated group addition: cP = P + ··· + P (c times) where c is an integer
• For all P ∈ E(Fq), nP = O where n = #E(Fq)

**Elliptic Curve Research Areas**

• EC over finite fields has been an increasing focus of research
  1. Cryptographic properties
  2. Efficient curve generation
  3. Efficient elliptic curve arithmetic, scalar multiplication
     – including finite field arithmetic

**Some Interesting Applications**

• Factoring (Lenstra 1985)
  – running time of Elliptic Curve Method (ECM) depends on size of prime factors of a number, ideal for “smooth” numbers
• Primality proving (Goldwasser-Kilian 1986)
  – under number-theory assumptions, method for proving primality in random polynomial time
• Fermat’s Last Theorem

**Analogy with Multiplicative Groups**

| Elliptic Curve Group | Multiplicative Group |
| --- | --- |
| point addition | multiplication |
| scalar multiplication | exponentiation |
| elliptic curve discrete logarithm | discrete logarithm |

**Part II: Elliptic Curve Cryptosystems**

**Elliptic Curve Cryptosystems**

• EC discrete logarithm problem
• Domain parameters
• Key pairs
• Cryptographic schemes

**EC Discrete Logarithm Problem**

• Problem: Given two points W, G, find s such that W = sG
  – first suggested by Miller 1985, Koblitz 1987
• With appropriate cryptographic restrictions, this is believed to take exponential time
  – O(sqrt(r)) time, where r is the order of W

**EC Discrete Logarithm Problem (cont’d)**

• By comparison, factoring and ordinary discrete logarithms can be solved in subexponential time
• ECC thus offers much shorter key sizes than other public-key cryptosystems

**Typical Cryptographic Restrictions**

• #E(Fq) = kr for large prime r
  – k is cofactor
• GCD(k, r) = 1
• “Anomalous” condition: r ≠ q
• MOV condition: r does not divide q^i - 1 for small i

**Domain Parameters**

• Common values shared by a group of users from which key pairs may be generated
• User or trusted party may generate domain parameters
• Anyone may validate domain parameters

**EC Domain Parameters**

• Finite field Fq
• Elliptic curve E(Fq) with cryptographic restrictions
• Prime divisor r of #E(Fq)
• Cofactor k
• Base point G ∈ E(Fq) of order r

**Generating EC Domain Parameters**

1. Select a prime power q
2. Select an elliptic curve E over Fq with cryptographic restrictions
   – order #E(Fq) = kr
3. Generate a point G of order r
4. Output Fq, E(Fq), r, k, G

**Selecting an Elliptic Curve**

• Random method
• Complex multiplication method
• Subfield method
• Methods provide tradeoff between speed, “structure” in curves
  – less structure = more conservative in assumptions about security

**Random Method**

1. Generate a random curve
2. Count the number of points #E(Fq)
3. If restrictions not met, goto 1

• No structure, but step 2 may be slow
• (Schoof 1985, etc.)

**Complex Multiplication Method**

1. Generate a curve order n with a small CM discriminant D
2. Given D, find a curve with n points
3. If restrictions not met, goto 1

• Fast, some structure, but complex
• (Atkin-Morain 1991, Lay-Zimmer 1994)

**Subfield Method**

• For q = 2^m with m composite
  1. Generate a curve over a subfield
  2. Count the number of points
  3. Apply formula to compute #E(Fq)
  4. If restrictions not met, goto 1
• Fast, but significant structure
• (Koblitz)

**Generating a Point of Order r**

1. Generate a point H ∈ E(Fq)
2. Compute G = kH
3. If G = O, goto 1
4. Output G

**Validating EC Domain Parameters**

1. Check that q is a prime power
2. Check that E is an elliptic curve over Fq with cryptographic restrictions
   – order #E(Fq) = kr, where r is prime
3. Check that G is a point on E(Fq) of order r
4. Output valid if all checks pass, invalid otherwise

**Key Pairs**

• Pairs of public, private values with which users may perform cryptographic operations
• User or trusted third party may generate key pair
• Anyone may validate public key

**EC Key Pairs**

• Public key W ∈ E(Fq)
• Private key s ∈ [1, r-1]
  – where W = sG

**Generating an EC Key Pair**

1. Randomly generate s ∈ [1, n-1]
2. Compute W = sG
3. Output (W, s)

**Validating an EC Public Key**

• Assume valid domain parameters
  1. Check that W is a point on E(Fq) of order r
  2. Output valid if so, invalid otherwise

**Cryptographic Schemes**

• Following general model from IEEE P1363, a scheme is a set of related operations providing the building blocks for a protocol
• Examples:
  – key agreement
  – signature with appendix
  – encryption

**Scheme Operations**

• Depending on the scheme, related operations may include:
  – domain parameter generation, validation
  – key pair generation, public-key validation
  – one or more scheme-specific operations

**Key Agreement Scheme**

• Key agreement operation derives a shared secret key from a private key, another’s public key, and key derivation parameters
• Multiple secret keys can be obtained by varying parameters


**Elliptic Curve Diffie-Hellman**

• Key agreement scheme based on Diffie-Hellman protocol
• In IEEE P1363, ECKAS-DH1 with ECSDVP-DH primitive
• Underlying function:
  – KDF: key derivation function


**ECDH Key Agreement**

• Input: private key s, other’s public key W*, key derivation parameters P
• Output: shared secret key K
  1. Compute Z = sW*
  2. Compute K = KDF(Z, P)
  3. Output K


**Key Agreement Modes**

• Each key pair may be ephemeral, authenticated, or a combination, depending on security goals
• Examples of protocol modes:
  – anonymous
  – static-static
  – signed ephemeral-ephemeral
  – ephemeral-static

**Signature Scheme**

• Signature generation operation computes a signature on a message with a private key
• Signature verification operation verifies a signature with a public key

**Elliptic Curve Digital Signature Algorithm**

• Signature scheme based on NIST FIPS 186-1 DSA
• In IEEE P1363, ECSSA with ECSP/VP-DSA primitives
• Underlying function
  – Hash: collision-resistant hash function

**ECDSA Signature Generation**

• Input: private key s, message M
• Output: signature (c, d)
  1. Compute f = Hash(M)
  2. Generate a one-time key pair (u, V)
  3. Compute c = int(xV) mod r
  4. Compute d = u^-1 (f + sc) mod r
  5. If c = 0 or d = 0, goto 2
  6. Output (c, d)

**ECDSA Signature Verification**

• Input: signer’s public key W, message M, signature (c, d)
• Output: valid or invalid
  1. Compute f = Hash(M)
  2. Check that 1 ≤ c, d ≤ r-1
  3. Compute h = d^-1 mod r
  4. Compute P = fhG + chW
  (cont’d)

**ECDSA Signature Verification (cont’d)**

  5. Check that P ≠ O
  6. Check that c = int(xP) mod r
  7. If all checks pass, output valid, otherwise output invalid

**Encryption Scheme**

• Encryption operation computes a ciphertext from a message with a public key
• Decryption operation recovers a message from a ciphertext with a private key
• Augmented encryption scheme also binds control information to message

**Elliptic Curve Augmented Encryption Scheme**

• Augmented encryption scheme based on DHAES (Bellare-Rogaway 1998)
• In ANSI X9.63 draft
• Underlying functions:
  – KDF: key derivation function
  – Encrypt: symmetric encryption
  – MAC: message authentication code

**ECAES Encryption**

• Input: recipient’s public key W, message M, control information P
• Output: ciphertext (V, C, T)
  1. Generate a one-time key pair (u, V)
  2. Compute Z = uW
  3. Compute (K1, K2) = KDF(Z)
  (cont’d)

**ECAES Encryption (cont’d)**

  4. Compute C = Encrypt(K1, M)
  5. Compute T = MAC(K2, C || P)
  6. Output (V, C, T)

Note: Steps 1–3 are like ECDH ephemeral-static

**ECAES Decryption**

• Input: private key s, ciphertext (V, C, T), control information P
• Output: message M or invalid
  1. Compute Z = sV
  2. Compute (K1, K2) = KDF(Z)
  (cont’d)

**ECAES Decryption (cont’d)**

  3. Check that T = MAC(K2, C || P)
  4. Compute M = Decrypt(K1, C)
  5. If the check passes, output M, otherwise output invalid

**Some Observations**

• In these schemes, only one or two steps are EC operations, some are modular arithmetic, the rest are Hash, KDF, Encrypt, MAC
  – the additional operations help provide provable security
• Schemes are readily adapted to multiplicative groups

**Part III: Advantages and Disadvantages**

**Advantages and Disadvantages**

• Three families
• Key size comparison
• Advantages
• Disadvantages

**Three Families**

• Today, three families of public-key techniques are prominent
• Following P1363, named according to the hard problem:
  – DL: (ordinary) discrete logarithms
  – EC: elliptic curve discrete logarithms
  – IF: integer factorization
• Each has its own advantages

**Key Size Comparison**

• Key size is length in bits of:
  – DL: field order q
    • also consider group order r
  – EC: group order r
  – IF: modulus n
• Key sizes can be compared based on running time for solving hard problem with current methods
  – other factors to consider

**Comparable Key Sizes (Based on Running Time)**

| EC | DL, IF | Symmetric |
| --- | --- | --- |
| 112 | 512 | 56 |
| 160 | 1024 | 80 |
| 224 | 2048 | 112 |

**Advantages**

• Alternative hard problem
• Speed
• Data size
• New types of schemes
• Many options

**Alternative Hard Problem**

• EC Discrete Logarithm Problem is very different from DL, IF hard problems
  – does not appear feasible to apply DL, IF approaches to solve it
• Thus, it is an effective alternative against advances in methods for other problems

**Speed**

• EC operations are generally faster than DL, IF counterparts at comparable key sizes
  – GF(2^m) arithmetic affords further speedups
• Key pair generation is much faster than for IF

**Data Size**

• EC data are shorter than DL, IF counterparts
• Intermediate values are shorter
• Keys are shorter
  – benefit depends on certificate content
• Signatures with appendix are same size as for DL, shorter than IF

**New Types of Schemes**

• EC family, like DL, has great flexibility due to the availability of common domain parameters
• Multiple schemes can be combined efficiently, e.g.:
  – signature + encryption
  – signature / key agreement + certification
  – (Zheng 1997, Arazi 1998, Vanstone)

**Many Options**

• EC family affords many choices:
  – field type, size, representation
  – curve formula
  – group order
  – base point
  – cryptographic scheme
• Appropriate choices can meet varying security and implementation objectives

**Disadvantages**

• Alternative hard problem
• Curve generation
• Many options

**Alternative Hard Problem**

• ECDLP has not been studied as long as DL, IF hard problems, and even a modest improvement in methods could have great impact
• However, the focus on this area has grown considerably over the past few years, with increased confidence

**Curve Generation**

• EC curve generation is complex, not readily implemented
• However, implementers can rely on third parties for curves, which can be validated
  – e.g., NIST curves

**Many Options**

• ECC affords many options, so interoperability is challenging:
  – no conversion between GF(2^m), GF(p)
  – hardware optimizations may be specific to one set of domain parameters
• However, much of this will be settled by standards and industry practice

**Part IV: Standardization Efforts**

**Standardization Efforts**

• Elliptic curves are parts of standards being developed by several groups:
  – ANSI X9F1
  – IEEE P1363
  – ISO JTC1 SC27
  – SECG
  – U.S. NIST
• Generally, all three families are being developed together

**ANSI X9F1**

• Cryptographic techniques for U.S. financial services industry
• ANSI X9.62 specifies ECDSA
• ANSI X9.63 (draft) specifies ECDH, ECAES and more
• Technical Guideline on elliptic curve mathematics
• www.x9.org

**IEEE P1363**

• Public-key cryptography specifications, transnational
• Specifies ECDH, ECDSA and much more (including other families)
  – framework for ANSI X9F1 work
• ECAES proposed for addendum
• grouper.ieee.org/groups/1363

**ISO SC27**

• IT security techniques, international
• ISO/IEC DIS 14888-3 includes ECDSA
  – aligned with ANSI X9.62
• ISO/IEC CD 15946 covers elliptic curve techniques including digital signatures, key establishment
• www.iso.ch/meme/JTC1SC27.html

**SECG**

• Standards for Efficient Cryptography Group
• Industry implementers agreements, intended to profile other standards
• www.secg.org

**U.S. NIST**

• Information processing for U.S. government
• FIPS 186 (Digital Signature Standard) to add support for ANSI X9.62
• Eventual ANSI X9.63 support likely
• Reference elliptic curves published
• csrc.nist.gov/fips

**Summary**

• ECC offers an attractive alternative to other public-key cryptosystems
  – new hard problem
  – smaller key size
• Many standards are emerging
• Number theory continues to be useful