
**Elliptic Curve Cryptography**

Burt Kaliski, Chief Scientist and Director, RSA Laboratories

**Outline**

I. Elliptic curves
II. Elliptic curve cryptosystems
III. Advantages and disadvantages
IV. Standardization efforts

THE TECHNOLOGY STREAM

**Notation**

• GF(q) or Fq: finite field with q elements
– typically, q = p where p is prime, or q = 2^m
• E(Fq): elliptic curve over Fq
• (x, y): point on E(Fq)
• O: point at infinity

**Acronyms**

• EC = Elliptic Curve
– as in EC Digital Signature Algorithm
• ECC = Elliptic Curve Cryptography

**Part I: Elliptic Curves**

**Elliptic Curves**

• An elliptic curve is the set of solutions (x, y) to an equation of the form y^2 = x^3 + ax + b where 4a^3 + 27b^2 ≠ 0, together with a point at infinity denoted O
• Originally developed to measure the circumference of an ellipse

**An Example Curve**

• Over the reals, the solutions form a curve with one or two components
• Example: y^2 = x^3 - x

**Elliptic Curve Arithmetic**

• A group law may be defined where the sum of two points is the reflection across the x-axis of the third point on the same line
• “Chords and tangents”

**Group Law Axioms**

• Closure
• Identity: P + O = O + P = P
• Inverse: (x, y) + (x, -y) = O
• Associativity
• Commutativity

**Addition Formulae**

• Let P1 = (x1, y1) and P2 = (x2, y2) be noninverses
• Then P1 + P2 = (x3, y3) where
– x3 = λ^2 - x1 - x2
– y3 = λ(x1 - x3) - y1
– and λ is the slope of the line:
– λ = (3x1^2 + a) / 2y1 if x1 = x2
– λ = (y2 - y1) / (x2 - x1) otherwise

**Elliptic Curves over Finite Fields**

• An elliptic curve may be defined over any finite field GF(q)
• For GF(2^m), the curve has a different form: y^2 + xy = x^3 + ax^2 + b where b ≠ 0
• Addition formulae are similar to those over the reals

**Group Properties**

• Let #E(Fq) denote the number of points on an elliptic curve E(Fq), including O
• Hasse bound: #E(Fq) = q + 1 - t, where |t| ≤ 2 sqrt(q)
• The group of points is either cyclic or a product of two cyclic groups

**Scalar Multiplication**

• Scalar multiplication is repeated group addition: cP = P + ··· + P (c times) where c is an integer
• For all P ∈ E(Fq), nP = O where n = #E(Fq)

**Elliptic Curve Research Areas**

• EC over finite fields has been an increasing focus of research
1. Efficient elliptic curve arithmetic, scalar multiplication
– including finite field arithmetic
2. Efficient curve generation
3. Cryptographic properties

**Some Interesting Applications**

• Factoring (Lenstra 1985)
– running time of Elliptic Curve Method (ECM) depends on size of prime factors of a number, ideal for “smooth” numbers
• Primality proving (Goldwasser-Kilian 1986)
– under number-theory assumptions, method for proving primality in random polynomial time
• Fermat’s Last Theorem

**Analogy with Multiplicative Groups**

| Elliptic Curve Group | Multiplicative Group |
| --- | --- |
| point addition | multiplication |
| scalar multiplication | exponentiation |
| elliptic curve discrete logarithm | discrete logarithm |

**Part II: Elliptic Curve Cryptosystems**

**Elliptic Curve Cryptosystems**

• EC discrete logarithm problem
• Domain parameters
• Key pairs
• Cryptographic schemes

**EC Discrete Logarithm Problem**

• Problem: Given two points W, G, find s such that W = sG
– first suggested by Miller 1985, Koblitz 1987
• With appropriate cryptographic restrictions, this is believed to take exponential time
– O(sqrt(r)) time, where r is the order of W

**EC Discrete Logarithm Problem (cont’d)**

• By comparison, factoring and ordinary discrete logarithms can be solved in subexponential time
• ECC thus offers much shorter key sizes than other public-key cryptosystems

**Typical Cryptographic Restrictions**

• #E(Fq) = kr for large prime r
– k is cofactor
• GCD(k, r) = 1
• “Anomalous” condition: r ≠ q
• MOV condition: r does not divide q^i - 1 for small i

**Domain Parameters**

• Common values shared by a group of users from which key pairs may be generated
• User or trusted party may generate domain parameters
• Anyone may validate domain parameters

**EC Domain Parameters**

• Finite field Fq
• Elliptic curve E(Fq) with cryptographic restrictions
• Prime divisor r of #E(Fq)
• Cofactor k
• Base point G ∈ E(Fq) of order r

**Generating EC Domain Parameters**

1. Select a prime power q
2. Select an elliptic curve E over Fq with cryptographic restrictions
– order #E(Fq) = kr
3. Generate a point G of order r
4. Output Fq, E(Fq), r, k, G

**Selecting an Elliptic Curve**

• Random method
• Complex multiplication method
• Subfield method
• Methods provide tradeoff between speed, “structure” in curves
– less structure = more conservative in assumptions about security

**Random Method**

1. Generate a random curve
2. Count the number of points #E(Fq)
3. If restrictions not met, goto 1
• No structure, but step 2 may be slow
• (Schoof 1985, etc.)

**Complex Multiplication Method**

1. Generate a curve order n with a small CM discriminant D
2. If restrictions not met, goto 1
3. Given D, find a curve with n points
• Fast, some structure, but complex
• (Atkin-Morain 1991, Lay-Zimmer 1994)

**Subfield Method**

• For q = 2^m with m composite
1. Generate a curve over a subfield
2. Count the number of points
3. Apply formula to compute #E(Fq)
4. If restrictions not met, goto 1
• Fast, but significant structure
• (Koblitz)

**Generating a Point of Order r**

1. Generate a point H ∈ E(Fq)
2. Compute G = kH
3. If G = O, goto 1
4. Output G

**Validating EC Domain Parameters**

1. Check that q is a prime power
2. Check that E is an elliptic curve over Fq with cryptographic restrictions
– order #E(Fq) = kr, where r is prime
3. Check that G is a point on E(Fq) of order r
4. Output valid if all checks pass, invalid otherwise
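An added Python example, not part of the presentation, that runs the validation steps above for a prime field GF(q) with the “Typical Cryptographic Restrictions” spelled out, using the Hasse bound as a cheap sanity check on the claimed order before the slow point count of the Random Method. The toy curve, the function names and the `max_embedding` bound for the MOV condition are this example’s own choices; the check that G has order r needs scalar multiplication and is omitted here.

```python
import math

def is_prime(n):
    """Trial division, adequate for the toy sizes used here."""
    return n >= 2 and all(n % d for d in range(2, math.isqrt(n) + 1))

def count_points(q, a, b):
    """#E(F_q) for y^2 = x^3 + ax + b over a prime field, by brute force
    (the slow step 2 of the Random Method): each x contributes one point per
    square root of x^3 + ax + b, plus the point at infinity O."""
    roots = [0] * q                  # roots[v] = number of y with y^2 = v
    for y in range(q):
        roots[y * y % q] += 1
    return 1 + sum(roots[(x ** 3 + a * x + b) % q] for x in range(q))

def on_curve(q, a, b, P):
    x, y = P
    return (y * y - x ** 3 - a * x - b) % q == 0

def validate_domain_parameters(q, a, b, r, k, G, max_embedding=20):
    """Validation steps 1-3 for a prime field, with the slide's cryptographic
    restrictions spelled out. Returns (valid, reason). The check that G has
    order r needs scalar multiplication and is omitted here; when #E(F_q) is
    prime, as for the toy curve below, every affine point has order r."""
    if not is_prime(q):
        return False, "q is not prime"
    if (4 * a ** 3 + 27 * b ** 2) % q == 0:
        return False, "singular curve: 4a^3 + 27b^2 = 0"
    n = k * r                                   # claimed #E(F_q)
    if (n - (q + 1)) ** 2 > 4 * q:             # Hasse: |t| <= 2 sqrt(q)
        return False, "claimed order violates the Hasse bound"
    if n != count_points(q, a, b):
        return False, "#E(F_q) != k*r"
    if not is_prime(r):
        return False, "r is not prime"
    if math.gcd(k, r) != 1:
        return False, "gcd(k, r) != 1"
    if r == q:
        return False, "anomalous curve: r = q"
    if any(pow(q, i, r) == 1 for i in range(1, max_embedding + 1)):
        return False, "MOV condition fails: r divides q^i - 1 for small i"
    if not on_curve(q, a, b, G):
        return False, "G is not on the curve"
    return True, "valid"

# Constructed toy parameters: y^2 = x^3 + 2x + 2 over GF(17), #E = 19 = r,
# k = 1, G = (5, 1). Its embedding degree is 9, so a bound of 20 flags MOV.
TOY = dict(q=17, a=2, b=2, r=19, k=1, G=(5, 1))
```

With the default bound the toy curve is rejected on the MOV condition, which is the behaviour a real validator should have for such a curve; passing `max_embedding=8` accepts it and exercises the remaining checks.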

**Key Pairs**

• Pairs of public, private values with which users may perform cryptographic operations
• User or trusted third party may generate key pair
• Anyone may validate public key

**EC Key Pairs**

• Public key W ∈ E(Fq)
• Private key s ∈ [1, r-1]
– where W = sG

**Generating an EC Key Pair**

1. Randomly generate s ∈ [1, n-1]
2. Compute W = sG
3. Output (W, s)

**Validating an EC Public Key**

• Assume valid domain parameters
1. Check that W is a point on E(Fq) of order r
2. Output valid if so, invalid otherwise

**Cryptographic Schemes**

• Following general model from IEEE P1363, a scheme is a set of related operations providing the building blocks for a protocol
• Examples:
– key agreement
– signature with appendix
– encryption

**Scheme Operations**

• Depending on the scheme, related operations may include:
– domain parameter generation, validation
– key pair generation, public-key validation
– one or more scheme-specific operations

**Key Agreement Scheme**

• Key agreement operation derives a shared secret key from a private key, another’s public key, and key derivation parameters
• Multiple secret keys can be obtained by varying parameters

**Elliptic Curve Diffie-Hellman**

• Key agreement scheme based on Diffie-Hellman protocol
• In IEEE P1363, ECKAS-DH1 with ECSVDP-DH primitive
• Underlying function:
– KDF: key derivation function

**ECDH Key Agreement**

• Input: private key s, other’s public key W*, key derivation parameters P
• Output: shared secret key K
1. Compute Z = sW*
2. Compute K = KDF(Z, P)
3. Output K

**Key Agreement Modes**

• Each key pair may be ephemeral, authenticated, or a combination, depending on security goals
• Examples of protocol modes:
– anonymous
– static-static
– signed ephemeral-ephemeral
– ephemeral-static

**Signature Scheme**

• Signature generation operation computes a signature on a message with a private key
• Signature verification operation verifies a signature with a public key

**Elliptic Curve Digital Signature Algorithm**

• Signature scheme based on NIST FIPS 186-1 DSA
• In IEEE P1363, ECSSA with ECSP/VP-DSA primitives
• Underlying function
– Hash: collision-resistant hash function

**ECDSA Signature Generation**

• Input: private key s, message M
• Output: signature (c, d)
1. Compute f = Hash(M)
2. Generate a one-time key pair (u, V)
3. Compute c = int(xV) mod r
4. Compute d = u^-1 (f + sc) mod r
5. If c = 0 or d = 0, goto 2
6. Output (c, d)

**ECDSA Signature Verification**

• Input: signer’s public key W, message M, signature (c, d)
• Output: valid or invalid
1. Compute f = Hash(M)
2. Check that 1 ≤ c, d ≤ r-1
3. Compute h = d^-1 mod r
4. Compute P = fhG + chW
(cont’d)

**ECDSA Signature Verification (cont’d)**

5. Check that P ≠ O
6. Check that c = int(xP) mod r
7. If all checks pass, output valid, otherwise output invalid
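An added Python example, not code from the presentation, that implements the Part I addition formulae and double-and-add scalar multiplication over a prime field, then the ECDH step Z = sW* and the ECDSA generation and verification steps exactly as listed above. The domain parameters (q = 17, a = b = 2, r = 19, G = (5, 1)) are a constructed toy set, far too small for real use; SHA-256 stands in for Hash, and all function names are this example’s own.

```python
import hashlib
import secrets

# Constructed toy domain parameters, far too small for real use but small
# enough to check by hand: E: y^2 = x^3 + 2x + 2 over GF(17), #E(F_17) = 19
# (prime), so r = 19, cofactor k = 1, and G = (5, 1) has order r.
q, a, b = 17, 2, 2
r, G, O = 19, (5, 1), None       # O is the point at infinity

def ec_add(P1, P2):
    """Chord-and-tangent addition: the slide's formulae computed mod q."""
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % q == 0:   # P2 = -P1, so the sum is O
        return O
    if P1 == P2:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, q)   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q)          # chord slope
    x3 = (lam * lam - x1 - x2) % q
    return (x3, (lam * (x1 - x3) - y1) % q)

def ec_mul(c, P):
    """Scalar multiplication cP by double-and-add (not constant time)."""
    R = O
    while c > 0:
        if c & 1:
            R = ec_add(R, P)
        P, c = ec_add(P, P), c >> 1
    return R

def keygen():
    """Private key s in [1, r-1], public key W = sG."""
    s = secrets.randbelow(r - 1) + 1
    return s, ec_mul(s, G)

def ecdh_shared(s, W_other):
    """ECDH step 1, Z = sW*; applying KDF(Z, P) is left to the caller."""
    return ec_mul(s, W_other)

def hash_to_int(M):
    """f = Hash(M) reduced mod r; SHA-256 stands in for the slide's Hash."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % r

def ecdsa_sign(s, M):
    f = hash_to_int(M)
    while True:
        u = secrets.randbelow(r - 1) + 1      # one-time key pair (u, V)
        V = ec_mul(u, G)
        c = V[0] % r                          # c = int(x_V) mod r
        d = pow(u, -1, r) * (f + s * c) % r   # d = u^-1 (f + sc) mod r
        if c != 0 and d != 0:                 # otherwise go back to step 2
            return (c, d)

def ecdsa_verify(W, M, sig):
    c, d = sig
    if not (1 <= c <= r - 1 and 1 <= d <= r - 1):
        return False
    f, h = hash_to_int(M), pow(d, -1, r)
    P = ec_add(ec_mul(f * h % r, G), ec_mul(c * h % r, W))   # P = fhG + chW
    return P is not O and c == P[0] % r
```

With a 19-element group a forged signature verifies by chance roughly one time in ten, which is why the tests below only check the range check and the honest path; the point is the structure of the steps, not the security of the toy parameters.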

**Encryption Scheme**

• Encryption operation computes a ciphertext from a message with a public key
• Decryption operation recovers a message from a ciphertext with a private key
• Augmented encryption scheme also binds control information to message

**Elliptic Curve Augmented Encryption Scheme**

• Augmented encryption scheme based on DHAES (Bellare-Rogaway 1998)
• In ANSI X9.63 draft
• Underlying functions:
– KDF: key derivation function
– Encrypt: symmetric encryption
– MAC: message authentication code

**ECAES Encryption**

• Input: recipient’s public key W, message M, control information P
• Output: ciphertext (V, C, T)
1. Generate a one-time key pair (u, V)
2. Compute Z = uW
3. Compute (K1, K2) = KDF(Z)
(cont’d)

**ECAES Encryption (cont’d)**

4. Compute C = Encrypt(K1, M)
5. Compute T = MAC(K2, C || P)
6. Output (V, C, T)

Note: Steps 1–3 are like ECDH ephemeral-static

**ECAES Decryption**

• Input: private key s, ciphertext (V, C, T), control information P
• Output: message M or invalid
1. Compute Z = sV
2. Compute (K1, K2) = KDF(Z)
(cont’d)

**ECAES Decryption (cont’d)**

3. Compute M = Decrypt(K1, C)
4. Check that T = MAC(K2, C || P)
5. If the check passes, output M, otherwise output invalid
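An added Python example, not from the presentation or ANSI X9.63, of the “augmented” part of ECAES (encryption steps 3–5, decryption steps 2–5): the shared point Z is passed in as constructed bytes rather than computed on a curve, and KDF, Encrypt and MAC are stand-ins built from SHA-256 and HMAC (assumptions, not the standard’s choices). Decryption checks the MAC before decrypting, which yields the same valid/invalid result as the slide’s order while never operating on unauthenticated data, and shows that changing the control information P invalidates the ciphertext.

```python
import hashlib
import hmac

# The EC part of ECAES (encryption steps 1-3, decryption steps 1-2) yields the
# shared point Z; here Z is supplied as bytes so the augmented part can be run
# on its own. Stand-ins (assumptions, not the ANSI X9.63 choices):
# KDF = SHA-256 over Z || counter, Encrypt = XOR with a SHA-256 counter
# keystream, MAC = HMAC-SHA256.

def kdf(Z, n=64):
    """(K1, K2) = KDF(Z): derive n bytes and split into an encryption key
    K1 and a MAC key K2."""
    out = b"".join(hashlib.sha256(Z + i.to_bytes(4, "big")).digest()
                   for i in range((n + 31) // 32))
    return out[:n // 2], out[n // 2:n]

def keystream_xor(K1, data):
    """Toy symmetric cipher used for both Encrypt and Decrypt."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(K1 + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def ecaes_encrypt_tail(Z, M, P):
    """Steps 3-5: C = Encrypt(K1, M), T = MAC(K2, C || P); returns (C, T)."""
    K1, K2 = kdf(Z)
    C = keystream_xor(K1, M)
    T = hmac.new(K2, C + P, hashlib.sha256).digest()
    return C, T

def ecaes_decrypt_tail(Z, C, T, P):
    """Steps 2-5: recompute (K1, K2), check T against MAC(K2, C || P) in
    constant time, and decrypt only if the check passes (None = invalid)."""
    K1, K2 = kdf(Z)
    if not hmac.compare_digest(hmac.new(K2, C + P, hashlib.sha256).digest(), T):
        return None
    return keystream_xor(K1, C)
```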

**Some Observations**

• In these schemes, only one or two steps are EC operations, some are modular arithmetic, the rest are Hash, KDF, Encrypt, MAC
– the additional operations help provide provable security
• Schemes are readily adapted to multiplicative groups

**Part III: Advantages and Disadvantages**

**Advantages and Disadvantages**

• Three families
• Key size comparison
• Advantages
• Disadvantages

**Three Families**

• Today, three families of public-key techniques are prominent
• Following P1363, named according to the hard problem:
– DL: (ordinary) discrete logarithms
– EC: elliptic curve discrete logarithms
– IF: integer factorization
• Each has its own advantages

**Key Size Comparison**

• Key size is length in bits of:
– DL: field order q (also consider group order r)
– EC: group order r
– IF: modulus n
• Key sizes can be compared based on running time for solving hard problem with current methods
– other factors to consider

**Comparable Key Sizes (Based on Running Time)**

| EC | DL, IF | Symmetric |
| --- | --- | --- |
| 112 | 512 | 56 |
| 160 | 1024 | 80 |
| 224 | 2048 | 112 |

**Advantages**

• Alternative hard problem
• Speed
• Data size
• New types of schemes
• Many options

**Alternative Hard Problem**

• EC Discrete Logarithm Problem is very different from DL, IF hard problems
– does not appear feasible to apply DL, IF approaches to solve it
• Thus, it is an effective alternative against advances in methods for other problems

**Speed**

• EC operations are generally faster than DL, IF counterparts at comparable key sizes
– GF(2^m) arithmetic affords further speedups
• Key pair generation is much faster than for IF

**Data Size**

• EC data are shorter than DL, IF counterparts
• Intermediate values are shorter
• Keys are shorter
– benefit depends on certificate content
• Signatures with appendix are same size as for DL, shorter than IF

**New Types of Schemes**

• EC family, like DL, has great flexibility due to the availability of common domain parameters
• Multiple schemes can be combined efficiently, e.g.:
– signature + encryption
– signature / key agreement + certification
– (Zheng 1997, Arazi 1998, Vanstone)

**Many Options**

• EC family affords many choices:
– field type, size, representation
– curve formula
– group order
– base point
– cryptographic scheme
• Appropriate choices can meet varying security and implementation objectives

**Disadvantages**

• Alternative hard problem
• Curve generation
• Many options

**Alternative Hard Problem**

• ECDLP has not been studied as long as DL, IF hard problems, and even a modest improvement in methods could have great impact
• However, the focus on this area has grown considerably over the past few years, with increased confidence

**Curve Generation**

• EC curve generation is complex, not readily implemented
• However, implementers can rely on third parties for curves, which can be validated
– e.g., NIST curves

**Many Options**

• ECC affords many options, so interoperability is challenging:
– no conversion between GF(2^m), GF(p)
– hardware optimizations may be specific to one set of domain parameters
• However, much of this will be settled by standards and industry practice

**Part IV: Standardization Efforts**

**Standardization Efforts**

• Elliptic curves are parts of standards being developed by several groups:
– ANSI X9F1
– IEEE P1363
– ISO JTC1 SC27
– SECG
– U.S. NIST
• Generally, all three families are being developed together

**ANSI X9F1**

• Cryptographic techniques for U.S. financial services industry
• ANSI X9.62 specifies ECDSA
• ANSI X9.63 (draft) specifies ECDH, ECAES and more
• Technical Guideline on elliptic curve mathematics
• www.x9.org

**IEEE P1363**

• Public-key cryptography specifications, transnational
• Specifies ECDH, ECDSA and much more (including other families)
– framework for ANSI X9F1 work
• ECAES proposed for addendum
• grouper.ieee.org/groups/1363

**ISO SC27**

• IT security techniques, international
• ISO/IEC DIS 14888-3 includes ECDSA
– aligned with ANSI X9.62
• ISO/IEC CD 15946 covers elliptic curve techniques including digital signatures, key establishment
• www.iso.ch/meme/JTC1SC27.html

**SECG**

• Standards for Efficient Cryptography Group
• Industry implementers agreements, intended to profile other standards
• www.secg.org

**U.S. NIST**

• Information processing for U.S. government
• FIPS 186 (Digital Signature Standard) to add support for ANSI X9.62
• Eventual ANSI X9.63 support likely
• Reference elliptic curves published
• csrc.nist.gov/fips

**Summary**

• ECC offers an attractive alternative to other public-key cryptosystems
– new hard problem
– smaller key size
• Many standards are emerging
• Number theory continues to be useful
