Cyclic group cryptography with elliptic curves (web.lapinamk.fi/jouko.teeriaho/brasov.pdf)
Jouko Teeriaho
Rovaniemi University of Applied Sciences
Rovaniemi, Finland
Cyclic group cryptography with Elliptic Curves
Brasov, May 2011
1. Background
◼ Functions of a hybrid cryptosystem
A typical cryptosystem is a hybrid. It utilizes several encryption algorithms:
1. A public key algorithm is used for authentication (standard = RSA)
2. A public key algorithm is used for key exchange (RSA key exchange or Diffie-Hellman)
3. A fast block cipher is used for data transmission (standard = AES)
4. Digital signatures use a public key algorithm (sha1RSA or sometimes DSA)
◼ Problems with RSA and DLP based cryptosystems
The table below is from the Finnish government encryption recommendation from 2008.
It shows how RSA security and DH key exchange require increasingly large key lengths.
This may lead to performance and capacity problems, for example in smart cards.
Elliptic Curve Cryptography can answer this problem.
2. Basic concepts
◼ Groups
A set G together with an operation * defined in G is called a group if
G1 a*b ∈ G for all a, b ∈ G
G2 a*(b*c) = (a*b)*c for all a, b, c ∈ G
G3 There exists e ∈ G with the property a*e = e*a = a for all a ∈ G
(e = "neutral element")
G4 For every a ∈ G there exists a^-1 ∈ G with the property a*a^-1 = a^-1*a = e
(inverse element)
◼ Abelian groups
If a*b = b*a for all a, b ∈ G, G is called an "Abelian group".
2 brasov.nb
◼ Finite groups
Let n = #G = number of elements in G. Then
g^n = e for all g ∈ G
◼ Subgroups
A subset H of a group G which is itself a group (under the same operation) is called a subgroup of G.
◼ Lagrange's theorem
The number of elements of a subgroup H of a finite group G divides the number of elements of G:
#H = #G / d for some integer d
◼ Cyclic groups
A finite group G of n elements is cyclic if there exists an element (or elements) g ∈ G with
{ g, g^2, ..., g^n = e } = G
Element g is called a "generator" of G.
◻ Order of an element
The subgroup generated by element a is denoted by <a>.
Its size is called the order of a, Ord(a).
For generators of G, Ord(g) = #G (size of G).
◼ Multiplicative group Zp*
In classical cyclic group cryptography we usually use the multiplicative group Zp*, where p is prime.
Zp* = { 1, 2, ..., p - 1 } combined with multiplication of integers mod p
◻ Example. Multiplication table of Z13* = {1, 2, ..., 12} (row a, column b gives a*b mod 13)
Table[Mod[a * b, 13], {a, 1, 12}, {b, 1, 12}]
 1  2  3  4  5  6  7  8  9 10 11 12
 2  4  6  8 10 12  1  3  5  7  9 11
 3  6  9 12  2  5  8 11  1  4  7 10
 4  8 12  3  7 11  2  6 10  1  5  9
 5 10  2  7 12  4  9  1  6 11  3  8
 6 12  5 11  4 10  3  9  2  8  1  7
 7  1  8  2  9  3 10  4 11  5 12  6
 8  3 11  6  1  9  4 12  7  2 10  5
 9  5  1 10  6  2 11  7  3 12  8  4
10  7  4  1 11  8  5  2 12  9  6  3
11  9  7  5  3  1 12 10  8  6  4  2
12 11 10  9  8  7  6  5  4  3  2  1
It is easily seen that this is an Abelian group:
G3. Neutral element = 1.
G4. Every element has an inverse element.
Multiplication is commutative.
◻ Example. Z13* is cyclic, which is seen from the following table of powers of elements (row a, column b gives a^b mod 13).
Table[PowerMod[a, b, 13], {a, 1, 12}, {b, 1, 12}]
 1  1  1  1  1  1  1  1  1  1  1  1
 2  4  8  3  6 12 11  9  5 10  7  1
 3  9  1  3  9  1  3  9  1  3  9  1
 4  3 12  9 10  1  4  3 12  9 10  1
 5 12  8  1  5 12  8  1  5 12  8  1
 6 10  8  9  2 12  7  3  5  4 11  1
 7 10  5  9 11 12  6  3  8  4  2  1
 8 12  5  1  8 12  5  1  8 12  5  1
 9  3  1  9  3  1  9  3  1  9  3  1
10  9 12  3  4  1 10  9 12  3  4  1
11  4  5  3  7 12  2  9  8 10  6  1
12  1 12  1 12  1 12  1 12  1 12  1
◻ Observations
#Z13* = 12.
- For all elements a^12 mod 13 = 1
- Elements 2, 6, 7, and 11 are generators.
- Elements 4, 10 generate subgroups of 6 elements
- Elements 5, 8 generate subgroups of 4 elements
- Elements 3 and 9 generate subgroups of 3 elements
- Element 12 generates subgroup of 2 elements
- Element 1 generates a subgroup of 1 element
It can be proved:
For each divisor d of #G, there exist φ(d) elements that generate a subgroup of size d.
φ(n) = Euler's totient function.
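The observations above, checked by computation. This is an added Python example, not code from the lecture: it finds the order of every element of Zp* by repeated multiplication, lists the generators, and counts how many elements have each order so the φ(d) claim can be compared against the totient function.

```python
from math import gcd


def element_order(a, p):
    """Order of a in Zp*: the smallest k >= 1 with a^k == 1 (mod p)."""
    k, x = 1, a % p
    while x != 1:
        x, k = x * a % p, k + 1
    return k


def orders(p):
    """Map every element of Zp* = {1, ..., p-1} to its order (p must be prime)."""
    return {a: element_order(a, p) for a in range(1, p)}


def generators(p):
    """Elements whose order equals #Zp* = p - 1, i.e. the generators of the cyclic group."""
    return [a for a, d in orders(p).items() if d == p - 1]


def count_by_order(p):
    """Number of elements of each order d; the lecture states this is phi(d) for every d | p-1."""
    counts = {}
    for d in orders(p).values():
        counts[d] = counts.get(d, 0) + 1
    return counts


def phi(n):
    """Euler's totient function, counted directly (fine for the small n used here)."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)
```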
◼ Fields
A set F with two group operations + and * is called a field if
* (F, +) and (F \ {0}, *) are Abelian groups: the additive zero element is not in the multiplicative group, and
* the distributive laws hold: a*(b+c) = a*b + a*c and (b+c)*a = b*a + c*a
◻ Fp = {0, 1, ..., p-1} with addition and multiplication modulo p is a finite field.
3. Traditional cyclic group cryptography
◼ Diffie Hellman key exchange
DH is a method which can be used to agree on an AES session key in a secure protocol.
The basis of the system is the cyclic group Zp*, where p is prime, and its generator g.
Here is how DH key exchange goes.
◼ Elgamal encryption
DH key exchange is used for example in AES encrypted video conferences and in PGP software (Pretty Good Privacy).
Minimum modulus size: p of 1024 bits.
◻ Mathematica function RandomPrime
Large primes are obtained by generating odd random numbers and testing their primality with a probabilistic test like Rabin-Miller. These tests are probabilistic, which means that even if an integer passes the test, it is not a prime with 100 % probability. However, we know a lower bound for the probability of its primality.
RandomPrime[{2^1000, 2^1024}]
118138117306825529067095900128963224837509947744454432303142222214635
485245656404688682886111352452128550222545913379191045769917453696810
311417067843900003020171814438449949818574167016523035788854051772840
596367084988922852651243143116899674046911908840844749771516046751381
717908540744532168178349167961747
4. Cyclic groups on Elliptic curves
For a long time mathematicians have known that there exist groups also on curves.
◼ Cyclic groups on Elliptic Curves
In the 1880's Weierstrass explored curves of the form
y^2 + A xy = x^3 + B x^2 + C x + D
They are called elliptic curves.
◻ Elliptic curves used in cryptography
By simple coordinate transformations it is possible to reduce elliptic curves to the following form
y^2 = x^3 + a x + b
◻ Animation of elliptic curves
Manipulate[
 ContourPlot[y^2 == x^3 - 3 x + b, {x, -3, 5}, {y, -5, 5}, Axes -> True], {b, -5, 5}]
[Plot: the curves y^2 = x^3 - 3 x + b with a slider for b from -5 to 5; axes x from -2 to 4, y from -4 to 4]
Curves where the right hand side polynomial has double roots have no group structure (see picture below).
[Plot: a curve whose right hand side polynomial has a double root; axes x from -2 to 4, y from -4 to 4]
◼ Group addition of points of the curve
◼ Existence of a neutral element O and inverse element -P
The neutral element O is a point with y = ∞, which is added to the curve.
5. ECC implementation with Mathematica
◼ Elliptic curves over finite fields Fq
Elliptic curves can be "discretized": the curve consists of all points (x, y), where x and y are integers between 1 ... (q - 1), q prime. All calculations are done mod q.
In the picture we see the points of an elliptic curve over the field F61.
◼ Addition of two points - Mathematica implementation
Arguments: p = prime modulus
a, b are the parameters of the curve y^2 = x^3 + a x + b
P_List = point P in the form {x, y}
Q_List = point Q in the form {x, y}
EllipticSum returns the sum P + Q
EllipticSum[p_, a_, b_, P_List, Q_List] :=
 Module[{λ, x3, y3, R},
  Which[
   P == {O}, R = Q,
   Q == {O}, R = P,
   (* P == -Q, and also 2P when P[[2]] == 0: the result is the neutral element *)
   P[[1]] == Q[[1]] && Mod[P[[2]] + Q[[2]], p] == 0, R = {O},
   (* chord through two different points *)
   P[[1]] != Q[[1]],
   λ = Mod[(Q[[2]] - P[[2]]) * PowerMod[Q[[1]] - P[[1]], -1, p], p];
   x3 = Mod[λ^2 - P[[1]] - Q[[1]], p];
   y3 = Mod[-(λ (x3 - P[[1]]) + P[[2]]), p];
   R = {x3, y3},
   (* tangent at P: point doubling *)
   P == Q,
   λ = Mod[(3 * P[[1]]^2 + a) * PowerMod[2 P[[2]], -1, p], p];
   x3 = Mod[λ^2 - 2 P[[1]], p];
   y3 = Mod[-(λ (x3 - P[[1]]) + P[[2]]), p];
   R = {x3, y3}
  ];
  R
 ]
◻ Example: List all the points on the curve y^2 = x^3 + 2 x + 4
q = 61; pts = {};
For[x = 0, x < q, x++,
 For[y = 0, y < q, y++,
  If[Mod[y^2 - (x^3 + 2 x + 4), q] == 0, pts = Append[pts, {x, y}]]]]
pts = pts ⋃ {O}
pts // StandardForm
{O, {0, 2}, {0, 59}, {2, 4}, {2, 57}, {4, 25}, {4, 36}, {6, 7}, {6, 54}, {7, 19}, {7, 42}, {9, 18}, {9, 43}, {10, 29}, {10, 32},
{11, 25}, {11, 36}, {12, 29}, {12, 32}, {16, 17}, {16, 44}, {18, 4}, {18, 57}, {26, 8}, {26, 53}, {28, 28}, {28, 33},
{30, 23}, {30, 38}, {35, 26}, {35, 35}, {38, 28}, {38, 33}, {39, 29}, {39, 32}, {40, 20}, {40, 41}, {41, 4}, {41, 57},
{42, 0}, {46, 25}, {46, 36}, {53, 5}, {53, 56}, {54, 14}, {54, 47}, {55, 9}, {55, 52}, {56, 28}, {56, 33}, {60, 1}, {60, 60}}
The length of this list gives the total number of points of the curve.
Length[pts]
52
◻ Example: Calculate (2,4) + (18,57)
EllipticSum[61, 2, 4, {2, 4}, {18, 57}]
{26, 8}
◻ Example 2: (2,4) + O, adding the zero element
EllipticSum[61, 2, 4, {2, 4}, {O}]
{2, 4}
◼ Fast multiplication nP - Mathematica implementation
This function copies the fast exponentiation algorithm of PowerMod to EC groups.
(11P = 10P + P = 5*(2P) + P = 4*(2P) + 2P + P = 8P + 2P + P)
(* A is doubled at every even step, B collects the odd-step contributions; valid for n >= 1 *)
Mult[n_, P_, q_, a_, b_] := Module[{x, A, B},
  x = n; A = P; B = {O};
  While[x > 1,
   If[OddQ[x],
    B = EllipticSum[q, a, b, A, B];
    x = x - 1,
    A = EllipticSum[q, a, b, A, A];
    x = x/2
   ]
  ];
  A = EllipticSum[q, a, b, A, B];
  A
 ]
◼ Finding a generator point G - example
The curve is y^2 = x^3 + 2 x + 4.
Points are of the form (x, y), where x and y are elements of Z61. We try to find elements with order 52 (= group size).
◻ Test the order of (26,8)
Table[Mult[i, {26, 8}, 61, 2, 4], {i, 1, 52}] // StandardForm
{{26, 8}, {28, 28}, {46, 36}, {30, 23}, {0, 59}, {55, 9}, {55, 52}, {0, 2}, {30, 38},
{46, 25}, {28, 33}, {26, 53}, {O}, {26, 8}, {28, 28}, {46, 36}, {30, 23}, {0, 59},
{55, 9}, {55, 52}, {0, 2}, {30, 38}, {46, 25}, {28, 33}, {26, 53}, {O}, {26, 8},
{28, 28}, {46, 36}, {30, 23}, {0, 59}, {55, 9}, {55, 52}, {0, 2}, {30, 38},
{46, 25}, {28, 33}, {26, 53}, {O}, {26, 8}, {28, 28}, {46, 36}, {30, 23},
{0, 59}, {55, 9}, {55, 52}, {0, 2}, {30, 38}, {46, 25}, {28, 33}, {26, 53}, {O}}
Subgroup <(26,8)> has only 13 points. Thus (26,8) is not a generator.
◻ (2,4) is a generator as shown below
Table[Mult[i, {2, 4}, 61, 2, 4], {i, 1, 52}] // StandardForm
{{2, 4}, {41, 4}, {18, 57}, {26, 8}, {11, 25}, {6, 7}, {4, 25}, {28, 28}, {12, 29},
{38, 28}, {35, 35}, {46, 36}, {10, 29}, {54, 47}, {9, 43}, {30, 23}, {16, 17},
{56, 33}, {60, 1}, {0, 59}, {7, 42}, {39, 32}, {40, 20}, {55, 9}, {53, 5}, {42, 0},
{53, 56}, {55, 52}, {40, 41}, {39, 29}, {7, 19}, {0, 2}, {60, 60}, {56, 28}, {16, 44},
{30, 38}, {9, 18}, {54, 14}, {10, 32}, {46, 25}, {35, 26}, {38, 33}, {12, 32},
{28, 33}, {4, 36}, {6, 54}, {11, 36}, {26, 53}, {18, 4}, {41, 57}, {2, 57}, {O}}
How to find curves for cryptography?
Requirements are:
1. The number of points on the curve n should be of the form
n = r*s, where r is small (≤ 3) and s is a large prime
2. The field modulus q should be ≥ 190 bits (security margin)
Notice: To be able to determine the order of a point on the curve, one has to know the size n of the cyclic group and its divisors (because the order divides n).
It is difficult to calculate the number of points of a curve. It is the job of mathematicians.
NIST (National Institute of Standards in USA) has standardized a group of curves for ECC for cryptographic uses. The first of them is P-192, which we use in the following examples.
ECC-DH key exchange (example P-192)
◻ Generator and curve are given
P-192 is of the form y^2 = x^3 - 3 x + b over the finite field Fq,
where G, b and q are as below. The size of the cyclic group is n.
G = {602046282375688656758213480587526111916698976636884684818,
174050332293622031404857552280219410364023488927386650641};
b = 2455155546008943817740293915197451784769108058161191238065;
q = 6277101735386680763835789423207666416083908700390324961279;
n = 6277101735386680763835789423176059013767194773182842284081;
◻ Alice chooses private key ka and calculates public key Ya = ka G
ka = 2818646689284967968603885680739626753757717668743685369;
Ya = Mult[ka, G, q, -3, b]
{4166887439959785442359358401626820195302130396853922747090,
342002490943820139356288313636684834682210773457498261724}
◻ Bob chooses private key kb and calculates public Yb = kb G
kb = 2101924874329080718071957364927874958230913619682994500;
Yb = Mult[kb, G, q, -3, b]
{3197479727310441184166659954176065551017813604210849295027,
4546651453263495348932303783137537190292590929227544435757}
◻ Both calculate the same point K = ka*kb*G
K = Mult[kb, Ya, q, -3, b]
Mult[ka, Yb, q, -3, b]
{4569158537909585871329893828249154554821121379238590872510,
5889543201412998599750263908982414398530518138795041140383}
{4569158537909585871329893828249154554821121379238590872510,
5889543201412998599750263908982414398530518138795041140383}
◻ The 128 bit AES key is the first 128 bits of the x-component of K
AESkey = Take[IntegerDigits[K[[1]], 2], 128]
{1, 0, 1, 1, 1, 0, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 1, 1, 1, 1, 0, 1,
1, 0, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 0, 1, 1, 1, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0,
0, 0, 1, 0, 0, 0, 0, 1, 0, 1, 1, 0, 1, 1, 1, 0, 0, 1, 1, 0, 0, 1, 1, 0, 0, 0,
0, 0, 1, 1, 1, 0, 1, 1, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 1, 1, 1, 1, 1, 0, 1, 0,
1, 0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0}
◼ ECC encryption (Menezes-Vanstone)
Encryption
Recipient's (Bob's) private key is kb, and public key Yb = kb*G
Message is coded to a point of Zq^2: m = (m1, m2)
Alice chooses random ka, calculates Ya = ka*G and
K = ka*Yb = (Kx, Ky)
Alice sends Bob (m1*Kx, m2*Ky) (mod q) and Ya
Decryption
Bob calculates K = kb*Ya = (Kx, Ky) and decrypts
(m1*Kx*Kx^-1, m2*Ky*Ky^-1) = (m1, m2)
◼ Example:
◻ Coding message to a point
(* the message is the words "Transilvania", "Romania" *)
m01 = ToCharacterCode["Transilvania"]
m02 = ToCharacterCode["Romania"]
{84, 114, 97, 110, 115, 105, 108, 118, 97, 110, 105, 97}
{82, 111, 109, 97, 110, 105, 97}
{m1, m2} = Mod[{FromDigits[m01, 256], FromDigits[m02, 256]}, q]
{26135018475436037405047417185, 23203463667018081}
◻ Keys K and Ya
ka = Random[Integer, {1, q - 1}];
{Kx, Ky} = Mult[ka, Yb, q, -3, b]
Ya = Mult[ka, G, q, -3, b]
{1491376168303954572291171204233258426738725109867691358216,
1214573518889213311831967449132831397062260112552315825754}
{4316361940524308488737945697462164920394163273102255552918,
5011586538819215183236001645760568529066013955622938010874}
◻ Alice sends encrypted message and Ya
{c1, c2} = Mod[{Kx * m1, Ky * m2}, q] (* ciphertext *)
{4128091592795567213646030482277962704855528331322450992878,
893154719595316875948317128832095628699009352066623304183}
◻ Bob calculates inverses and decrypts
Kxinv = PowerMod[Kx, -1, q];
Kyinv = PowerMod[Ky, -1, q];
{z1, z2} = Mod[{Kxinv * c1, Kyinv * c2}, q]
{26135018475436037405047417185, 23203463667018081}
FromCharacterCode[IntegerDigits[z1, 256]]
FromCharacterCode[IntegerDigits[z2, 256]]
Transilvania
Romania
◼ ECC authentication
1. Alice sends Bob a random message R = (r1, r2).
2. Bob encrypts it and sends the response C = (c1, c2).
3. Alice decrypts the message with Bob's public key, which Alice gets from a CA (certification authority). If there is a match, Bob is authenticated.
ECDSA digital signature on P-192
Below we experiment with a Mathematica implementation of ECDSA: the Elliptic Curve Digital Signature Algorithm.
◼ ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM
◼ TESTING DIGITAL ECDSA ON P-192 CURVE
G = {602046282375688656758213480587526111916698976636884684818,
174050332293622031404857552280219410364023488927386650641};
b = 2455155546008943817740293915197451784769108058161191238065;
q = 6277101735386680763835789423207666416083908700390324961279;
n = 6277101735386680763835789423176059013767194773182842284081;
◼ Alice's private key a and public key QA = a G
a = 918273645;
QA = Mult[a, G, q, -3, b]
{996476617209121766373775085331218971859677291912391531403,
1826671883173573522640443946381870661151142903532674787055}
◼ Message m and its SHA - hash
m = "Today the weather in Brasov is sunny";
z = Hash[m, "SHA"]
1325693890563512617650171762935806176263117924031
◼ Alice creates random k and finally signature DS
k = Random[Integer, {1, n - 1}];
r = Mod[Mult[k, G, q, -3, b][[1]], n]
280500202060425853880106773998470533398021871826415552405
s = Mod[PowerMod[k, -1, n] * (z + r * a), n]
634423026374674927513840555052887470832459265348577926529
DS = {s, r}
{634423026374674927513840555052887470832459265348577926529,
280500202060425853880106773998470533398021871826415552405}
◼ Bob verifies the signature
m = "Today the weather in Brasov is sunny";
z = Hash[m, "SHA"]
1325693890563512617650171762935806176263117924031
w = PowerMod[s, -1, n]
5709717444866886451074716979713336983604920003396745493765
u1 = Mod[z * w, n]
u2 = Mod[r * w, n]
1943471050041666870667031115331515222361132550672029792224
1040969572507174418325038687458388850542478490792604486423
{x1, y1} = EllipticSum[q, -3, b, Mult[u1, G, q, -3, b], Mult[u2, QA, q, -3, b]]
{280500202060425853880106773998470533398021871826415552405,
1225396249619413245270389537906947698114385536822473550584}
r
Mod[x1, n]
If[r ⩵ Mod[x1, n], Print["Signature is verified"], Print["Signature failed"]]
280500202060425853880106773998470533398021871826415552405
280500202060425853880106773998470533398021871826415552405
Signature is verified
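As an added example, not the lecture's Mathematica code: the group law of EllipticSum and Mult, the P-192 Diffie-Hellman exchange and the ECDSA signing and verification above, ported to Python (3.8 or newer, for the modular inverse pow(x, -1, m)). The curve constants are the P-192 values from the slides; private keys and the ECDSA nonce are passed in as arguments, and any values used with them in a test are constructed. Unlike the slides' EllipticSum, the doubling branch also returns O when y = 0.

```python
O = None  # the point at infinity, the neutral element of the curve group

def ec_add(q, a, P, Q):
    """P + Q on y^2 = x^3 + a x + b over F_q (b plays no part in the formulas)."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % q == 0:  # P == -Q; also doubling a point with y == 0
        return O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, q) % q   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, q) % q           # chord slope
    x3 = (lam * lam - x1 - x2) % q
    return (x3, (lam * (x1 - x3) - y1) % q)

def ec_mul(q, a, k, P):
    """Double-and-add k*P, the idea behind the slides' Mult (also correct for k == 0)."""
    R = O
    while k:
        if k & 1:
            R = ec_add(q, a, R, P)
        P, k = ec_add(q, a, P, P), k >> 1
    return R

# NIST P-192 constants as listed on the slides (a = -3)
Q192 = 6277101735386680763835789423207666416083908700390324961279
N192 = 6277101735386680763835789423176059013767194773182842284081
G192 = (602046282375688656758213480587526111916698976636884684818,
        174050332293622031404857552280219410364023488927386650641)

def ecdh(ka, kb):  # Ya = ka*G, Yb = kb*G; both sides must reach the same point K
    Ya, Yb = ec_mul(Q192, -3, ka, G192), ec_mul(Q192, -3, kb, G192)
    return Ya, Yb, ec_mul(Q192, -3, ka, Yb), ec_mul(Q192, -3, kb, Ya)

def ecdsa_sign(d, z, k):  # hash value z, private key d, per-signature nonce k
    r = ec_mul(Q192, -3, k, G192)[0] % N192
    s = pow(k, -1, N192) * (z + r * d) % N192
    return r, s  # a real signer retries with a fresh k if r == 0 or s == 0

def ecdsa_verify(QA, z, r, s):
    """The slides' check: the x-coordinate of u1*G + u2*QA must equal r mod n."""
    if not (0 < r < N192 and 0 < s < N192):
        return False
    w = pow(s, -1, N192)
    X = ec_add(Q192, -3, ec_mul(Q192, -3, z * w % N192, G192),
               ec_mul(Q192, -3, r * w % N192, QA))
    return X is not O and X[0] % N192 == r
```

Two points the slides leave implicit matter in practice: the nonce k must be unpredictable and never reused for two signatures, and the shared point K is normally passed through a key derivation function rather than truncated to its first 128 bits.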
Conclusion
Elliptic Curve Cryptography performs all tasks required from public key cryptography: authentication, encryption, key agreement and digital signatures.
Furthermore, it provides adequate security with only a 200 bit key size, which makes ECC a very good alternative to RSA or DLP-based systems in smart cards and PDA equipment.
The transition to ECC has not yet started on a large scale, but for example the Finnish government has already recommended ECC to replace traditional PK algorithms.