ecc curve selection
DESCRIPTION
ECC Curve Selection. By Edward Yin CS 265 Project Spring 2005. Why ECC?. Key Size, Speed, and Scalability NIST guidelines for equivalent strengths:. ECC Basics. Prime: GF(p) Y 2 = X 3 + aX + b with 4a 3 + 27b 2 ≠ 0 Binary: GF(2 m ) Y 2 + XY = X 3 + aX 2 + b with b ≠ 0 - PowerPoint PPT PresentationTRANSCRIPT
ECCCurve Selection
ByEdward Yin
CS 265 ProjectSpring 2005
Why ECC?Key Size, Speed, and Scalability
NIST guidelines for equivalent strengths:
Bits of
Security
Symmetric
key algs.Hash algs.
Discrete Logs
(DSA, DH, MQV)RSA
Elliptic
Curves
80 SHA-1 L = 1024 N = 160 k = 1024 f = 160
112 TDES L = 2048 N = 224 k = 2048 f = 224
128 AES-128 SHA-256 L = 3072 N = 256 k = 3072 f = 256
192 AES-192 SHA-384 L = 7680 N = 384 k = 7680 f = 384
256 AES-256 SHA-512 L = 15360 N = 512 k = 15360 f = 512
ECC Basics
• Prime: GF(p)Y2 = X3 + aX + b with 4a3 + 27b2 ≠ 0
• Binary: GF(2m)Y2 + XY = X3 + aX2 + b with b ≠ 0
An “elliptic curve” means points on the curve plus the point at infinity.
Private: integer k
Public: a, b, point P, point Q=kP
Discrete Logs
• Discrete Log Problem (DLP)– Given p, g, and y, find x such that
gx = y (mod p).
• ECDLP– Given P, Q, find k such that kP = Q.
• Diffie-Hellman Problem (DHP)– Given p, g, ga, gb, find gab (mod p).
• ECDHP– Given P, sP, tP, find stP.
DLP and ECDLP
Regular DL (e.g. Diffie-Hellman)
ECC with prime fieldECC with binary
field
Field GF(p) GF(p) GF(2m)
Field representation 0,1,…,p-1 0,1,…,p-1Polynomial basis or
normal basis
Field order (size) p p 2m
Group elements GF(p)*E(GF(p)) = curve E
over GF(p)E(GF(2m)) = curve E
over GF(2m)
Basic operationMultiplication in
GF(p)Addition of points on
EAddition of points on
E
Base element Generator g Base point P Base point P
Main operation Exponentiation Scalar multiplication Scalar multiplication
Group order (size) p-1p+1-2p1/2 ≤ #E(GF(p)) ≤
p+1+2p1/2
2m+1-2m/2+1 ≤ #E(GF(2m)) ≤ 2m+1+2m/2+1
Known AttacksBest general attack is the Pollard rho method, taking O(n1/2)
curve additions, where n is the order of the base point P (smallest positive integer such that nP = 0).
Shortcuts:1. The Pohlig-Hellman algorithm reduces the size of the
problem. ECDLP reduced to ECDLP modulo each prime factor of n
2. ECDLP for anomalous curves in a prime field is solvable in polynomial time.
Prime-field-anomalous if group order = field order = n
3. ECDLP for some curves (e.g. supersingular curves) is solvable in subexponential time
MOV reduction possible if (field order)k = 1 (mod n) for some k
Avoiding Weak Curves
1. #E(GF(q)) = hn with large prime n, small h and nP=0.
2. #E(GF(q)) ≠ q.
3. The order n of point P should not divide qk-1 for all 1 ≤ k ≤ C, C≥20 in practice.
Approaches to Curve Selection
• Choose the group order first– Use the Complex Multiplication method (CM)
• Construct curve from another known curve• Choose a random curve
– Count points with Schoof’s algorithm or the Schoof-Elkies-Atkin (SEA) algorithm
• Use a published curve
Algorithms: see e.g. IEEE P1363 Annex A.Implementation: see e.g. MIRACL at
http://indigo.ie/~mscott/