elliptic curve cryptography · elliptic curve cryptography for those who are afraid of maths...
TRANSCRIPT
![Page 1: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/1.jpg)
Elliptic Curve Cryptography for those who are afraid of maths
Martijn Grooten, Virus Bulletin
@martijn_grooten
BSides London, 3 June 2015
![Page 2: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/2.jpg)
![Page 3: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/3.jpg)
Disclaimer:
This talk will be useless.
I am not a cryptographer.
Some things are wrong.
![Page 4: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/4.jpg)
Elliptic curves
y2 = x3 + a·x + b
…and a prime number p.
choice!
![Page 5: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/5.jpg)
points ≈numbers
![Page 6: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/6.jpg)
P Q
P+Q
“point addition”
![Page 7: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/7.jpg)
P
P+P
“point doubling”
2·P
2P+P 3·P
“(integer) multiplication”
6·P
4·P
5·P
![Page 8: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/8.jpg)
So:
We can “add” points to each other.
We can “multiply” points by an integer.
Nice: P + Q = Q + P
3·P + P = 2·P + 2·P = 4·P
5·(7·P) = 7·(5·P) etc.
The points on a curve form an Abelian Group (very exciting!).
![Page 9: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/9.jpg)
Multiplication is very fast
To go from a point P to 100·P:
P → 2·P
2·P → 3·P
3·P → 6·P
6·P → 12·P
12·P → 24·P
24·P → 25·P
25·P → 50·P
50·P → 100·P
Only eight steps!
![Page 10: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/10.jpg)
“Division” is very slow
Given points P and Q, where Q=n·P, the best way to find the number n is to try P, 2·P, 3·P, etc. That is very slow.
The Discrete Logarithm Problem for elliptic curves.
![Page 11: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/11.jpg)
ECDH (Elliptic Curve Diffie Hellman)
The challenge: Alice and Bob want to agree on a secret key over a public channel.
For example: Alice is a web server, Bob a browser and they want to exchange a key to encrypt a TLS session.
![Page 12: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/12.jpg)
ECDH (Elliptic Curve Diffie Hellman)
Alice and Bob have agreed on an elliptic curve and a “base point” P on the curve.
Alice chooses secret large random number a.
Bob chooses secret large random number b.
![Page 13: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/13.jpg)
ECDH (Elliptic Curve Diffie Hellman)
Alice computes a·P (a times the point P) and shares the answer with Bob.
Bob computes b·P and shares this too.
Alice computes a·(b·P) (a times the point Bob gave her).
Bob computes b·(a·P).
Secret key: a·(b·P) = b·(a·P).
![Page 14: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/14.jpg)
Wireshark (client to server)
“11 cipher suites you didn’t know I supported”
![Page 15: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/15.jpg)
Wireshark (client to server)
“These are my three favourite curves.”
![Page 16: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/16.jpg)
Wireshark (server to client)
“OK, let’s go for TLS_ECDHE_RSA_WITH_AES_128_CGM_SHA256 .”
![Page 17: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/17.jpg)
Wireshark (server to client)
“And curve NIST P-256. And this is my point.”
![Page 18: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/18.jpg)
Wireshark (client to server)
“Cheers – here’s mine!”
![Page 19: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/19.jpg)
What could possibly go wrong?
What if there is a ‘loop’?
If 1001·P = P, then there are only 1000 possible values for n·P, no matter how large n is!
Loops can be avoided. Other (known and unknown!) weaknesses remain possible.
![Page 20: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/20.jpg)
Are we using ‘weak’ curves?
NIST P-256:
y2 = x3 - 3x + 41058363725152142129326129780047268409114441015993725554835256314039467401291
WHAT???
![Page 21: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/21.jpg)
Random number generators
random seed
output
![Page 22: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/22.jpg)
Random number generators
Discrete Logarithm Problem:
n → n·P
gives “random” points/numbers.
n0 n1 n2
n0·P n1·P n2·P
n1 n2
n1·P
![Page 23: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/23.jpg)
Random number generators
s0 s1 s2
Given: elliptic curve with two points P and Q.
s0·P s1·P s2·P
s1·Q s2·Q 32-byte seed
30 bytes 30 bytes
Note: ideas from this slide and the next are borrowed from Bernstein, Heninger and Lange (NCSC ‘14).
![Page 24: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/24.jpg)
Random number generators
s0 s1 s2
Fact: P=d·Q for some (large) number d.
s0·P s1·P s2·P
s1·Q s2·Q 32-byte seed
30 bytes 30 bytes
216 possibilities r1
d·r1
s1·P = s1(d·Q)
= d·(s1·Q)
= d·r1
![Page 25: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/25.jpg)
So who, if anyone, knows d?
“Dual_EC_DRBG”
![Page 26: Elliptic Curve Cryptography · Elliptic Curve Cryptography for those who are afraid of maths Martijn Grooten, Virus Bulletin @martijn_grooten BSides London, 3 June 2015](https://reader036.vdocument.in/reader036/viewer/2022062506/5f0202837e708231d4022175/html5/thumbnails/26.jpg)
Conclusion
Elliptic curve cryptography is a good idea because we can do with much smaller keys.
256-bit ECC ≈ 3072-bit RSA.
Elliptic curve crypto uses complicated maths. That is its biggest weakness.