ROTOR BASED SYSTEM, SHIFT REGISTER BASED SYSTEM, DESIGN CONSIDERATION FOR STREAM CIPHER, CRYPTANALYSIS OF STREAM CIPHER, COMBINED ENCRYPTION AND ENCODING, BLOCK CIPHER, DES AND VARIANTS,
MODES OF USE OF DES, PUBLIC KEY SYSTEM, KNAPSACK SYSTEM, RSK, DIFFIE-HELLMAN EXCHANGE, AUTHENTICATION, DIGITAL SIGNATURE, ELLIPTIC CURVE SYSTEM
There is a further division of symmetric cryptosystems into block ciphers and stream ciphers. The distinction between block and stream ciphers is perhaps best summarized by the following quotation:
Block ciphers operate with a fixed transformation on large blocks of plaintext data; stream ciphers operate with a time-varying transformation on individual plaintext digits.
SUNNY 11121
SURBHI 11122
Definition
o A linear feedback shift register (LFSR) is a shift register whose input bit is a linear function of its previous state.
o A shift register is a device whose identifying function is to shift its contents into adjacent positions within the register or, in the case of the position on the end, out of the register.
Description: The feedback function in an LFSR has several names: XOR, odd parity, sum modulo 2. Whatever the name, the function is simple: 1) add the selected bit values; 2) if the sum is odd, the output of the function is one; otherwise the output is zero.
[Figure: shift register with XOR gate feedback]
Feedback function: The most commonly used linear function of single bits is XOR. Thus, an LFSR is most often a shift register whose input bit is driven by the exclusive-or (XOR) of some bits of the overall shift register value. The initial value of the LFSR is called the seed.
PRESENTED BY
SUSHANT
long period with no repetitions
statistically random
depends on large enough key
large linear complexity
correlation immunity
confusion
diffusion
use of highly non-linear Boolean functions
The key-stream must eventually repeat, and key-stream re-use makes the scheme vulnerable to cryptanalysis, so for almost every key K the generated key-stream should have a very long period. The key-stream should be indistinguishable from a random sequence, to hide plaintext statistics.
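The LFSR described above and the "large linear complexity" design consideration, as an added Python example that is not part of the original slides: it generates a key-stream, measures its period, and uses the Berlekamp-Massey algorithm to find the shortest LFSR that reproduces a bit sequence. The 4-stage register, its taps and its seed are constructed values chosen for illustration.

```python
import random


def lfsr_step(state, taps):
    """Advance the register one position; return (output_bit, new_state)."""
    feedback = 0
    for t in taps:
        feedback ^= state[t]          # XOR = sum modulo 2 of the selected bits
    # Contents shift towards the end; the feedback bit becomes the new input bit.
    return state[-1], [feedback] + state[:-1]


def lfsr_stream(seed, taps, nbits):
    """Return nbits of key-stream produced from the seed (list of 0/1)."""
    state, out = list(seed), []
    for _ in range(nbits):
        bit, state = lfsr_step(state, taps)
        out.append(bit)
    return out


def lfsr_period(seed, taps):
    """Number of steps until the register holds the seed again (None if never)."""
    state = list(seed)
    for steps in range(1, 2 ** len(seed) + 1):
        _, state = lfsr_step(state, taps)
        if state == list(seed):
            return steps
    return None


def linear_complexity(bits):
    """Berlekamp-Massey over GF(2): length of the shortest LFSR generating bits."""
    n = len(bits)
    c = [1] + [0] * n                 # current connection polynomial
    b = [1] + [0] * n                 # polynomial before the last length change
    length, m = 0, -1
    for i in range(n):
        d = bits[i]                   # discrepancy between prediction and bit i
        for j in range(1, length + 1):
            d ^= c[j] & bits[i - j]
        if d:
            previous = c[:]
            shift = i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * length <= i:
                length, m, b = i + 1 - length, i, previous
    return length


def xor_bits(a, b):
    """Stream-cipher encryption and decryption: bitwise XOR with the key-stream."""
    return [x ^ y for x, y in zip(a, b)]


# Constructed 4-stage register; taps on the last two positions (x^4 + x + 1).
SEED = [0, 0, 0, 1]
TAPS = (2, 3)

if __name__ == "__main__":
    keystream = lfsr_stream(SEED, TAPS, 30)
    print("key-stream        :", "".join(map(str, keystream)))
    print("period            :", lfsr_period(SEED, TAPS))
    print("linear complexity :", linear_complexity(keystream))
    rng = random.Random(1)
    random_bits = [rng.getrandbits(1) for _ in range(64)]
    print("64 random bits    :", linear_complexity(random_bits))
```

A single LFSR has a long period for its size but a linear complexity equal only to its length, which is why the list above asks for non-linear functions on top of it.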
Cryptography is the part of information security that works best
Using crypto correctly is important
The more we make other parts of security behave like crypto, the better
Study of cryptanalysis gives insight into all aspects of crypto
Gain insight into attacker's mindset
black hat versus white hat mentality
Preliminaries
Cryptosystem: A mechanism for providing a secure means of information exchange.
Cryptographer: A person who designs a cryptosystem.
Cryptanalyst: One who tries to attack the cryptosystem.
Message/Plaintext
Cipher text/Cipher
Key
Encryption: Process of transforming the message into cipher.
Decryption: Recovering the actual message from the cipher.
A cryptosystem is specified by the encryption and decryption procedure.
Classical Cryptography
Caesar Cipher: Plaintext (P) and Cipher (C) are the English alphabet and Key (K) denotes the number of shifts.
Substitution Cipher: Here P and C are the same and K is a permutation of the 26 symbols.
Cryptanalysis
cipher-text only
known plain-text
chosen plain-text
Stream Cipher
Plaintext (P): binary bit string
Key-string (K): pseudo-random binary string
Cipher text (C): bitwise XOR (addition modulo 2) of P and K
e.g.:
P: 011 001 001 000 100 010
K: 001 010 001 101 110 101
C: 010 011 000 101 010 111
Here Pr[P=0] = 2/3; Pr[P=1] = 1/3
Pr[P=0|C=0] = Pr[P=0|C=1] = 2/3
Pr[P=1|C=0] = Pr[P=1|C=1] = 1/3
This gives Pr[P] = Pr[P|C]
PRACTICAL IMPLEMENTATION
Alice or Bob might also want to store their data securely
Trudy wants to read Alice and Bob's secrets
Or Trudy might have other devious plans
Cause confusion, denial of service, etc.
CIA
Confidentiality, Integrity and Availability
Confidentiality: prevent unauthorized reading of information
Integrity: prevent unauthorized writing of information
Availability: data is available in a timely manner when needed
Availability is a new security concern
Due to denial of service (DoS) threats
Crypto
Cryptology: the art and science of making and breaking secret codes
Cryptography: making secret codes
Cryptanalysis: breaking secret codes
Crypto: all of the above (and more)
Crypto
Underlying assumption
The system is completely known to Trudy
Only the key is secret
[Figure: plaintext Pi -> encrypt -> ciphertext Ci -> decrypt -> plaintext Pi]
Note: Pi is the ith unit of plaintext and Ci is the corresponding ciphertext. The unit may be a bit, letter, block of bits, etc.
Trudy knows the ciphertext
Trudy knows the cipher and how it works
Trudy might know a little more
Trudy does not know the key
Taxonomy of Cryptography
Symmetric Key
Same key for encryption as for decryption
Stream ciphers and block ciphers
Public Key
Two keys, one for encryption (public), and one for decryption (private)
Digital signatures: nothing comparable in symmetric key crypto
Hash algorithms
Cryptanalysis
This course focused on cryptanalysis
Trudy wants to recover key or plaintext
Trudy is not bound by any rules
For example, Trudy might attack the implementation, not the algorithm itself
She might use side channel info, etc.
Taxonomy of Cryptanalysis
Ciphertext only: always an option
Known plaintext: possible in many cases
Chosen plaintext
Lunchtime attack
Protocols might encrypt chosen text
Adaptively chosen plaintext
Related key
Forward search (public key crypto only)
Rubber hose, bribery, etc., etc., etc.
Definition of Secure
A cryptosystem is secure if the best known attack is to try all possible keys
Cryptosystem is insecure if any shortcut attack is known
By this definition, an insecure system might be harder to break than a secure system!
Definition of Secure
Why do we define secure this way?
The size of the keyspace is the advertised level of security
If an attack requires less work, then false advertising
A cipher must be secure (by our definition) and have a large keyspace
Too big for an exhaustive key search
Theoretical Cryptanalysis
Suppose that a cipher has a 100 bit key
Then keyspace is of size 2^100
On average, for exhaustive search Trudy tests 2^100/2 = 2^99 keys
Suppose Trudy can test 2^30 keys/second
Then she can find the key in about 37.4 trillion years
Theoretical Cryptanalysis
Suppose that a cipher has a 100 bit key
Then keyspace is of size 2^100
Suppose there is a shortcut attack with work equal to testing about 2^80 keys
If Trudy can test 2^30 per second
Then she finds key in 36 million years
Better than 37 trillion, but not practical
Applied Cryptanalysis
In this class, we focus on attacks that produce plaintext
Not interested in attacks that just show a theoretical weakness in a cipher
Stream ciphers
Shift registers, correlation attack, ORYX, RC4, PKZIP
Hash functions
Nostradamus attack, MD4, MD5
ENCODING
Encoding is the process of transforming source information into a specialised format so that it can be consumed by different types of systems and transmitted efficiently. The reverse of this process is Decoding.
The goal is not to keep information secret, but rather to ensure that it's able to be properly consumed.
Uses scheme that is publicly available
Does not require a key
To decode requires only the algorithm that was used to encode it
Examples: ASCII, Unicode, URL Encoding, Base64
ENCRYPTION
Encryption is the process of obscuring information to make it unreadable without special knowledge, sometimes referred to as scrambling.
The goal is to ensure the data cannot be consumed by anyone other than the intended recipient(s).
Transformation uses a key which is kept secret, in conjunction with the plain text and the algorithm.
A symmetric encryption scheme has five ingredients:
1. Plaintext: Original intelligible message
2. Encryption algorithm: Performs various substitutions and transformations on the plaintext
3. Secret key: Another input to the encryption algorithm. Independent of plaintext and algorithm
4. Ciphertext: Scrambled message produced as output. Depends on the plaintext and the secret key
5. Decryption algorithm: Essentially encryption algorithm run in reverse
In broadband communication, a technique of error-free transmission for stream ciphers is introduced.
Capability of error correction depends upon introduction of redundancy into the sequence.
Breaking the encryption into blocks, then introducing the redundancy bit for error correction increases the complexity of the encryption sequence from 2n to 2mn.
S-DES Scheme
[Figure: S-DES scheme, encryption and decryption paths (8-bit plaintext, IP, fK with K1, SW, fK with K2, IP^-1, 8-bit ciphertext) and key generation (P10, SHIFT, P8 giving K1 and K2)]
Key Generation
[Figure: key generation: 10-bit key, P10, two 5-bit halves, LS-1, P8 giving 8-bit K1, LS-2, P8 giving 8-bit K2]
P10 Permutation
Input:  k1 k2 k3 k4 k5 k6 k7 k8 k9 k10
Output: k3 k5 k2 k7 k4 k10 k1 k9 k8 k6
P8 Permutation
Permute 10 into 8
Input:  k1 k2 k3 k4 k5 k6 k7 k8 k9 k10
Output: k6 k3 k7 k4 k8 k5 k10 k9
LS-1
Left circular shift by 1 of each 5-bit group
Before: k3 k5 k2 k7 k4 | k10 k1 k9 k8 k6
After:  k5 k2 k7 k4 k3 | k1 k9 k8 k6 k10
LS-2
Left circular shift by 2 of each 5-bit group
Before: k3 k5 k2 k7 k4 | k10 k1 k9 k8 k6
After:  k2 k7 k4 k3 k5 | k9 k8 k6 k10 k1
Encryption Detail
[Figure: encryption detail: IP, E/P (4 to 8 bits), K1, S0 and S1 (4 to 2 bits each), P4, SW, E/P, K2, S0, S1, P4, IP^-1]
Initial Permutation (IP)
k2 k6 k3 k1 k4 k8 k5 k7
Inverse Permutation (IP^-1)
k4 k1 k3 k5 k7 k2 k8 k6
Expansion/Permutation (E/P)
Expand 4 bits into 8 and permute them
Input:  k1 k2 k3 k4
Output: k4 k1 k2 k3 k2 k3 k4 k1
Substitution Boxes
S0:
1 0 3 2
3 2 1 0
0 2 1 3
3 1 3 2
S1:
0 1 2 3
2 0 1 3
3 0 1 0
2 1 0 3
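The S-DES key generation and encryption detail above, put together as an added Python example that is not part of the original slides. The tables P10, P8, IP, IP^-1, E/P, S0 and S1 are the ones listed above; P4 = (2, 4, 3, 1) is not listed on the page and is assumed to be the usual S-DES P4, and the sample key and plaintext are constructed values.

```python
P10 = (3, 5, 2, 7, 4, 10, 1, 9, 8, 6)
P8 = (6, 3, 7, 4, 8, 5, 10, 9)
IP = (2, 6, 3, 1, 4, 8, 5, 7)
IP_INV = (4, 1, 3, 5, 7, 2, 8, 6)
EP = (4, 1, 2, 3, 2, 3, 4, 1)
P4 = (2, 4, 3, 1)                      # assumption: not shown on the page
S0 = ((1, 0, 3, 2), (3, 2, 1, 0), (0, 2, 1, 3), (3, 1, 3, 2))
S1 = ((0, 1, 2, 3), (2, 0, 1, 3), (3, 0, 1, 0), (2, 1, 0, 3))


def bits(text):
    return [int(ch) for ch in text]


def permute(block, table):
    """Output position i takes input bit table[i] (tables are 1-based)."""
    return [block[i - 1] for i in table]


def rotate_left(half, n):
    return half[n:] + half[:n]


def subkeys(key10):
    """P10, then LS-1 and P8 for K1, then LS-2 and P8 for K2."""
    k = permute(key10, P10)
    left, right = rotate_left(k[:5], 1), rotate_left(k[5:], 1)
    k1 = permute(left + right, P8)
    left, right = rotate_left(left, 2), rotate_left(right, 2)
    k2 = permute(left + right, P8)
    return k1, k2


def sbox(nibble, box):
    """Bits 1 and 4 select the row, bits 2 and 3 the column; output is 2 bits."""
    value = box[nibble[0] * 2 + nibble[3]][nibble[1] * 2 + nibble[2]]
    return [value >> 1, value & 1]


def f_k(block, subkey):
    """One round: the left half is XORed with P4(S0, S1(E/P(right) XOR subkey))."""
    left, right = block[:4], block[4:]
    mixed = [a ^ b for a, b in zip(permute(right, EP), subkey)]
    p4 = permute(sbox(mixed[:4], S0) + sbox(mixed[4:], S1), P4)
    return [a ^ b for a, b in zip(left, p4)] + right


def crypt(block, round_keys):
    """IP, fK with the first key, SW, fK with the second key, IP^-1."""
    x = f_k(permute(block, IP), round_keys[0])
    x = x[4:] + x[:4]                  # SW: swap the two 4-bit halves
    return permute(f_k(x, round_keys[1]), IP_INV)


def encrypt(block, key10):
    return crypt(block, subkeys(key10))


def decrypt(block, key10):
    k1, k2 = subkeys(key10)
    return crypt(block, (k2, k1))      # same algorithm, subkeys in reverse order


if __name__ == "__main__":
    key = bits("1010000010")           # constructed sample key
    plaintext = bits("01110010")       # constructed sample plaintext
    k1, k2 = subkeys(key)
    ciphertext = encrypt(plaintext, key)
    print("K1 =", k1, "K2 =", k2)
    print("ciphertext =", ciphertext)
    print("decrypted  =", decrypt(ciphertext, key))
```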
TUSHAR 11126
Vigenère Cipher
Simplest polyalphabetic substitution cipher
Consider the set of all Caesar ciphers: { Ca, Cb, Cc, ..., Cz }
Key: e.g. security
Encrypt each letter using Cs, Ce, Cc, Cu, Cr, Ci, Ct, Cy in turn.
Repeat from start after Cy.
Decryption simply works in reverse.
Block Ciphers
In general, a block cipher replaces a block of N plaintext bits with a block of N ciphertext bits. (E.g., N = 64 or 128.)
A block cipher is a monoalphabetic cipher.
Each block may be viewed as a gigantic character.
The alphabet consists of 2^N gigantic characters.
Each particular cipher is a one-to-one mapping from the plaintext alphabet to the ciphertext alphabet.
There are (2^N)! such mappings.
A secret key indicates which mapping to use.
But this would require a key of log2((2^N)!) bits. If N = 64, log2((2^N)!) ≈ N × 2^N ≈ 10^21 bits ≈ 10^11 GB. Infeasible!
If the selection of the 2^K mappings is random, the resulting cipher will be a good approximation of the ideal block cipher. Horst Feistel, in the 1970s, proposed a method to achieve this.
[Figure: Feistel round i: inputs L(i-1) and R(i-1), round function f with round key ki, XOR (+), outputs Li and Ri]
Feistel Cipher
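Goes through a number of rounds, say 16 rounds.
A Feistel cipher encrypts a plaintext block m as:
$$c := E_k(m) := \theta \circ \theta \circ \varphi_{16} \circ \cdots \circ \theta \circ \varphi_2 \circ \theta \circ \varphi_1 (m)$$
The decryption will be:
$$D_k(c) = \varphi_1^{-1} \circ \theta^{-1} \circ \varphi_2^{-1} \circ \cdots \circ \theta^{-1} \circ \varphi_{16}^{-1} \circ \theta^{-1} \circ \theta^{-1} (c) = \theta \circ \theta \circ \varphi_1 \circ \theta \circ \varphi_2 \circ \cdots \circ \theta \circ \varphi_{16} (c)$$
The decryption algorithm is the same as the encryption algorithm, but uses round keys in the reverse order.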
11127
UMESH
DES
DES is the archetypal block cipher: an algorithm that takes a fixed-length string of plaintext bits and transforms it through a series of complicated operations into another ciphertext bitstring of the same length. In the case of DES, the block size is 64 bits. DES also uses a key to customize the transformation, so that decryption can supposedly only be performed by those who know the particular key used to encrypt.
Description
The key ostensibly consists of 64 bits; however, only 56 of these are actually used by the algorithm. Eight bits are used solely for checking parity, and are thereafter discarded. Hence the effective key length is 56 bits, and it is never quoted as such. Every 8th bit of the selected key is discarded, that is, positions 8, 16, 24, 32, 40, 48, 56, 64 are removed from the 64 bit key leaving behind only the 56 bit key.
Like other block ciphers, DES by itself is not a secure means of encryption but must instead be used in a mode of operation. FIPS-81 specifies several modes for use with DES. Further comments on the usage of DES are contained in FIPS.
Encrypts 64-bit data using 56-bit key
Has widespread use
There has been considerable controversy over its security
DES (Contd..)
Block cipher: 64 bits at a time
Initial permutation rearranges 64 bits (no cryptographic effect)
Encoding is in 16 rounds
plaintext -> INITIAL PERMUTATION -> ROUND 1 -> ROUND 2 -> ... -> ROUND 16 -> INITIAL PERMUTATION -> ciphertext
DES MODES
ECB: Electronic CodeBook mode:
Encrypt each 64-bit block independently. Attacker could build codebook.
[Figure: block encryption, each block encrypted independently as E(block) to give the ciphertext]
[Figure: each block is XORed before block encryption E(block) to give the ciphertext]
Pad last block, if necessary
Random block called IV can be sent in plain text. Not a secret, just prevents a codebook. Oftentimes a timestamp.
[Figure: E(register), leftmost unit, XOR]
After each unit, shift input register and insert the most recently generated unit of ciphertext.
[Figure: E(register), leftmost unit, XOR]
After each unit, shift input register and insert the leftmost unit of the encrypted register.
In a public key system, each user has a publicly known encryption key (public key) and a private key known only to that user. Messages are encrypted using the receiver's public key. When they receive it, they decrypt it using their private key. Public key cryptography was invented in 1976 by Whitfield Diffie and Martin Hellman.
Asymmetric encryption
Cont'd
The key used to encrypt a message is not the same as the key used to decrypt it. Each user has a pair of cryptographic keys: a public encryption key and a private decryption key. The publicly available encrypting-key is widely distributed, while the private decrypting-key is known only to the recipient. Messages are encrypted with the recipient's public key and can be decrypted only with the corresponding private key.
Symmetric encryption
In contrast, symmetric-key algorithms, variations of which have been used for thousands of years, use a single secret key which must be shared and kept private by both sender and receiver for both encryption and decryption. To use a symmetric encryption scheme, the sender and receiver must securely share a key in advance.
Branches
The two main branches of public key cryptography are:
Public key encryption
Digital signatures
RSK
VIKAS
11131
What is RSK ??
RSK is a process developed by NMI Info Security Solutions to quantify the risk to your information systems. The RSK program evaluates thousands of risk factors that affect your information systems, including the computers in your information system, the network applications running on those computers, security holes associated with those network applications and configuration errors.
The output of the RSK program is a number called an RSK measurement. An RSK measurement is a number that is easy to communicate and easy to understand. High numbers mean a higher risk to your information systems.
RSK makes the results of risk assessments easily accessible to all audiences.
In addition to a traditional text report (possibly hundreds of pages long) outlining technical and policy issues to be addressed, RSK provides a quick and easy-to-understand interpretation of the risk to your organization's information security. This allows senior executives to access the information they need to make decisions about risk management strategies.
RSK allows you to prioritize and determine the cost effectiveness of remedial actions.
Very few organizations have the time, money, or human resources to implement every recommendation of a risk assessment. Some recommendations may be very costly to implement, and the degree they reduce risk may not be obvious using traditional risk assessment techniques. By attaching a consistent numeric value to each risk factor, RSK allows risk managers to prioritize remedial actions that result in the greatest reduction of risk at the lowest cost.
YOGESH
11132
assumes authenticated channels (+ DDH assumption)
open to m-i-t-m in a realistic unauthenticated setting
Authenticated Diffie-Hellman
Bind key to identities via PKs (or other means)
Non-trivial: innumerable proposals, many broken
NOT that a good protocol must be complex or inefficient, only that it is incredibly easy to design them wrong
No need to compromise for weak protocols anymore
What does it mean for a KE protocol to be secure? What are the attacker's capabilities?
Many works/approaches: much beyond preventing obvious impersonation and key recovery attacks (known-key attacks, ephemeral vs static, UKS, PFS, KCI,...)
HMQV Analysis
In the KE model of Canetti and Krawczyk [CK01]
Attacker may access private keys, session keys, session-state information (exposed session)
Any unexposed session is secure (key is indistinguishable from random)
In addition: extensions to capture PFS, KCI
[CK01] Prove that secure KE in this model implies secure communications (secure channels)
Note: protocol must specify what resides in state and what in protected memory (such as private keys)
AUTHENTICATION
RAHUL
11133
DIGITAL SIGNATURE
VIKAS
11640
Objectives
To define a digital signature
To define security services provided by a digital signature
To define attacks on digital signatures
To discuss some digital signature schemes, including RSA, ElGamal, Schnorr, DSS, and elliptic curve
To describe some applications of digital signatures
1 COMPARISON
Let us begin by looking at the differences between conventional signatures and digital signatures.
1.1 Inclusion
A conventional signature is included in the document; it is part of the document. But when we sign a document digitally, we send the signature as a separate document.
For a conventional signature, when the recipient receives a document, she compares the signature on the document with the signature on file. For a digital signature, the recipient receives the message and the signature. The recipient needs to apply a verification technique to the combination of the message and the signature to verify the authenticity.
1.3 Relationship
For a conventional signature, there is normally a one-to-many relationship between a signature and documents. For a digital signature, there is a one-to-one relationship between a signature and a message.
1.4 Duplicity
In conventional signature, a copy of the signed document can be distinguished from the original one on file. In digital signature, there is no such distinction unless there is a factor of time on the document.
2 PROCESS
Figure 13.1 shows the digital signature process. The sender uses a signing algorithm to sign the message. The message and the signature are sent to the receiver. The receiver receives the message and the signature and applies the verifying algorithm to the combination. If the result is true, the message is accepted; otherwise, it is rejected.
Note: A digital signature needs a public-key system. The signer signs with her private key; the verifier verifies with the signer's public key.
Note: A cryptosystem uses the private and public keys of the receiver; a digital signature uses the private and public keys of the sender.
3 SERVICES
We discussed several security services in Chapter 1 including message confidentiality, message authentication, message integrity, and nonrepudiation. A digital signature can directly provide the last three; for message confidentiality we still need encryption/decryption.
A secure digital signature scheme, like a secure conventional signature, can provide message authentication.
Note: A digital signature provides message authentication.
The integrity of the message is preserved even if we sign the whole message because we cannot get the same signature if the message is changed.
3.3 Nonrepudiation
3.4 Confidentiality
Note: A digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.
This section describes some attacks on digital signatures and defines the types of forgery.
Key-Only Attack
Known-Message Attack
Chosen-Message Attack
Existential Forgery
Selective Forgery
Several digital signature schemes have evolved during the last few decades. Some of them have been implemented.
Figure 13.6 General idea behind the RSA digital signature scheme
Key Generation
Key generation in the RSA digital signature scheme is exactly the same as key generation in the RSA
Note: In the RSA digital signature scheme, d is private; e and n are public.
Example 13.1 As a trivial example, suppose that Alice chooses p = 823 and q = 953, and calculates n = 784319. The value of φ(n) is 782544. Now she chooses e = 313 and calculates d = 160009. At this point key generation is complete. Now imagine that Alice wants to send a message with the value of M = 19070 to Bob. She uses her private exponent, 160009, to sign the message:
Alice sends the message and the signature to Bob. Bob receives the message and the signature. He calculates
Note: When the digest is signed instead of the message itself, the susceptibility of the RSA digital signature scheme depends on the strength of the hash algorithm.
Figure 13.9 General idea behind the ElGamal digital signature scheme
Key Generation
The key generation procedure here is exactly the same as the one used in the cryptosystem.
Note: In the ElGamal digital signature scheme, (e1, e2, p) is Alice's public key; d is her private key.
Example 13.2 Here is a trivial example. Alice chooses p = 3119, e1 = 2, d = 127 and calculates e2 = 2^127 mod 3119 = 1702. She also chooses r to be 307. She announces e1, e2, and p publicly; she keeps d secret. The following shows how Alice can sign a message.
Alice sends M, S1, and S2 to Bob. Bob uses the public key to calculate V1 and V2.
Example 13.3 Now imagine that Alice wants to send another message, M = 3000, to Ted. She chooses a new r, 107. Alice sends M, S1, and S2 to Ted. Ted uses the public keys to calculate V1 and V2.
Figure 13.11 General idea behind the Schnorr digital signature scheme
Key Generation
1) Alice selects a prime p, which is usually 1024 bits in length.
2) Alice selects another prime q.
3) Alice chooses e1 to be the qth root of 1 modulo p.
4) Alice chooses an integer, d, as her private key.
5) Alice calculates e2 = e1^d mod p.
6) Alice's public key is (e1, e2, p, q); her private key is (d).
Note: In the Schnorr digital signature scheme, Alice's public key is (e1, e2, p, q); her private key is (d).
Signing
1. Alice chooses a random number r.
2. Alice calculates S1 = h(M | e1^r mod p).
3. Alice calculates S2 = r + d × S1 mod q.
4. Alice sends M, S1, and S2.
Verifying Message
1. Bob calculates V = h(M | e1^S2 × e2^(−S1) mod p).
2. If S1 is congruent to V modulo p, the message is accepted;
Example 13.4 Here is a trivial example. Suppose we choose q = 103 and p = 2267. Note that p = 22 × q + 1. We choose e0 = 2, which is a primitive in Z2267*. Then (p − 1) / q = 22, so we have e1 = 2^22 mod 2267 = 354. We choose d = 30, so e2 = 354^30 mod 2267 = 1206. Alice's private key is now (d); her public key is (e1, e2, p, q). Alice wants to send a message M. She chooses r = 11 and calculates e2^r = 354^11 = 630 mod 2267. Assume that the message is 1000 and concatenation means 1000630. Also assume that the hash of this value gives the digest h(1000630) = 200. This means S1 = 200. Alice calculates S2 = r + d × S1 mod q = 11 + 1026 × 200 mod 103 = 35. Alice sends the message M = 1000, S1 = 200, and S2 = 35. The verification is left as an exercise.
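The Schnorr key generation, signing and verifying steps above, carried out on the parameters of Example 13.4 including the verification the example leaves as an exercise; this is an added Python example, not part of the original slides. The digest h(1000630) = 200 is the one the example assumes; using SHA-256 for every other input, and comparing S1 and V for equality, are assumptions of this sketch.

```python
import hashlib

# Parameters of Example 13.4
Q, P, E0, D = 103, 2267, 2, 30


def keygen(p, q, e0, d):
    """e1 is a qth root of 1 modulo p; e2 = e1^d mod p."""
    e1 = pow(e0, (p - 1) // q, p)
    e2 = pow(e1, d, p)
    return e1, e2


def concat(m, x):
    """'M | x' as in the example: decimal concatenation, 1000 | 630 -> 1000630."""
    return int(f"{m}{x}")


def example_hash(value):
    """Digest assumed by the example for 1000630; SHA-256 otherwise (assumption)."""
    if value == 1000630:
        return 200
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big")


def sign(m, r, d, e1, p, q, h=example_hash):
    s1 = h(concat(m, pow(e1, r, p)))       # S1 = h(M | e1^r mod p)
    s2 = (r + d * s1) % q                  # S2 = r + d * S1 mod q
    return s1, s2


def verify(m, s1, s2, e1, e2, p, q, h=example_hash):
    # e2 has order q, so e2^(-S1) equals e2^((-S1) mod q).
    x = (pow(e1, s2, p) * pow(e2, (-s1) % q, p)) % p
    return h(concat(m, x)) == s1           # V = h(M | e1^S2 * e2^(-S1) mod p)


if __name__ == "__main__":
    e1, e2 = keygen(P, Q, E0, D)
    s1, s2 = sign(1000, 11, D, e1, P, Q)
    print("e1, e2 =", e1, e2)              # 354, 1206 as in the example
    print("S1, S2 =", s1, s2)              # with d = 30 this gives S2 = 37
    print("accepts (1000, S1, S2):", verify(1000, s1, s2, e1, e2, P, Q))
    print("accepts altered message:", verify(1001, s1, s2, e1, e2, P, Q))
    print("accepts S2 = 35:", verify(1000, s1, 35, e1, e2, P, Q))
```

With d = 30, step 3 of signing evaluates to S2 = 37, and that is the value the verification accepts; the 35 printed in Example 13.4 is what the expression gives with the 1026 that appears in its arithmetic.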
Key Generation.
1) Alice chooses primes p and q.
2) Alice uses <Zp*, ×> and <Zq*, ×>.
3) Alice creates e1 to be the qth root of 1 modulo p.
4) Alice chooses d and calculates e2 = e1^d.
5) Alice's public key is (e1, e2, p, q); her private key is (d).
Example 13.5 Alice chooses q = 101 and p = 8081. Alice selects e0 = 3 and calculates e1 = e0^((p−1)/q) mod p = 6968. Alice chooses d = 61 as the private key and calculates e2 = e1^d mod p = 2038. Now Alice can send a message to Bob. Assume that h(M) = 5000 and Alice chooses r = 61:
Alice sends M, S1, and S2 to Bob. Bob uses the public keys to calculate V.
DSS Versus RSA: Computation of DSS signatures is faster than computation of RSA signatures when using the same p.
DSS Versus ElGamal: DSS signatures are smaller than ElGamal signatures because q is smaller than p.
Key Generation
Key generation follows these steps:
1) Alice chooses an elliptic curve Ep(a, b).
2) Alice chooses another prime q the private key d.
3) Alice chooses e1(, ), a point on the curve.
4) Alice calculates e2(, ) = d × e1(, ).
5) Alice's public key is (a, b, p, q, e1, e2); her private key is d.
6.1 Variations
Time Stamped Signatures: Sometimes a signed document needs to be time stamped to prevent it from being replayed by an adversary. This is called time-stamped digital signature scheme.
Blind Signatures: Sometimes we have a document that we want to get signed without revealing the contents of the document to the signer.
VINAY
11641
INTRODUCTION
The use of elliptic curves in cryptography was suggested independently by Neal Koblitz and Victor S. Miller in 1985.
Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields.
Security of public-key cryptography depends on the difficulty of solving the hard problems defined in complexity theory.
BACKGROUND OF PUBLIC KEY CRYPTOSYSTEM
The cryptosystems based on the following mathematical problems are considered secure and efficient:
Integer Factorization Problem (IFP): examples are RSA, Rabin-Williams
Discrete Logarithm Problem (DLP): U.S. Govt.'s DSA, Diffie-Hellman and MQV key agreement scheme etc.
Contd
None of these problems have been proven intractable but they are believed to be intractable. Since 1985, ECC has received intense scrutiny from cryptographers, mathematicians, and computer scientists around the world. On the one hand, the fact that no significant weaknesses have been found has led to high confidence in the security of ECC. ECC has become more attractive rather than RSA and DSA.
For Elliptic-curve-based protocols, it is assumed that finding the discrete logarithm of an elliptic curve element is infeasible. The size of the elliptic curve determines the difficulty of the problem. Over the past few years elliptic curve cryptography has been gaining popularity and being standardized around the world by agencies such as ANSI, IEEE and ISO. The U.S. National Security Agency has endorsed ECC technology by including it in its Suite B set of recommended algorithms and allows their use for protecting information classified up to top secret with 384-bit keys.
Elliptic Curve
An elliptic curve is the set of solutions of an equation of the form y^2 = x^3 + ax + b, where the coefficients a and b are elements of the field and 4a^3 + 27b^2 ≠ 0. Each value of 'a' and 'b' gives a different elliptic curve. An equation of this kind can be studied over various mathematical structures, such as a ring or a field. One interesting property of the set of solutions of an elliptic curve is that it forms a group, which enables us to do cryptography. The public key is a point on the curve and the private key is a random number. The public key is obtained by multiplying the private key with the generator point G on the curve.
Graphical Representation
Then points on the elliptic curve are (1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and the point at infinity: g
Using the finite fields we can form an Elliptic Curve Group where we also have a DLP problem which is harder to solve
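The relationship described above (public key = private key × generator point G) and the group formed by the curve points over a finite field, as an added Python example that is not part of the original slides. The curve y^2 = x^3 + 2x + 2 over F_17, the generator G = (5, 1) and the private keys 3 and 10 are assumed toy values, far too small for real use.

```python
# Assumed toy parameters (not from the slides): y^2 = x^3 + 2x + 2 over F_17.
P_MOD, A, B = 17, 2, 2
G = (5, 1)
INF = None                                   # the point at infinity


def is_nonsingular(a, b, p):
    """Curve condition from the text: 4a^3 + 27b^2 must not be 0 (in the field)."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0


def on_curve(point):
    if point is INF:
        return True
    x, y = point
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0


def curve_points():
    """All affine points (x, y) satisfying the curve equation."""
    return [(x, y) for x in range(P_MOD) for y in range(P_MOD) if on_curve((x, y))]


def inverse(value):
    return pow(value % P_MOD, P_MOD - 2, P_MOD)   # Fermat inverse, P_MOD is prime


def add(p1, p2):
    """Group law: chord rule for distinct points, tangent rule for doubling."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                            # P + (-P) = point at infinity
    if p1 == p2:
        slope = (3 * x1 * x1 + A) * inverse(2 * y1)
    else:
        slope = (y2 - y1) * inverse(x2 - x1)
    slope %= P_MOD
    x3 = (slope * slope - x1 - x2) % P_MOD
    y3 = (slope * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def multiply(k, point):
    """Scalar multiplication k * point by double-and-add."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result


def public_key(private_key):
    return multiply(private_key, G)


def shared_secret(own_private_key, peer_public_key):
    """Diffie-Hellman style agreement on the curve."""
    return multiply(own_private_key, peer_public_key)


if __name__ == "__main__":
    print("non-singular:", is_nonsingular(A, B, P_MOD))
    print("group order :", len(curve_points()) + 1)      # affine points + infinity
    alice_pub, bob_pub = public_key(3), public_key(10)
    print("public keys :", alice_pub, bob_pub)
    print("shared      :", shared_secret(3, bob_pub), shared_secret(10, alice_pub))
```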
General form of an EC
An elliptic curve is a plane curve defined by an equation of the form
y^2 = x^3 + ax + b
Public-Key Cryptosystems
Public-Key Cryptography
Security of ECC
To protect a 128 bit AES key it would take a:
RSA Key Size: 3072 bits
ECC Key Size: 256 bits
Impractical?
ADVANTAGES OF ECC
The biggest advantage of elliptic curve cryptography is the drastic reduction in overhead associated with it. Take this side by side comparison of required key sizes to achieve different levels of security for RSA modulus n and an elliptic curve system with a security parameter n.
Applications of ECC
Many devices are small and have limited storage and computational power
Where can we apply ECC?
Wireless communication devices
Smart cards
Web servers that need to handle many encryption sessions
Any application where security is needed but lacks the power, storage and computational power that is necessary for our current cryptosystems
Benefits of ECC
Same benefits of the other cryptosystems: confidentiality, integrity, authentication and non-repudiation, but
Shorter key lengths
Encryption, Decryption and Signature Verification speed up
Storage and bandwidth savings
THANK YOU