In 1976, Whitfield Diffie and Martin Hellman introduced the concept of public-key cryptography (PKC). Since then many implementations of it have been proposed, and many of these cryptographic applications base their security on the intractability of hard mathematical problems, namely the integer factorization problem (IFP) and the finite-field discrete logarithm problem (DLP). Over the years, sub-exponential-time algorithms were developed to solve these problems. As a result, key sizes grew to more than 1000 bits in order to attain a reasonable level of security. In constrained environments where computing power, storage and bandwidth are limited, carrying out thousand-bit operations becomes an impractical approach to providing adequate security. This is most evident in hand-held devices such as mobile phones, pagers and PDAs, which have very limited processing power and battery life.

Elliptic Curve Cryptography (ECC) is a form of public-key cryptography. In public-key cryptography each user or device taking part in the communication has a pair of keys, a public key and a private key, together with a set of operations associated with those keys for carrying out the cryptographic operations. Only the owner knows the private key, whereas the public key is distributed to all parties taking part in the communication. Some public-key algorithms require a set of predefined constants to be known by all the devices taking part in the communication; the domain parameters of ECC are an example of such constants. Public-key cryptography, unlike private-key cryptography, does not require any shared secret between the communicating parties, but it is much slower than private-key cryptography.

Proposed independently by Neal Koblitz and Victor Miller in 1985, ECC has the special characteristic that, to date, the best known algorithm for solving its underlying problem on a general curve runs in fully exponential time. Its security comes from the elliptic curve discrete logarithm problem (ECDLP), which is the DLP in the group formed by the points of an elliptic curve over a finite field. This results in a dramatic decrease in the key size needed to achieve the same level of security offered by conventional PKC schemes.

This paper examines two aspects of ECC, namely its security and its efficiency, so as to show why ECC is well suited to constrained environments. We begin by introducing the three mathematical problems and the various algorithms that solve them. An overview of implementation methods and considerations follows, together with comparisons of the performance of ECC with other PKC applications. Lastly, there is a survey of current ECC applications in various mobile devices.
2.2.1 The Need for Public Key Cryptography

Private-key (symmetric) cryptography is widely used for the encryption of data because of its speed. The most commonly used symmetric cipher at the time of writing is the Data Encryption Standard (DES). Its encryption speed is a very attractive quality in terms of efficiency; however, it has certain shortcomings that make it unsuitable on its own for the m-commerce environment.

1. Key management problem: A wireless user should be able to conduct business transactions not just with one party but with many different ones. Communication on a public network is therefore not one-to-one but among a large number of users. For a network of n users, n(n-1)/2 private keys need to be generated. When n is large, the number of keys becomes unmanageable.

2. Key distribution problem: With such a large number of keys to be generated on a network, the job of generating the keys and finding a secure channel to distribute them becomes a burden.

3. No digital signatures: A digital signature is an electronic analogue of a handwritten signature. If Alice sends an encrypted message to Bob, Bob should be able to verify that the received message is indeed from Alice. This can be done with Alice's signature; however, private-key cryptography alone does not provide such a feature (a MAC shows that one of the two key holders produced the message, but since both hold the same key it cannot prove to a third party which one did).

In contrast, public-key cryptography uses two keys. Each user on a network publishes a public encryption key that anyone can use to send them messages, while keeping the private key secret for decryption. On a network of n users only n public and n private keys are needed, which reduces the number of keys from O(n^2) to O(n). Furthermore, it allows the use of digital signatures, which provide non-repudiation. However, public-key cryptography does have its drawbacks. Compared to private-key cryptography it is orders of magnitude slower, and its keys are larger: RSA needs at least 1024-bit keys, while a DES key is only 64 bits (56 of them effective). In practice, public- and private-key cryptography work best together. Public-key cryptography is ideal for key distribution and management, ensuring data integrity, and providing authentication and non-repudiation, while private-key cryptography is ideal for ensuring confidentiality, such as encrypting data and communication channels. Confidentiality, integrity, authentication and non-repudiation are the four main objectives of any cryptographic application.
2.2.2 Choice of Public Key Cryptosystem

When it comes to choosing which public key cryptosystem to employ in a mobile environment, one has to keep in mind the restrictions on bandwidth, memory and battery life. In constrained environments such as mobile phones, wireless pagers or PDAs these resources are highly limited. Thus a suitable public key scheme is one that is efficient in terms of computing cost and key size.

To date, ECC offers the highest strength per key bit of the public key cryptosystems in common use. Small key sizes translate into savings in bandwidth, memory and processing power, which makes ECC the natural choice in this situation. However, there are other aspects that need to be taken into account. In the following section we examine the different mathematical problems that underlie the majority of the public key cryptosystems in use today, and discuss some of the most efficient algorithms that solve them. This will give a better understanding of the security on which the different types of public key cryptosystems are based.
CHAPTER 3

3.1 IMPLEMENTATION OF ECC
3.1.1 Prime field algorithms

We have implemented a wrapper class for elements of $\mathbb{F}_p$ (zp_int), complete with arithmetic and comparison operators, as well as standard (affine) and Jacobian coordinate classes. We have also implemented a class for polynomials over $\mathbb{F}_p$ (ModularPolynomial), again complete with arithmetic (including GCD). We have implemented the algorithm of Tonelli and Shanks for computing square roots in $\mathbb{F}_p$, and used it to implement an algorithm for finding roots of general polynomials over $\mathbb{F}_p$, which is needed in the complex multiplication method in order to find roots of the Hilbert class polynomial. These algorithms require the computation of the Legendre symbol, so we have implemented the standard efficient algorithm based on the quadratic reciprocity theorem. We have also implemented Cornacchia's algorithm for finding x, y such that $x^2 + |D| y^2 = 4p$ for given D and p. Primality testing was done via the GMP library (which implements Miller-Rabin).

3.1.2 Binary field algorithms

We have implemented binary finite field arithmetic in the class GFE.h in two variants. The first one is written from scratch, with algorithms for addition and multiplication, the extended Euclidean algorithm for binary finite fields (used to compute the multiplicative inverse), and an algorithm for solving quadratic equations over $\mathbb{F}_{2^d}$ (see section 3.5). The last algorithm is of particular use in solving the curve equation $y^2 + xy = x^3 + ax^2 + b$ for the y-coordinate. The second variant is a wrapper around the same functions provided by the NTL library. For the evaluations, however, we used the implementation written from scratch. The implementation was done in such a way that GFE objects can be used like primitive types, with the corresponding operators.

The algorithms used for AGM point counting are defined in adicops.h. This contains the AGM algorithm itself, as defined in the Handbook of Elliptic and Hyperelliptic Curve Cryptography by Cohen and Frey. The p-adic algorithms required for AGM are square-root computation, inverse-square-root computation and inverse-element computation. In addition, p-adic polynomial arithmetic (addition, subtraction, multiplication and division, all modulo an irreducible polynomial) was implemented in two variants: the first one from scratch in the wrapper class defined in Poly.h, the second using modular polynomials from NTL, defined in the wrapper class in ModPoly.h.
The concrete implementations of the functions are in ECPrime.h for prime curves and ECBinary.h for binary curves. In this way the program can deal with objects of the abstract type Ellipticcurve without having to know the underlying implementation. The predefined NIST curves are all implemented as their own subclasses of ECBinary or ECPrime, which simplifies the initialization of those curves: an Ellipticcurve object is simply initialized with the concrete curve implementation, for example NISTp192, representing the NIST prime curve over a 192-bit field. Elliptic curve arithmetic, namely point addition and scalar multiplication, was implemented according to the Guide to Elliptic Curve Cryptography by Hankerson, Menezes and Vanstone.

3.2.1 Finding a random point on the curve

Another implementation-specific algorithm is finding a random point on the curve. This is required while generating a random curve suitable for the cryptosystem. The algorithms for both prime and binary curves choose a random x-coordinate until a corresponding y-coordinate exists. For prime curves $y^2 = x^3 + ax + b$ this requires computing a modular square root (which exists for roughly half of all x), and in the binary case, for curves $y^2 + xy = x^3 + ax^2 + b$, a binary quadratic equation must be solved.
3.2.2 Compressed format

Because we are able to recover the y-coordinate for a given x, storing the full y is redundant. Since there are two solutions for y for a given x, the only question is which one was intended. For the purpose of storing and recovering points from text files we use a compressed format consisting of the x-coordinate preceded by either "+" or "-", indicating which of the two possible y-coordinates is to be chosen. (The octet-string point compression of SEC 1 and IEEE P1363 works the same way, using a prefix byte 02 or 03 that carries the parity of y in place of a sign.)

For the corresponding algorithms, se. In addition, routines for encoding strings to a point on an elliptic curve (including random padding) and for decoding strings from points are implemented. Furthermore, a curve validation function is implemented which multiplies the base point by the curve order; on a correctly defined curve the result must be the point at infinity. Note that this check only confirms that the order of the base point divides the claimed n; it does not by itself establish that n is prime or that the curve is free of the weaknesses listed in section 5.1.1.
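The prime-field pieces described in 3.1.1, 3.2.1 and 3.2.2, as an added Python example (this is not the thesis's C++ code): the Tonelli-Shanks square root, the random-x search for a curve point, and the "+"/"-" compressed text format. The curve parameters are NIST P-256 as published in FIPS 186-4; the choice that "+" denotes the even root, and every function name, are assumptions of this example, since the page does not fix them.

```python
"""Added example: square roots in F_p, random curve points and a +/- compressed
point format. Curve parameters are NIST P-256 (FIPS 186-4); the sign convention
and the function names are this example's own assumptions."""
import secrets

# NIST P-256 domain parameters: y^2 = x^3 + ax + b over F_p with a = -3
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def legendre(a, p):
    """Euler's criterion: 1 if a is a non-zero square mod p, p-1 if not, 0 if a == 0."""
    return pow(a % p, (p - 1) // 2, p)


def sqrt_mod(n, p):
    """Tonelli-Shanks: return r with r*r == n (mod p), or None if n is a non-residue.
    p must be an odd prime. The p = 3 (mod 4) shortcut avoids the general loop."""
    n %= p
    if n == 0:
        return 0
    if legendre(n, p) != 1:
        return None
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0                          # write p - 1 = q * 2^s with q odd
    while q % 2 == 0:
        q //= 2
        s += 1
    z = 2                                    # find any quadratic non-residue z
    while legendre(z, p) != p - 1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t                         # least i with t^(2^i) == 1
        while t2 != 1:
            t2 = t2 * t2 % p
            i += 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def on_curve(x, y, p=P256_P, a=P256_A, b=P256_B):
    return (y * y - (x * x * x + a * x + b)) % p == 0


def random_point(p=P256_P, a=P256_A, b=P256_B, rand=secrets.randbelow):
    """3.2.1: pick random x until x^3 + ax + b is a square (about half of all x are).
    `rand` is injectable so the search can be made deterministic in tests."""
    while True:
        x = rand(p)
        y = sqrt_mod(x * x * x + a * x + b, p)
        if y is not None:
            # both y and p - y are valid; pick one at random as well
            return (x, y if rand(2) == 0 else (p - y) % p)


def compress(pt):
    """3.2.2 text format: sign prefix + hex x. Assumption: '+' means the even root."""
    x, y = pt
    return ("+" if y % 2 == 0 else "-") + format(x, "x")


def decompress(s, p=P256_P, a=P256_A, b=P256_B):
    """Inverse of compress(); raises ValueError for malformed input or an x with no point."""
    if len(s) < 2 or s[0] not in "+-":
        raise ValueError("malformed compressed point")
    x = int(s[1:], 16)
    if not 0 <= x < p:
        raise ValueError("x out of range")
    y = sqrt_mod(x * x * x + a * x + b, p)
    if y is None:
        raise ValueError("x is not the abscissa of any point on the curve")
    if (y % 2 == 0) != (s[0] == "+"):
        y = (p - y) % p
    return (x, y)
```

Rejecting an x that has no square root is the step that matters on decompression: a decoder that silently returns some value there hands the caller a coordinate that is not on the curve, which is exactly the kind of input later curve arithmetic is not written to handle.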
3.5 Metrics

The implementation is written in C++ and consists of approximately 7500 lines of code. The code is distributed over 29 files containing 34 classes. In total, 53 test cases have been written (using CppUnit) and can be executed at any time.
4.1.1 Finite Fields

Abstractly, a finite field consists of a finite set of objects called field elements together with two operations, addition and multiplication, that can be performed on pairs of field elements. These operations must possess certain properties. It turns out that there is a finite field containing q field elements if and only if q is a power of a prime number, and furthermore that for each such q there is (up to isomorphism) precisely one finite field. The finite field containing q elements is denoted by $\mathbb{F}_q$. Here only two types of finite fields $\mathbb{F}_q$ are used: finite fields $\mathbb{F}_p$ with q = p, p an odd prime, which are called prime finite fields, and finite fields $\mathbb{F}_{2^m}$ with $q = 2^m$ for some $m \geq 1$, which are called characteristic-2 finite fields. It is necessary to describe these fields concretely in order to precisely specify cryptographic schemes based on ECC.

4.1.2 The Finite Field F_p

The finite field $\mathbb{F}_p$ is the prime finite field containing p elements. Although there is only one prime finite field $\mathbb{F}_p$ for each odd prime p, there are many different ways to represent its elements. Here the elements of $\mathbb{F}_p$ are represented by the set of integers $\{0, 1, \ldots, p-1\}$ with addition and multiplication defined as follows:

Addition: If $a, b \in \mathbb{F}_p$, then $a + b = r$ in $\mathbb{F}_p$, where $r \in [0, p-1]$ is the remainder when the integer $a + b$ is divided by p. This is known as addition modulo p and written $a + b \equiv r \pmod p$.

Multiplication: If $a, b \in \mathbb{F}_p$, then $a \cdot b = s$ in $\mathbb{F}_p$, where $s \in [0, p-1]$ is the remainder when the integer $ab$ is divided by p. This is known as multiplication modulo p and written $a \cdot b \equiv s \pmod p$.
4.2.2 Point Representation

In this section two types of point representation are discussed: affine and projective coordinates. We use the formulae for point addition over a prime field to illustrate the different costs of point arithmetic under the two representations. Refer to Appendix A for the formulae for point addition in fields of characteristic 2 and p > 3, using both affine and projective representations.

Affine coordinates (x, y) satisfy the affine equation E: $y^2 = x^3 + ax + b$, where $a, b \in GF(p)$. Referring to formula (A-1) in Appendix A, addition in affine coordinates requires 1 inversion, 2 multiplications and 1 squaring (ignoring the cost of field additions and subtractions) when $P_1 \neq P_2$, while point doubling ($P_1 = P_2$) requires 1 inversion, 2 multiplications and 2 squarings.

Conventional (homogeneous) projective coordinates (x, y, z) satisfy the homogeneous Weierstrass equation E: $y^2 z = x^3 + axz^2 + bz^3$, where $a, b \in \mathbb{F}_p$. When $z \neq 0$, the projective point (x, y, z) corresponds to the affine point (x/z, y/z). Projective coordinates are used when field inversions are significantly more expensive than field multiplications. With projective coordinates the inversion in every group operation is replaced by multiplications, so projective addition can be achieved using only field multiplications; a single inversion is needed at the end to convert the result back to affine form. There are other projective representations that are more efficient than the conventional one. In particular, the weighted projective (or Jacobian) representation yields a more efficient implementation of the group operations. Jacobian coordinates (x, y, z) correspond to the affine coordinates $(x/z^2, y/z^3)$, and they satisfy the weighted projective curve equation E: $y^2 = x^3 + axz^4 + bz^6$.

4.2.2.1 Point addition

Point addition is the addition of two points J and K on an elliptic curve to obtain another point L on the same elliptic curve.
Geometrical explanation

Consider two points J and K on an elliptic curve as shown in figure (a). If $K \neq -J$, then a line drawn through the points J and K will intersect the elliptic curve at exactly one more point, -L. The reflection of -L with respect to the x-axis gives the point L, which is the result of adding the points J and K. Thus on an elliptic curve L = J + K. If K = -J, the line through these points is vertical and meets the curve at the point at infinity O; hence J + (-J) = O. This is shown in figure (b). O is the additive identity of the elliptic curve group. The negative of a point is its reflection with respect to the x-axis.

Analytical explanation

Consider two distinct points J and K such that $J = (x_J, y_J)$ and $K = (x_K, y_K)$. Let L = J + K, where $L = (x_L, y_L)$. Then

$x_L = s^2 - x_J - x_K$
$y_L = -y_J + s(x_J - x_L)$
$s = (y_J - y_K)/(x_J - x_K)$,

where s is the slope of the line through J and K. If K = -J, i.e. $K = (x_J, -y_J)$, then J + K = O, where O is the point at infinity. If K = J, then J + K = 2J and the point doubling equations are used. Also J + K = K + J.
4.2.2.2 Point doubling

Point doubling is the addition of a point J on the elliptic curve to itself to obtain another point L on the same elliptic curve.

To double a point J to get L, i.e. to find L = 2J, consider a point J on an elliptic curve as shown in figure (a). If the y-coordinate of J is not zero, then the tangent line at J will intersect the elliptic curve at exactly one more point, -L. The reflection of -L with respect to the x-axis gives the point L, which is the result of doubling J. Thus L = 2J. If the y-coordinate of J is zero, the tangent at J is vertical and meets the curve at the point at infinity O; hence 2J = O when $y_J = 0$. This is shown in figure (b).

Analytical explanation

Consider a point $J = (x_J, y_J)$ with $y_J \neq 0$. Let L = 2J, where $L = (x_L, y_L)$. Then

$x_L = s^2 - 2x_J$
$y_L = -y_J + s(x_J - x_L)$
$s = (3x_J^2 + a)/(2y_J)$,

where s is the slope of the tangent at J and a is one of the parameters chosen with the elliptic curve. If $y_J = 0$, then 2J = O, where O is the point at infinity.
4.3 EC on Prime Field F_p

The equation of an elliptic curve over a prime field $\mathbb{F}_p$ is $y^2 \equiv x^3 + ax + b \pmod p$, where $4a^3 + 27b^2 \not\equiv 0 \pmod p$. Here the elements of the finite field are the integers between 0 and p - 1. All operations such as addition, subtraction, multiplication and division involve integers between 0 and p - 1; this is modular arithmetic, as defined in section 10.1. The prime p is chosen so that there is a sufficiently large number of points on the elliptic curve to make the cryptosystem secure. SEC specifies curves with p ranging between 112 and 521 bits. The graph of this elliptic curve equation is not a smooth curve, so the geometrical explanation of point addition and doubling over the real numbers does not apply here. However, the algebraic rules for point addition and point doubling carry over to elliptic curves over $\mathbb{F}_p$.

4.3.1 Point Addition

Consider two distinct points J and K such that $J = (x_J, y_J)$ and $K = (x_K, y_K)$. Let L = J + K, where $L = (x_L, y_L)$. Then

$x_L = s^2 - x_J - x_K \pmod p$
$y_L = -y_J + s(x_J - x_L) \pmod p$
$s = (y_J - y_K)/(x_J - x_K) \pmod p$,

where s is the slope of the line through J and K, and the division means multiplication by the modular inverse of $x_J - x_K$. If K = -J, i.e. $K = (x_J, -y_J \bmod p)$, then J + K = O, where O is the point at infinity. If K = J, then J + K = 2J and the point doubling equations are used. Also J + K = K + J.

4.3.2 Point Subtraction

Consider two distinct points J and K such that $J = (x_J, y_J)$ and $K = (x_K, y_K)$. Then J - K = J + (-K), where $-K = (x_K, -y_K \bmod p)$. Point subtraction is used in certain implementations of point multiplication, such as the NAF method [1].

4.3.3 Point Doubling

Consider a point $J = (x_J, y_J)$ with $y_J \neq 0$. Let L = 2J, where $L = (x_L, y_L)$. Then

$x_L = s^2 - 2x_J \pmod p$
$y_L = -y_J + s(x_J - x_L) \pmod p$
$s = (3x_J^2 + a)/(2y_J) \pmod p$,

where s is the slope of the tangent at J and a is one of the parameters chosen with the elliptic curve. If $y_J = 0$, then 2J = O, where O is the point at infinity.
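The affine formulas of 4.3.1 and 4.3.3 side by side with the Jacobian-coordinate formulas motivated in 4.2.2, as an added Python example (not the thesis's ECPrime.h). It counts field inversions so the cost argument of 4.2.2 can be seen rather than stated, and it ends with the n*G = O order check that 3.2.2 describes. The curve is NIST P-256 from FIPS 186-4; the inversion counter and all function names are this example's own.

```python
"""Added example: affine (4.3.1/4.3.3) versus Jacobian (4.2.2) point arithmetic on
NIST P-256, a counter for the expensive field inversions, and the n*G = O check."""

P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
O = None                       # affine point at infinity
JAC_O = (1, 1, 0)              # Jacobian point at infinity (Z = 0)

INVERSIONS = [0]               # number of field inversions the current computation used


def inv(x):
    INVERSIONS[0] += 1
    return pow(x % P, P - 2, P)            # Fermat inverse; caller guarantees x != 0 mod p


def affine_add(J, K):
    """4.3.1 / 4.3.3 exactly: one inversion per point operation."""
    if J is O:
        return K
    if K is O:
        return J
    xj, yj = J
    xk, yk = K
    if xj == xk:
        if (yj + yk) % P == 0:             # K = -J; also covers doubling a point with y = 0
            return O
        s = (3 * xj * xj + A) * inv(2 * yj) % P      # tangent slope
    else:
        s = (yj - yk) * inv(xj - xk) % P             # chord slope
    xl = (s * s - xj - xk) % P
    yl = (s * (xj - xl) - yj) % P
    return (xl, yl)


def jac_double(J):
    """Jacobian doubling: (X, Y, Z) ~ affine (X/Z^2, Y/Z^3); no inversion."""
    X1, Y1, Z1 = J
    if Z1 == 0 or Y1 == 0:
        return JAC_O
    S = 4 * X1 * Y1 * Y1 % P
    M = (3 * X1 * X1 + A * pow(Z1, 4, P)) % P
    X3 = (M * M - 2 * S) % P
    Y3 = (M * (S - X3) - 8 * pow(Y1, 4, P)) % P
    return (X3, Y3, 2 * Y1 * Z1 % P)


def jac_add(J, K):
    X1, Y1, Z1 = J
    X2, Y2, Z2 = K
    if Z1 == 0:
        return K
    if Z2 == 0:
        return J
    U1, U2 = X1 * Z2 * Z2 % P, X2 * Z1 * Z1 % P
    S1, S2 = Y1 * pow(Z2, 3, P) % P, Y2 * pow(Z1, 3, P) % P
    if U1 == U2:                           # same x: either doubling or J + (-J)
        return jac_double(J) if S1 == S2 else JAC_O
    H, R = (U2 - U1) % P, (S2 - S1) % P
    H2, H3 = H * H % P, pow(H, 3, P)
    X3 = (R * R - H3 - 2 * U1 * H2) % P
    Y3 = (R * (U1 * H2 - X3) - S1 * H3) % P
    return (X3, Y3, H * Z1 * Z2 % P)


def to_affine(J):
    X, Y, Z = J
    if Z == 0:
        return O
    zi = inv(Z)                            # the single inversion of a whole scalar multiplication
    return (X * zi * zi % P, Y * pow(zi, 3, P) % P)


def affine_mul(k, J):
    R = O
    for bit in bin(k)[2:]:                 # left-to-right double-and-add
        R = affine_add(R, R)
        if bit == "1":
            R = affine_add(R, J)
    return R


def jac_mul(k, J):
    R, Jj = JAC_O, (J[0], J[1], 1)
    for bit in bin(k)[2:]:
        R = jac_double(R)
        if bit == "1":
            R = jac_add(R, Jj)
    return to_affine(R)


def count_inversions(fn, *args):
    """Run fn(*args); return (result, number of field inversions it performed)."""
    INVERSIONS[0] = 0
    result = fn(*args)
    return result, INVERSIONS[0]


def base_point_has_order(G, n):
    """Curve validation step of 3.2.2: n * G must be the point at infinity."""
    return jac_mul(n, G) is O
```

The double-and-add loop above is written for clarity, not constant time: its branch on each key bit is the classic timing/power side channel, and a production scalar multiplication would use a fixed-window or Montgomery-ladder schedule instead.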
4.4.3 Point Doubling

Consider a point $J = (x_J, y_J)$ on the binary curve $y^2 + xy = x^3 + ax^2 + b$ with $x_J \neq 0$. Let L = 2J, where $L = (x_L, y_L)$. Then

$x_L = s^2 + s + a$
$y_L = x_J^2 + (s + 1) x_L$
$s = x_J + y_J / x_J$,

where s is the slope of the tangent at J and a is one of the parameters chosen with the elliptic curve. If $x_J = 0$, then 2J = O, where O is the point at infinity.
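The binary-field side of 3.1.2 and 3.2.1 together with the doubling formula of 4.4.3, as an added Python example (not the thesis's GFE.h or ECBinary.h). It implements arithmetic in $\mathbb{F}_{2^{163}}$ with the NIST reduction polynomial $x^{163} + x^7 + x^6 + x^3 + 1$, solves the curve equation for y by the half-trace method, and doubles a point as in 4.4.3. The curve coefficients a = b = 1 are those of the NIST K-163 curve equation; the point-addition formula for $x_J \neq x_K$ is the standard one and is this example's addition, not something the page states, and the inverse is computed by exponentiation rather than the extended Euclidean algorithm the thesis uses.

```python
"""Added example: F_{2^163} arithmetic, solving y^2 + xy = x^3 + ax^2 + b for y
(half-trace), and binary-curve point doubling (4.4.3) with a = b = 1."""
import secrets

M = 163
R_POLY = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # irreducible f(x) of degree 163
A, B = 1, 1                                                # curve coefficients (K-163 equation)
O = None                                                   # point at infinity


def f_mul(u, v):
    """Shift-and-add multiplication of two field elements with reduction modulo f(x)."""
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> M & 1:                     # degree reached m: subtract (xor) f(x)
            u ^= R_POLY
    return r


def f_sqr(u):
    return f_mul(u, u)


def f_inv(u):
    """u^(2^m - 2) by square-and-multiply; u must be non-zero."""
    assert u != 0
    r, b, e = 1, u, (1 << M) - 2
    while e:
        if e & 1:
            r = f_mul(r, b)
        b = f_sqr(b)
        e >>= 1
    return r


def solve_quadratic(c):
    """Return z with z^2 + z = c via the half-trace (m odd), or None if Tr(c) != 0."""
    z = t = c
    for _ in range((M - 1) // 2):
        t = f_sqr(f_sqr(t))
        z ^= t
    return z if f_sqr(z) ^ z == c else None


def y_from_x(x):
    """3.2.1 for binary curves: with y = x*z the curve equation becomes
    z^2 + z = x + a + b/x^2, so solve that and scale back. x must be non-zero."""
    c = x ^ A ^ f_mul(B, f_sqr(f_inv(x)))
    z = solve_quadratic(c)
    return None if z is None else f_mul(x, z)


def on_curve(J):
    x, y = J
    return f_sqr(y) ^ f_mul(x, y) == f_mul(f_sqr(x), x) ^ f_mul(A, f_sqr(x)) ^ B


def random_point(randbits=secrets.randbits):
    while True:
        x = randbits(M)
        if x == 0:
            continue
        y = y_from_x(x)
        if y is not None:
            return (x, y)


def negate(J):
    x, y = J
    return (x, x ^ y)                      # -J = (x, x + y) on y^2 + xy = x^3 + ax^2 + b


def double(J):
    """4.4.3: s = x_J + y_J/x_J; x_L = s^2 + s + a; y_L = x_J^2 + (s + 1) x_L."""
    if J is O:
        return O
    xj, yj = J
    if xj == 0:
        return O
    s = xj ^ f_mul(yj, f_inv(xj))
    xl = f_sqr(s) ^ s ^ A
    yl = f_sqr(xj) ^ f_mul(s ^ 1, xl)
    return (xl, yl)


def add(J, K):
    """Chord formula (standard, not from the page): s = (y_J + y_K)/(x_J + x_K),
    x_L = s^2 + s + x_J + x_K + a, y_L = s (x_J + x_L) + x_L + y_J."""
    if J is O:
        return K
    if K is O:
        return J
    xj, yj = J
    xk, yk = K
    if xj == xk:
        return double(J) if yj == yk else O
    s = f_mul(yj ^ yk, f_inv(xj ^ xk))
    xl = f_sqr(s) ^ s ^ xj ^ xk ^ A
    yl = f_mul(s, xj ^ xl) ^ xl ^ yj
    return (xl, yl)
```

The check at the end of solve_quadratic is what makes the half-trace safe to use blindly: when Tr(c) = 1 the sum still evaluates to something, but it satisfies z^2 + z = c + 1, so verifying the equation is cheaper and less error-prone than computing the trace separately.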
4.5 Data Types and Conversions

The schemes specified in this document involve operations using several different data types. This section lists the different data types and describes how to convert one data type to another. Five data types are employed: three types associated with elliptic curve arithmetic (integers, field elements and elliptic curve points), as well as octet strings, which are used to communicate and store information, and bit strings, which are used by some of the primitives. Throughout this document the above data types are regarded as abstract data types consisting of distinct sets of elements, so that, for example, an octet string is regarded as distinct from a bit string. This formalism helps to clarify the requirements placed on implementations and helps avoid subtle coding errors. Frequently it is necessary to convert one of the data types into another.
E: $y^2 = x^3 + ax + b \pmod p$; a base point $G = (x_G, y_G)$ on $E(\mathbb{F}_p)$; a prime n which is the order of G; and an integer h which is the cofactor $h = \#E(\mathbb{F}_p)/n$, subject to the following constraints:

- $4a^3 + 27b^2 \not\equiv 0 \pmod p$ (the curve is non-singular).
- $\#E(\mathbb{F}_p) \neq p$ (the curve is not anomalous).
- $p^B \not\equiv 1 \pmod n$ for any $1 \leq B < 20$ (the embedding degree is large, so the ECDLP cannot be transferred into a finite-field DLP).
- $h \leq 4$.

3. Output T = (p, a, b, G, n, h).

This primitive allows any of the known curve selection methods to be used, for example the methods based on complex multiplication and the methods based on general point counting algorithms.

5.1.1.2 Validation of Elliptic Curve Domain Parameters over F_p

Frequently it is either necessary or desirable for an entity using elliptic curve domain parameters over $\mathbb{F}_p$ to receive an assurance that the parameters are valid, that is, that they satisfy the arithmetic requirements of elliptic curve domain parameters, either to prevent malicious insertion of insecure parameters or to detect inadvertent coding or transmission errors. There are four acceptable methods for an entity U to receive such an assurance. Only one of the methods needs to be used, although in many cases greater security may be obtained by carrying out more than one of them. The four acceptable methods are:

1. U performs validation of the elliptic curve domain parameters over $\mathbb{F}_p$ itself using the validation primitive.
2. U generates the elliptic curve domain parameters over $\mathbb{F}_p$ itself on a trusted system using the generation primitive.
3. U receives assurance in an authentic manner that a party trusted with respect to U's use of the elliptic curve domain parameters over $\mathbb{F}_p$ has performed validation of the parameters using the validation primitive.
4. U receives assurance in an authentic manner that a party trusted with respect to U's use of the elliptic curve domain parameters over $\mathbb{F}_p$ generated the parameters on a trusted system using the generation primitive.

Usually, when U accepts another party's assurance that elliptic curve domain parameters are valid, the other party is a CA.
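The arithmetic constraints of the generation primitive above, written as a checker in Python (an added example, not SEC 1 text and not the thesis's code), together with a Miller-Rabin test for the primality of p and n, which the thesis itself delegates to GMP. The inputs are the NIST P-256 parameters from FIPS 186-4 and some deliberately bad parameter sets constructed in the test. A Hasse-bound check on h*n is included beyond the page's list, and the n*G = O step of the validation primitive is not repeated here because it needs the curve arithmetic of section 4.3.

```python
"""Added example: checker for the domain-parameter constraints of 5.1.1 plus
Miller-Rabin. The Hasse-bound check is an addition not in the page's list."""
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=40, rng=random.SystemRandom()):
    """Miller-Rabin: a composite n survives with probability at most 4^-rounds."""
    if n < 2:
        return False
    for q in _SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                   # a is a witness of compositeness
    return True


def check_domain_params(p, a, b, n, h, mov_bound=20, max_cofactor=4):
    """Return the list of violated constraints (an empty list means all checks pass).
    #E(F_p) is taken to be h * n, as the cofactor definition implies."""
    problems = []
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if not (0 <= a < p and 0 <= b < p):
        problems.append("a or b is not a field element of F_p")
    if (4 * a ** 3 + 27 * b ** 2) % p == 0:
        problems.append("singular curve: 4a^3 + 27b^2 = 0 (mod p)")
    if not is_probable_prime(n):
        problems.append("n is not prime")
    if h > max_cofactor:
        problems.append("cofactor h exceeds %d" % max_cofactor)
    order = h * n
    if order == p:
        problems.append("anomalous curve: #E(F_p) = p (Smart / Semaev-Satoh-Araki attack)")
    if any(pow(p, B, n) == 1 for B in range(1, mov_bound)):
        problems.append("small embedding degree: p^B = 1 (mod n) for some B < %d (MOV / Frey-Rueck)"
                        % mov_bound)
    if (order - (p + 1)) ** 2 > 4 * p:     # extra check: |#E - (p+1)| <= 2 sqrt(p)
        problems.append("h * n violates the Hasse bound, so it cannot be #E(F_p)")
    return problems


# NIST P-256 (FIPS 186-4), used as the known-good input
P256 = dict(
    p=0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    a=0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
    h=1,
)
```

Method 3 and method 4 of the list above both reduce to trusting someone else's run of these checks; the checker is cheap enough (a handful of modular exponentiations) that method 1, running it locally on every parameter set received, is the sensible default whenever parameters are not hard-coded.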
5.1.2 Elliptic Curve Domain Parameters over F_{2^m}

Elliptic curve domain parameters over $\mathbb{F}_{2^m}$ are a septuple $T = (m, f(x), a, b, G, n, h)$ consisting of an integer m specifying the finite field $\mathbb{F}_{2^m}$; an irreducible binary polynomial f(x) of degree m specifying the representation of $\mathbb{F}_{2^m}$; two elements $a, b \in \mathbb{F}_{2^m}$ specifying the elliptic curve $E(\mathbb{F}_{2^m})$ defined by the equation $y^2 + xy = x^3 + ax^2 + b$ in $\mathbb{F}_{2^m}$; a base point $G = (x_G, y_G)$ on $E(\mathbb{F}_{2^m})$; a prime n which is the order of G; and an integer h which is the cofactor $h = \#E(\mathbb{F}_{2^m})/n$. Elliptic curve domain parameters over $\mathbb{F}_{2^m}$ precisely specify an elliptic curve and base point. This is necessary in order to precisely define public-key cryptographic schemes based on ECC.
5.3.1 Symmetric Encryption Schemes

The symmetric encryption schemes are used by the Elliptic Curve Integrated Encryption Scheme (ECIES). Symmetric encryption schemes are designed to be used by two entities, a sender U and a recipient V, when U wants to send a message M to V confidentially and V wants to recover M. Here symmetric encryption schemes are described in terms of an encryption operation, a decryption operation, and the associated setup and key deployment procedures. U and V should use the scheme as follows when they want to communicate. First, U and V use the setup and key deployment procedures to establish which options to use the scheme with, and to create a shared secret key K that controls the encryption and decryption operations. Then, each time U wants to send a message M to V, U applies the encryption operation to M under the shared secret key K to compute the ciphertext C of M, and conveys C to V. Finally, when V receives C, V applies the decryption operation to C under K to recover the message M.

3.8.1 Scheme Setup

U and V should perform the following setup procedure to use a symmetric encryption scheme: U and V establish which of the supported symmetric encryption schemes to use. Let ENC denote the encryption scheme chosen, and enckeylen the length in octets of the keys used by the scheme.

3.8.2 Key Deployment

U and V should perform the following key deployment procedure to use the symmetric encryption scheme: U and V establish a shared secret key K of length enckeylen octets. K should be chosen randomly or pseudorandomly.

3.8.3 Encryption Operation

U should encrypt messages to send to V using the keys and parameters established during the setup procedure and the key deployment procedure as follows:

Input: An octet string M which is the data to be encrypted.
Output: An octet string C which is the ciphertext corresponding to M, or "invalid".
Actions: Compute the ciphertext C as follows:
1. Convert M to a bit string M and K to a bit string K using the conversion routine.
2. Calculate the encryption C of M using the encryption operation of the selected symmetric encryption scheme under the shared secret key K. If the encryption operation outputs "invalid", output "invalid" and stop.
3. Convert C to an octet string C using the conversion routine.
4. Output the octet string C.

3.8.4 Decryption Operation

V should decrypt ciphertext from U using the keys and parameters established during the setup procedure and the key deployment procedure as follows:

Input: An octet string C which is the ciphertext.
Output: An octet string M which is the decryption of C, or "invalid".
Actions: Decrypt C as follows:
1. Convert C to a bit string C and K to a bit string K using the conversion routine.
2. Calculate the decryption M of C using the decryption operation of the selected symmetric encryption scheme under the shared secret key K. If the decryption operation outputs "invalid", output "invalid" and stop.
3. Convert M to an octet string M using the conversion routine.
4. Output the octet string M.
Figure 3: Encryption/Decryption results on a 3.3 KB file.

The initial goal of being able to generate random curves in only a few seconds is attained, looking at the results for key sizes up to about 500 bits. As an additional step in curve generation, an early-abort strategy to skip insecure curves [9] would be needed. As described in the reference, a single point counting run dominates the early-abort step, from which we can of the random curve generation approach with AGM.
Conclusion

After examining the security, implementation and performance of ECC applications on various mobile devices, we conclude that ECC is the most suitable PKC scheme for use in a constrained environment. Its efficiency and security make it an attractive alternative to conventional cryptosystems such as RSA and DSA, not just on constrained devices but also on powerful computers. It is, without a doubt, fast being recognized as a powerful cryptographic scheme.

We have implemented the GHS Weil descent attack and the Gaudry-Enge index-calculus method for the HCDLP. We were successful in solving specific discrete logarithm problems in elliptic curves over $\mathbb{F}_{2^{62}}$, $\mathbb{F}_{2^{93}}$ and $\mathbb{F}_{2^{124}}$. Our experiments, though far from being optimized, indicate that our specific logarithm problem in $\mathbb{F}_{2^{155}}$ is tractable. The ECDLP instance over $\mathbb{F}_{2^{155}}$ is the first concrete instance of the ECDLP which resists all previously known attacks but which can be solved using the Weil descent attack methodology of Frey. While the GHS attack is only known to apply to an insignificant proportion of all elliptic curves over $\mathbb{F}_{2^{155}}$, our results provide some evidence that elliptic curves over $\mathbb{F}_{2^{155}}$ should be used with caution and preferably avoided altogether. We emphasize that our computational results cannot be extended to solve cryptographically.
REFERENCES

[1] IEEE P1363/D8, Annex E. http://grouper.ieee.org/groups/1363/P1363/draft.html, 1998.
[2] IEEE P1363/D13, Annex A. http://grouper.ieee.org/groups/1363/P1363/draft.html, 1999.
[3] Schneier, B. Elliptic Curve Public Key Cryptography. Crypto-Gram Newsletter, November 15, 1999. http://www.counterpane.com/cryptogram-9911.html#EllipticCurvePublicKeyCryptography
[4] Remarks on the Security of the Elliptic Curve Cryptosystem. Certicom white paper, September 1997. http://www.certicom.com/research/wecc3.html
[5] Certicom Press Release. Certicom Announces Elliptic Curve Cryptosystem (ECC) Challenge Winner. November 6, 2002. http://www.certicom.com/about/pr/02/021106_ecc_winner.html
APPENDIX

List of figures

Fig. No.   Name of figure                                      Page No.
1          Elliptic curve                                      3
2          Comparison of security level                        8
3          Key pair generation with prime and binary curve     23
4          Encryption and decryption result                    27