Cryptograpic Protocols Based on Elliptic Curves

Rana Barua

Indian Statistical Institute Kolkata

July 15, 2011

ElGamal Public Key Cryptosystem, 1984

• Key Generation:

1 Choose a cyclicG =<g >of prime orderp

2 choosexA∈R Zp and computeyA=g^xA

3 Public key is (g,yA) and secret key isxA.

• Encryption: Given messagem∈G,

1 chooser ∈R Z_p and computeh=g^r

2 send ciphertext (h,y_A^r.m)

• Decryption: On receiving ciphertext (h,z), compute m= (h^xA)⁻¹.z

Motivation for ECC

• Note that the security of ElGamal depends on the Discrete Log Problem in G. So, in general,p should be ”large”. e.g. if G is (a subgroup of) Z_q^∗, then one takes p is 512 0r 1024 bits.

• Question: Can one take a relatively smaller group, and yet the discrete log problem is equally hard.

• In 1985, Koblitz (and independently, Miller) proposed the use of elliptic curve groups over a field of much smaller size.

• In fact, one can show that for 128-bit security one needs an elliptic curve over a field of order 2²⁵⁶, whereas RSA would need about 3072-bit keys.(Similarly for DSA basded on ElGamal)

Elliptic Curve over a Finite Field

• An elliptic curve E over a finite fieldK =F_q (Z_p,p>3) is given by an equation

y² =x³+ax +b, a,b ∈K, where 4a³+ 27b² 6= 0

• The set of K-rational points on E is

E(K) ={(x,y)∈K×K :y² = x³+ax +b} ∪ {O}.

Elliptic Curve over a Finite Field

The setE(L) is an abelian group under the “chord-and-tangent law”. ConsiderE/K :y² =x³+ax +b. Addition formulae are as follows:

1 P +∞=∞+P =P, for all P ∈E(L).

2 −∞=∞.

3 IfP = (x,y)∈E(L), then −P = (x,−y).

4 IfQ =−P, thenP +Q =∞.

5 IfP = (x₁,y₁)∈E(L),Q = (x₂,y₂)∈E(L),P 6=−Q, then P +Q = (x₃,y₃), where x₃ =λ²−x₁−x₂,

y3=λ(x1−x3)−y1, and λ = ^y_x^2−y1

2−x₁ if P 6=Q; λ = ^3x_2y^12+a

1 if P =Q.

Elliptic Curve over a Finite Field

SupposePandQare both points on the elliptic curve thenP + Qis always another point on the elliptic curve which is defined as follows. Draw a line throughPandQ(if P = Q take the Tangent line). The line intersects the curve in a third Point. Reflect that point through the x-axis to findR = P + Q

Elliptic Curve over a Finite Field

• (Hasse’s Theorem) #E(Fq) =q+ 1−t,|t| ≤2√ q. Consequently, #E(Fq)≈q.

• (Schoof’s Algorithm) #E(Fq) can be computed in polynomial time.

• – LetE be an elliptic curve defined overFq. Then E(Fq)∼=Z_n1⊕Z_n2, wheren₂|n₁ and n₂|(q−1).

• – E(Fq) is cyclic if and only ifn2= 1.

• – P ∈E is ann-torsion point ifnP =∞ andE[n] is the set of all n-torsion points.

• – If gcd(n,q) = 1, then E[n]∼=Zn⊕Zn

Some Hardness Assumptions

LetG =<P >be a group of prime orderq (e.g. a subgroup of a suitable elliptic curve)

• Discrete Log Problem (DLP) in G : Instance : (P,aP) for somea∈Z_q^∗. Output : a.

• Computational Diffie-Hellman (CDH) problem inG : Instance : (P,aP,bP) for some a,b ∈Z_q^∗.

Output : abP.

The success probability of any probabilistic, polynomial-time algorithmmathcalAin solving CDH problem inG is defined to be :

Succ^CDH_A,G = Prob[A(P,aP,bP) =abP :a,b∈_RZ_q^∗].

CDH assumption : For every probabilistic, polynomial-time algorithmA, Succ^CDH_A,G is negligible.

Some Hardness Assumptions

Decisional Diffie-Hellman (DDH) problem inG : Instance: (P,aP,bP,cP) for some a,b,c ∈Z_q^∗. Output: yes ifc =abmodq and output no otherwise.

The advantage of any probabilistic, polynomial-time, 0/1-valued algorithmAin solving DDH problem inG₁ is defined to be :

Adv^DDH_A,G =|Prob[A(P,aP,bP,cP) = 1]−Prob[A(P,aP,bP,abP) = 1] :a,b,c∈_RZ_q^∗|.

DDH assumption : For every probabilistic, polynomial-time, 0/1-valued algorithmA, Adv^DDH_A,G is negligible.

ECDSA

Setup

• Select an elliptic curve E defined overZ_p. The number of points in E(Z_p) should be divisible by a large primen.

• Select a point P ∈E(Z_p) of order n.

• Select an integerd in the interval [1,n−1].

• ComputeQ =dP .

• A’s public key is (E;P;n;Q); A’s private key isd.

ECDSA(cont)

ECDSA signature generation. To sign a message m, A does the following:

• Select a random integer k in the interval [1,n−1].

• ComputekP = (x1;y1) andr =x1modn.

• Computek⁻¹modn.

Computes =k⁻¹[h(m) +dr] modn, whereh is the Secure Hash Algorithm (SHA-1).

• The signature for the message m is the pair of integers (r;s).

ECDSA(cont)

ECDSA signature verification. To verify A’s signature (r;s) on m, B should:

• Computew =s⁻¹modn andh(m).

• Computeu1 =h(m)w modn andu2=rw modn.

• Computeu1P+u2Q = (x0;y0) andv =x0 modn.

• Accept the signature if and only if v =r.

the parametern should have about 160 bits. If this is the case, then ECDSA signatures have size 320 bits (same as DSA).

Another Motivation for ECC

The concept of identity-based cryptosystem is due to Shamir (Crypto 84). Such a scheme has the property that a user’s public key is an easily calculated function of his identity, while a user’s private key can be calculated for him by a trusted authority, called private key generator (PKG).

Earlier, Weil pairing and Tate pairing of algebraic curves were used in cryptography for attacks on ECDLP by reducing the discrete logarithm problem on some elliptic curves to the discrete logarithm problem in a finite field. In recent years, bilinear pairings have found positive application in cryptography to construct new ID-based cryptographic primitives.

Joux [?], in 2000, showed that the Weil pairing can be used in a protocol to construct a three-party one-round Diffie-Hellman key agreement. This was one of the breakthroughs in key agreement protocols.

Bilinear Map

LetG₁,G₂ be two groups of the some large prime orderq.

LetG1 =<P >. (aP denotes P added to itself a times).

Assume that discrete logarithm problem (DLP) is hard in bothG₁ andG₂.

A mappinge :G₁²−→G2 satisfying the following properties is called a cryptographic bilinear map.

(Bilinearity) : e(aP,bQ) =e(P,Q)^ab for all P,Q ∈G₁ anda,b∈Z_q^∗.

(Non-degeneracy): e(P,P)6= 1. i.e. if P is a generator of G1, then e(P,P) is a generator of G2. (Computability) : There exists an efficient algorithm to computee(P,Q) for all P,Q ∈G₁. Modified Weil Pairing [?] and Tate Pairing are examples of

cryptographic bilinear maps.

Identity Based Encryption (IBE)

• Setup : Choose s∈_RZ_q^∗ and setP_pub =sP. Choose cryptographic hash functionsH₁:{0,1}^∗−→G₁^∗ and H2:G2 −→ {0,1}ⁿ,n is the bit length of messages. The master key is s and the global public key is P_pub.

• Extract : Given a public identity ID∈ {0,1}^∗, compute the public keyQ_ID=H₁(ID)∈G₁ and the private keyS_ID=sQ_ID.

Identity Based Encryption (IBE)(cont.)

• Encrypt : Choose a randomr ∈Z_q^∗, set the ciphertext for the message M to beC =hrP,M ⊕H₂(g_ID^r )i where

g_ID=e(Q_ID,P_pub).

• Decrypt : GivenC =hU,Vi, computeV ⊕H₂(e(S_ID,U)).

• Assumption :

BDH problem is hard.

Identity Based Encryption (IBE)(cont.)

Security :

This is the basic scheme. Security against adaptive chosen cipher text attack in the random oracle model under the BDH assumption is obtained after the Fujisaki-Okamoto [?] transformation.