Efficient generation of cryptographically strong elliptic curves Shahar Papini Michael Krel...
-
date post
19-Dec-2015 -
Category
Documents
-
view
220 -
download
0
Transcript of Efficient generation of cryptographically strong elliptic curves Shahar Papini Michael Krel...
1
Project in Computer Security
Efficient generation of cryptographically strong elliptic
curves
Shahar PapiniMichael Krel Instructor : Barukh
Ziv
2
Preface
The project objective is to provide an efficient algorithm for creation of cryptographically strong elliptic curve for various cryptographical purposes. (Basically anything that uses a group structure and relies on the difficulty of discrete logarithm)
3
Introduction
Public-key cryptography is based on the intractability of certain mathematical problems. Early schemes such as Diffie-Hellman rely on the difficulty of the Discrete Logarithm Problem for a finite field F[p].
Although no known polynomial time algorithms are known for this problem, a few sub-exponential algorithms exist. That’s where Elliptic curves come into the picture.
4
Introduction
Elliptic curve introduce a group structure, where no known sub-exponential algorithms are known for the Discrete Logarithm Problem. Moreover, the basic action on this group is much more complex then in the F[p] case.
For comparison between encryption using F[p] (e.g. RSA), and using EC, to achieve the same level of security we will need 256-bit key size for EC, where RSA will need 3072-bit public keys.
5
Elliptic Curves
An elliptic curve is the locus of points over the field (usually F[p]) which hold the equation :
These points form a group under the following group action (for distinct x values):
BAxxy 32
13112
1221
2
12
122211 )(,),(),( yxx
xx
yyxx
xx
yyyxyx
7
Strong Elliptic Curves
The strength of an elliptic curve is determined by its order.
Elliptic curve will be called strong if its order is n∙p where p is a large prime and n is a small number (usually less than 10).
Finding the order of an elliptic curve is difficult problem.
The goal of our project is to be able to generate such elliptic curves in an efficient manner.
8
Approaches
There are two main approaches to the problem of generating strong elliptic curves:
Point counting: The idea behind this approach is to randomly generate curves of the desired field, and count its order using Point Counting algorithms(usually slow).
Complex multiplication: Here, we try to anticipate from advanced the desired order of the curve, and using this, generate a curve accordingly. Unlike the former method, we will not be able to generate every possible curve, only curves from some constrained subset.
9
Chosen approach
We chose the Complex Multiplication approach. We had a few reasons:
Point counting algorithms are slower than the CM algorithms and since we want the fastest way to create elliptic curve we must choose the faster method.
We saw that we have more room for exploring the CM algorithm.
10
Project Goals
Generation of strong elliptic curves of 200-300 bit in a few seconds.
Encryption and decryption of data around 3 kilobytes in less than 5 seconds.
11
ImplementationPoint Representation
There are three ways to represent points on the elliptic curve.
1. The standard method is to save the coordinates as they are (X,Y) that they hold the elliptic curve equation:
2. The Jacobian projective coordinates that save three numbers for each point (X,Y,Z) where the standard coordinates are (X/Z²,Y/Z³).
3. The compressed method which saves only sign and X value. From the equation we can calculate Y². There are two corresponding Y values, that differ by sign alone. So, we keep the sign as well.
BAxxy 32
12
ImplementationPoint Representation
We used the jacobian method for all the computations for points on the curve. In this method the calculations are more efficient than in the other methods.
In the encryption the cipher text (represented by group points) we used compressed coordinates in order to reduce the file size.
13
ImplementationComplex Multiplication
General idea: with a given prime P and a negative Discriminant D we seek a solution for the diophantic equation :
If a solution exists, then we can construct two elliptic curves of orders
If one of the orders is cryptographically strong we construct an elliptic curve with such order using a root modulo p of the Hilbert class polynomial corresponding to D.
224 Dvup
up 1
14
ImplementationClass polynomials
Calculating Hilbert class polynomials takes a great amount of time since the coefficients are very big numbers (magnitude of P).
To avoid that problem we constructed Weber class polynomials, found a root modulo P and converted it to a root modulo P of the corresponding Hilbert class polynomial.
Using the Weber polynomials we avoid the coefficients problem since the Weber coefficients are much smaller.
15
ImplementationEncryption & Decryption
We use the El-Gamal algorithm. To generate a key, first find a point P on
an elliptic curve. Then generate a random integer s. (P, s) is the private key. (P, sP) is the public key. To send a message M, one finds a random integer k, and transmits (M+k(sP), kP). To decrypt, we calculate (M+k(sP))–s(kP).
16
Key generation
Pick a random prime p
Pick a proper descriminant Dless than 2000
Solve 4p=u 2-Dv 2
Check if either p-1+u or p-1-uis a strong order
Calculate Weber polynomialof order D, modulo p
Find a root and transform intoa Hilbert polynomial root
Find corresponding curveparameters
Find a point on the curvewith a large order
Out of proper D values
No solution
No
18
Results
1 2 3 4 5 6 7 8 9 10 110
1
2
3
4
5
6
7
8
9
2.7
1.6
2.9
3.73.73.3
3.5
7.87.5
0.81.1
0.8
1.4
0.80.90.9
2.1
2.6
0.30.30.20.40.3
0.50.40.60.6
200b300b400b
Max Divisor
Seconds
EC generation time
19
Results
0 500 1000 1500 2000 2500 3000 3500 4000 45000
1
2
3
4
5
6
7
Encryption time
200b300b400b
Message size in bytes
Seconds
20
Results
0 500 1000 1500 2000 2500 3000 3500 4000 45000
0.5
1
1.5
2
2.5
3
3.5
Decryption time
200b300b400b
Message size in bytes
Seconds
21
Platform
The project is designed to work on Windows and we written in C++.
We used two external libraries for cpp: NTL which handles big integers and integers
modulo P. We used this library since we needed to handle with 200-300 bit numbers.
ARPREC which handles big floats with arbitrary precision. This library handles with complex numbers which we use to construct Weber class polynomials.
22
Bibliography
Guide To Elliptic Curve Cryptography – Hankerson Prime numbers a computational perspective -
Crandall Elliptic Curves Number Theory and Cryptography -
Lawrence C. Washington On the Use of Weber Polynomials in Elliptic Curve
Cryptography – Konstantinou, Stamatiou , Zaroliagis Elliptic curves and primality proving – Atkin, Morain A Course in Computational Algebraic Number
Theory - Henri Cohen On the Efficient Generation of Elliptic Curves over
Prime Fields - Konstantinou, Stamatiou , Zaroliagis IEEE P1363 / D13