4.
Mathematical Background for
Cryptography
• Modulo Arithmetic
d=n*q + r, 0 ≤r<n.
we say this as “d is equal to r modulo n”
r ≡ d (mod n)
5 ≡ 26 (mod 7)
06-Nov-2013
ECC and Zero Knowledge Proof
4
5.
Group
• Basic algebraic structure
• A pair <G,*>, where G is a set and * is a binary
operation such that the following hold
Closure
Associativity
Identity Element
Inverse
< Zn, +n >
06-Nov-2013
ECC and Zero Knowledge Proof
5
6.
Ring
A triplet < R, +, *>, where + and * are binary operations and R
is a set satisfying the following properties:
<R, +> is a commutative group
For all x, y, and z in R
x*y is also in R
x*(y*z)=(x*y)*z
x*(y+z)= (x*y)+(x*z )
< Zn, +n, *n>
06-Nov-2013
ECC and Zero Knowledge Proof
6
7.
Fields
• <R, +, * > is a commutative ring with :
R has a multiplicative identity
Each element, x, in R (except for 0) has an
inverse element in R , denoted by x-1
<Zn, +n, *n > where n is prime.
06-Nov-2013
ECC and Zero Knowledge Proof
7
8.
Cryptography - Basics
• Private Key Cryptography
• Public Key Cryptography
06-Nov-2013
ECC and Zero Knowledge Proof
8
9.
Public-Key Cryptosystems
Authentication: Only A can
generate the encrypted message
06-Nov-2013
ECC and Zero Knowledge Proof
Secrecy: Only B can Decrypt
the message
9
10.
Public-Key Cryptography
06-Nov-2013
ECC and Zero Knowledge Proof
10
11.
Public-Key Cryptography
06-Nov-2013
ECC and Zero Knowledge Proof
11
12.
RSA
•
•
•
•
•
Choose two large primes p and q
n=p*q
φ(n)= (p-1)*(q-1)
Choose e, such that gcd(e, φ(n)) = 1
Compute d, such that d = e-1mod φ(n)
C = Me mod n
M= Cd mod n
06-Nov-2013
ECC and Zero Knowledge Proof
12
13.
Discrete Logarithmic Problem
y = gx mod p
Challenge :
Given y, g and p (g and p very large) it is not
VERY EASY(impossible) to calcuate x.
06-Nov-2013
ECC and Zero Knowledge Proof
13
14.
Diffie-Hellman Key Exchange
ga mod p
gb mod p
K = (gb mod p)a = gab mod p
06-Nov-2013
K = (ga mod p)b = gab mod p
ECC and Zero Knowledge Proof
14
15.
El Gamal Encryption
•
•
•
•
K=gamodp. (p,g,K) public and (a) private
Choose r such that gcd(r,p-1)=1
C1= gr mod p
C2= (m*Kr) mod p... m is the message
Sends(C1, C2)
• To Decrypt C1-a*C2 mod p =m
06-Nov-2013
ECC and Zero Knowledge Proof
15
17.
Elliptic Curve Cryptography
• Elliptic Curve (EC) systems as applied to
cryptography were first proposed in 1985
independently by Neal Koblitz and Victor
Miller.
• The discrete logarithm problem on elliptic
curve groups is believed to be more difficult
than the corresponding problem in (the
multiplicative group of nonzero elements of)
the underlying finite field.
06-Nov-2013
ECC and Zero Knowledge Proof
17
18.
What Is Elliptic Curve Cryptography
(ECC)?
• Elliptic curve cryptography [ECC] is a public-key
cryptosystem just like RSA, Rabin, and El Gamal.
• Every user has a public and a private key.
– Public key is used for encryption/signature verification.
– Private key is used for decryption/signature generation.
• Elliptic curves are used as an extension to other
current cryptosystems.
06-Nov-2013
ECC and Zero Knowledge Proof
18
19.
Using Elliptic Curves In Cryptography
• The central part of any cryptosystem involving elliptic
curves is the elliptic group.
• All public-key cryptosystems have some underlying
mathematical operation.
– RSA has exponentiation (raising the message or ciphertext
to the public or private values)
– ECC has point multiplication (repeated addition of two
points).
06-Nov-2013
ECC and Zero Knowledge Proof
19
20.
General form of a EC
• An elliptic curve is a plane curve defined by an
equation of the form
y x ax b
2
3
Examples
06-Nov-2013
ECC and Zero Knowledge Proof
20
21.
EC as a group
An Elliptic Curve is a curve given by an equation
y2 = f(x)
Where f(x) is a square-free (no double roots) cubic or a quartic polynomial
y2 = x3 + ax + b
4a3 + 27b2 ≠ 0
EC(-3,2)
So y2 = x3 is not an elliptic curve, but y2 = x3-1 is
06-Nov-2013
ECC and Zero Knowledge Proof
21
22.
Elliptical Curve as a Group - Properties
• P + Q = Q + P (commutativity)
• (P + Q) + R = P + (Q + R) (associativity)
• P + O = O + P = P (existence of an identity element)
• there exists ( − P) such that − P + P = P + ( − P)
= O (existence of inverses)
06-Nov-2013
ECC and Zero Knowledge Proof
22
23.
Elliptic Curve Picture
y
• Consider elliptic curve
E: y 2 = x 3 - x + 1
P2
P1
x
R
06-Nov-2013
• If P 1 and P 2 are on E , we can
define
R = P1 + P2
as shown in picture
• Addition is all we need
ECC and Zero Knowledge Proof
23
24.
Case 1 : R’ ≠P1, R’≠ P2, R’≠ 0
•
•
•
•
•
•
•
P1+P2 = -R’ = R
R = (x3,y3)
Let y=mx+c
m= (y2-y1)/(x2-x1)
y2 = (mx+c)2 = m2x2+2mxc+c2
x3+ax+b = m2x2+2mxc+c2
x3 - m2x2 + (a-2mc)x + (b- c2 ) = 0
06-Nov-2013
ECC and Zero Knowledge Proof
24
26.
Case 2 : P1= -P2 or R’ = 0
P1
P2
06-Nov-2013
ECC and Zero Knowledge Proof
26
27.
Case 3: R’=P1 or R’=P2
Tangent Line to EC at P2
R
P1
P2
06-Nov-2013
ECC and Zero Knowledge Proof
27
28.
Case 4 : Doubling of Point P
Tangent Line to EC at P
R
P
2*P
06-Nov-2013
ECC and Zero Knowledge Proof
28
29.
P1=P2
•
•
•
•
•
2y * dy/dx =3x2 + a
Slope of the tangent m = dy/dx = (3x2 + a)/2y
At (x1,y1) = (3x12 + a)/2y1
x3 = m2 –2x1
y3= -y1 +m(x1-x3)
06-Nov-2013
ECC and Zero Knowledge Proof
29
30.
Work Out !
• EC(-1,1).
A(1,-1) B( 1/4, 7/8). A+B = ?
• m = (-1-7/8)/(1-1/4) = -5/2
• x3 = (-5/2)2 -1 -1/4 =5
• y3 = -(-1)+(-5)/2*(1-5) = 11
(5,11)
06-Nov-2013
ECC and Zero Knowledge Proof
30
31.
Elliptic Curve over Prime Fields
• Points on the curve y2 =x3 +2x +4
0
(0,2) (0,11)
(2,4) (2,9)
(5,3) (5,10)
(7,6) (7,7)
(8,5) (8,8)
(9,6) (9,7)
(10,6) (10,7)
(12,1) (12,11)
06-Nov-2013
ECC and Zero Knowledge Proof
31
32.
Hasse’s Theorem
p +1 -2√p ≤ #EC(Fp) ≤ p+1+2√p
Establishes the tight bounds on the number of
points on the EC
06-Nov-2013
ECC and Zero Knowledge Proof
32
33.
Work Out!
• EC(2,4) over F13
• A = (2,4) B = (8,5) . Compute A+B
m = (5-4)/(8-2) mod 13 =11
x3 = (112 -2 -8) mod 13 = 7
y3 = (-4 +11*(2-7)) mod 13 = 6
A+B =(7,6)
• Compute 2A = (8,5)
06-Nov-2013
ECC and Zero Knowledge Proof
33
34.
ECs Over Binary Fields
• y2+xy =x3 +ax2 +b, b!=0
• A=(x,y) : -A = (x,x+y)
• For adding two points
m= (y2+y1)/(x2+x1)
x3 = m2+m +x1 +x2 + a
y3 = m(x1+x3) +x3 +y1
• Point doubling
m = x1 +(y1/x1)
x3 = m2+m+a
y3 = x12 +(m+1)*x3
06-Nov-2013
ECC and Zero Knowledge Proof
34
35.
Discrete Logarithm Problem on
Elliptic Curves
• The problem of computing k given the EC
parameters, G and kG, is called the discrete
log problem for points on an elliptic curve.
• This problem is known to be infeasible in EC
groups beyond 2120 elements
06-Nov-2013
ECC and Zero Knowledge Proof
35
36.
Computing kG
• kG = G + G + ...+ G k times
• To compute 168G , compute the series obtained
by doubling the point,
2G, 4G, 8G, 16G, 32G,...
• Now 168 = 10101000 in binary
168G = 128G+32G+8G
O(log k)
06-Nov-2013
ECC and Zero Knowledge Proof
36
37.
Diffie-Hellman Modified
• Select <p,a,b,G,n,h>
• Alice chooses x and send xG
• Bob chooses y and send yG
• Alice on receipt compute x(yG) =xyG
• Bob on receipt compute y(xG) = xyG
06-Nov-2013
ECC and Zero Knowledge Proof
37
38.
El Gamal Modified
•
•
•
•
•
•
k= aG
Choose r; Compute rG
Compute m + rk
Send <rG, m + rk>
To decrypt a(rG) = rk
m + rk – rk = m
06-Nov-2013
ECC and Zero Knowledge Proof
38
39.
Comparison of key sizes for same
level of security
ECC
RSA
• 110
• 512
• 163
• 1024
• 256
• 3072
• 384
• 7680
• 512
• 15360
06-Nov-2013
ECC and Zero Knowledge Proof
39
40.
RSA vs ECC Timings
• To encrypt ECC takes nearly 10 times of that
of RSA upto a key size of 384(ECC) and
7680(RSA).
• For Decryption RSA takes more time for a key
size higher than 1024 when compared to ECC
(163)
06-Nov-2013
ECC and Zero Knowledge Proof
40
41.
Applications of ECC
• Many devices are small and have limited storage and
computational power
• Where can we apply ECC?
–
–
–
–
Wireless communication devices
Smart cards
Web servers that need to handle many encryption sessions
Any application where security is needed but lacks the
power, storage and computational power that is
necessary for our current cryptosystems
06-Nov-2013
ECC and Zero Knowledge Proof
41
42.
A Conference on ECC
• ECC 2013:
https://www.cosic.esat.kuleuven.be/ecc2013
06-Nov-2013
ECC and Zero Knowledge Proof
42
44.
Zero Knowledge Proofs (ZKP)
• Goldwasser, Micali, and Rackoff, 1985.
• ZKP instance of Interactive Proof System
• Interactive Proof Systems
– Challenge-Response Authentication
– Prover and Verifier
– Verifier Accepts or Rejects the Prover
06-Nov-2013
ECC and Zero Knowledge Proof
44
45.
ZKP
• Zero knowledge Transfer between the Prover and
the Verifier
• The verifier accepts or rejects the proof after
multiple challenges and responses
• Probabilistic Proof Protocol
• Overcomes Problems with Password Based
Authentication
06-Nov-2013
ECC and Zero Knowledge Proof
45
46.
Zero Knowledge Proofs
•
•
•
•
•
•
Introduction
Properties of ZKP
Advantages of ZKP
Examples
Fiat-Shamir Identification Protocol
Real-Time Applications
06-Nov-2013
ECC and Zero Knowledge Proof
46
47.
Zero Knowledge Proofs
(ZKP)
• Goldwasser, Micali, and Rackoff, 1985.
• ZKP instance of Interactive Proof System
• Interactive Proof Systems
– Challenge-Response Authentication
– Prover and Verifier
– Verifier Accepts or Rejects the Prover
06-Nov-2013
ECC and Zero Knowledge Proof
47
48.
Properties of ZKP
• Completeness
– Succeeds with high probability for a true assertion
given an honest verifier and an honest prover.
• Soundness
– Fails for any other false assertion, given a
dishonest prover and an honest verifier
• Zero Knowledge
06-Nov-2013
ECC and Zero Knowledge Proof
48
49.
Advantages of ZKP
•
•
•
•
As name Suggests – Zero Knowledge Transfer
Computational Efficiency – No Encryption
No Degradation of the protocol
Based on problems like discrete logarithms and
integer factorization
06-Nov-2013
ECC and Zero Knowledge Proof
49
50.
Classic Example
• Ali Baba’s Cave
Alice has to convince Bob She knows the secret to
open the cave door without telling the secret
(source: http://www.rsasecurity.com/rsalabs/faq/2-1-8.html)
06-Nov-2013
ECC and Zero Knowledge Proof
50
51.
Fiat-Shamir Identification Protocol
• 3 Message Protocol
• Alice A, the Prover and Bob B, the Verifier
A random modulus n, product of two large prime numbers p
and q generated by a trusted party and made public
• Prover chooses secret s relatively prime to n
• prover computes v = s2 mod n, where v is the public key
A B
A B
A B
06-Nov-2013
: x = r2 mod n
: e { 0,1}
: y = r * se mod n. Is y2 = x * ve ?
ECC and Zero Knowledge Proof
51
52.
Fiat-Shamir Identification Protocol (contd)
• Alice chooses a random number r (1 r n-1)
• Sends to Bob x = r2 mod n – commitment
• Bob randomly sends either a 0 or a 1 ( e { 0,1}) as
his challenge
• Depending on the challenge from Bob, Alice
computes the response as y = r if e = 0 or otherwise y
= r*s mod n
• Bob accepts the response upon checking y2 x * ve
mod n
06-Nov-2013
ECC and Zero Knowledge Proof
52
53.
Fiat-Shamir Identification Protocol (contd)
• After many iterations, with a very high probability Bob can verify
Alice’s identity
• Alice’s response does not reveal the secret s (with y = r or y = r* s mod
n)
• An intruder can prove Alice’s identity without knowing the secret, if
he knows Bob’s challenge in advance:
– Generate random r
– If expected challenge is 1, send x = r2/v mod n as commitment,
and y = r as response
– If expected challenge is 0, send x = r mod n as commitment
• Probability that any Intruder impersonating the prover can send the
right response is only ½
• Probability reduced as iterations are increased
• Important - Alice should not repeat r
06-Nov-2013
ECC and Zero Knowledge Proof
53
54.
Applications
• Watermark Verification
– Show the presence of watermark without
revealing information about it
– prevents from removing the watermark and
reselling multiple duplicate copies
• Others – e-voting, e-cash etc.
06-Nov-2013
ECC and Zero Knowledge Proof
54
55.
References
• Network Security and Cryptography, Bernard Menezes
• I. Blake, G. Seroussi, and N. Smart, Elliptic Curves in Cryptography, London
Mathematical Society 265, Cambridge University Press, 1999
• Overview of Zero-Knowledge Protocols, Jeffrey Knapp
• http://en.wikipedia.org/wiki/Elliptic_curve_cryptography as on November
4, 2013
• Koblitz, N. (1987). "Elliptic curve cryptosystems". Mathematics of
Computation 48 (177): 203–209. JSTOR 2007884
• Menezes, A.; Okamoto, T.; Vanstone, S. A. (1993). "Reducing elliptic curve
logarithms to logarithms in a finite field". IEEE Transactions on Information
Theory 39
• K. Malhotra, S. Gardner, and R. Patz, Implementation of Elliptic-Curve
Cryptography on Mobile Healthcare Devices, Networking, Sensing and
Control, 2007 IEEE International Conference on, London, 15–17 April 2007
Page(s):239–244
06-Nov-2013
ECC and Zero Knowledge Proof
55
56.
References
• D. Hankerson, A. Menezes, and S.A. Vanstone, Guide to Elliptic Curve
Cryptography, Springer-Verlag, 2004
• http://en.wikipedia.org/wiki/Zero-knowledge_proof as on November 4,
2013
• Stinson, Douglas Robert (2006), Cryptography: Theory and Practice (3rd
ed.), London: CRC Press, ISBN 978-1-58488-508-5
• Agrawal, Manindra; Kayal, Neeraj; Saxena, Nitin (2004). "PRIMES is in P".
Annals of Mathematics 160 (2): 781–793.
• Theory of Computing Course, Cornell University 2009, Zero knowledge
proofs
• A Survey of Zero-Knowledge Proofs with Applications to Cryptography,
Austin Mohr Southern Illinois University at Carbondale
06-Nov-2013
ECC and Zero Knowledge Proof
56
Be the first to comment