• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Elliptic curve cryptography and zero knowledge proof
 

Elliptic curve cryptography and zero knowledge proof

on

  • 66 views

Faculty Development Programme - College of Engineering Cherthala

Faculty Development Programme - College of Engineering Cherthala

Statistics

Views

Total Views
66
Views on SlideShare
66
Embed Views
0

Actions

Likes
0
Downloads
8
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Elliptic curve cryptography and zero knowledge proof Elliptic curve cryptography and zero knowledge proof Presentation Transcript

    • Elliptic Curve Cryptography and Zero Knowledge Proof Nimish Joseph
    • AGENDA • • • • • • Mathematical Foundations Public Key Cryptography Elliptic Curve Elliptic Curve Cryptography Elliptic Curve over Prime Fields Zero Knowledge Proof 06-Nov-2013 ECC and Zero Knowledge Proof 2
    • Let’s Build the Foundation!
    • Mathematical Background for Cryptography • Modulo Arithmetic d=n*q + r, 0 ≤r<n. we say this as “d is equal to r modulo n” r ≡ d (mod n) 5 ≡ 26 (mod 7) 06-Nov-2013 ECC and Zero Knowledge Proof 4
    • Group • Basic algebraic structure • A pair <G,*>, where G is a set and * is a binary operation such that the following hold Closure Associativity Identity Element Inverse < Zn, +n > 06-Nov-2013 ECC and Zero Knowledge Proof 5
    • Ring A triplet < R, +, *>, where + and * are binary operations and R is a set satisfying the following properties: <R, +> is a commutative group For all x, y, and z in R x*y is also in R x*(y*z)=(x*y)*z x*(y+z)= (x*y)+(x*z ) < Zn, +n, *n> 06-Nov-2013 ECC and Zero Knowledge Proof 6
    • Fields • <R, +, * > is a commutative ring with : R has a multiplicative identity Each element, x, in R (except for 0) has an inverse element in R , denoted by x-1 <Zn, +n, *n > where n is prime. 06-Nov-2013 ECC and Zero Knowledge Proof 7
    • Cryptography - Basics • Private Key Cryptography • Public Key Cryptography 06-Nov-2013 ECC and Zero Knowledge Proof 8
    • Public-Key Cryptosystems Authentication: Only A can generate the encrypted message 06-Nov-2013 ECC and Zero Knowledge Proof Secrecy: Only B can Decrypt the message 9
    • Public-Key Cryptography 06-Nov-2013 ECC and Zero Knowledge Proof 10
    • Public-Key Cryptography 06-Nov-2013 ECC and Zero Knowledge Proof 11
    • RSA • • • • • Choose two large primes p and q n=p*q φ(n)= (p-1)*(q-1) Choose e, such that gcd(e, φ(n)) = 1 Compute d, such that d = e-1mod φ(n) C = Me mod n M= Cd mod n 06-Nov-2013 ECC and Zero Knowledge Proof 12
    • Discrete Logarithmic Problem y = gx mod p Challenge : Given y, g and p (g and p very large) it is not VERY EASY(impossible) to calcuate x. 06-Nov-2013 ECC and Zero Knowledge Proof 13
    • Diffie-Hellman Key Exchange ga mod p gb mod p K = (gb mod p)a = gab mod p 06-Nov-2013 K = (ga mod p)b = gab mod p ECC and Zero Knowledge Proof 14
    • El Gamal Encryption • • • • K=gamodp. (p,g,K) public and (a) private Choose r such that gcd(r,p-1)=1 C1= gr mod p C2= (m*Kr) mod p... m is the message Sends(C1, C2) • To Decrypt C1-a*C2 mod p =m 06-Nov-2013 ECC and Zero Knowledge Proof 15
    • Elliptic Curve Cryptography
    • Elliptic Curve Cryptography • Elliptic Curve (EC) systems as applied to cryptography were first proposed in 1985 independently by Neal Koblitz and Victor Miller. • The discrete logarithm problem on elliptic curve groups is believed to be more difficult than the corresponding problem in (the multiplicative group of nonzero elements of) the underlying finite field. 06-Nov-2013 ECC and Zero Knowledge Proof 17
    • What Is Elliptic Curve Cryptography (ECC)? • Elliptic curve cryptography [ECC] is a public-key cryptosystem just like RSA, Rabin, and El Gamal. • Every user has a public and a private key. – Public key is used for encryption/signature verification. – Private key is used for decryption/signature generation. • Elliptic curves are used as an extension to other current cryptosystems. 06-Nov-2013 ECC and Zero Knowledge Proof 18
    • Using Elliptic Curves In Cryptography • The central part of any cryptosystem involving elliptic curves is the elliptic group. • All public-key cryptosystems have some underlying mathematical operation. – RSA has exponentiation (raising the message or ciphertext to the public or private values) – ECC has point multiplication (repeated addition of two points). 06-Nov-2013 ECC and Zero Knowledge Proof 19
    • General form of a EC • An elliptic curve is a plane curve defined by an equation of the form y  x  ax  b 2 3 Examples 06-Nov-2013 ECC and Zero Knowledge Proof 20
    • EC as a group An Elliptic Curve is a curve given by an equation y2 = f(x) Where f(x) is a square-free (no double roots) cubic or a quartic polynomial y2 = x3 + ax + b 4a3 + 27b2 ≠ 0 EC(-3,2) So y2 = x3 is not an elliptic curve, but y2 = x3-1 is 06-Nov-2013 ECC and Zero Knowledge Proof 21
    • Elliptical Curve as a Group - Properties • P + Q = Q + P (commutativity) • (P + Q) + R = P + (Q + R) (associativity) • P + O = O + P = P (existence of an identity element) • there exists ( − P) such that − P + P = P + ( − P) = O (existence of inverses) 06-Nov-2013 ECC and Zero Knowledge Proof 22
    • Elliptic Curve Picture y • Consider elliptic curve E: y 2 = x 3 - x + 1 P2 P1 x R 06-Nov-2013 • If P 1 and P 2 are on E , we can define R = P1 + P2 as shown in picture • Addition is all we need ECC and Zero Knowledge Proof 23
    • Case 1 : R’ ≠P1, R’≠ P2, R’≠ 0 • • • • • • • P1+P2 = -R’ = R R = (x3,y3) Let y=mx+c m= (y2-y1)/(x2-x1) y2 = (mx+c)2 = m2x2+2mxc+c2 x3+ax+b = m2x2+2mxc+c2 x3 - m2x2 + (a-2mc)x + (b- c2 ) = 0 06-Nov-2013 ECC and Zero Knowledge Proof 24
    • • (x-x1)(x-x2)(x-x3)=0 • x3-x2 (x1+x2+x3) + x (x1x2+x2x3+x3x1) – x1x2x3 = 0 • x3 = m2 –x1 –x2 • m= ((-y3)-y1)/(x3-x1) • y3= -y1 +m(x1-x3) 06-Nov-2013 ECC and Zero Knowledge Proof 25
    • Case 2 : P1= -P2 or R’ = 0 P1 P2 06-Nov-2013 ECC and Zero Knowledge Proof 26
    • Case 3: R’=P1 or R’=P2 Tangent Line to EC at P2 R P1 P2 06-Nov-2013 ECC and Zero Knowledge Proof 27
    • Case 4 : Doubling of Point P Tangent Line to EC at P R P 2*P 06-Nov-2013 ECC and Zero Knowledge Proof 28
    • P1=P2 • • • • • 2y * dy/dx =3x2 + a Slope of the tangent m = dy/dx = (3x2 + a)/2y At (x1,y1) = (3x12 + a)/2y1 x3 = m2 –2x1 y3= -y1 +m(x1-x3) 06-Nov-2013 ECC and Zero Knowledge Proof 29
    • Work Out ! • EC(-1,1). A(1,-1) B( 1/4, 7/8). A+B = ? • m = (-1-7/8)/(1-1/4) = -5/2 • x3 = (-5/2)2 -1 -1/4 =5 • y3 = -(-1)+(-5)/2*(1-5) = 11 (5,11) 06-Nov-2013 ECC and Zero Knowledge Proof 30
    • Elliptic Curve over Prime Fields • Points on the curve y2 =x3 +2x +4 0 (0,2) (0,11) (2,4) (2,9) (5,3) (5,10) (7,6) (7,7) (8,5) (8,8) (9,6) (9,7) (10,6) (10,7) (12,1) (12,11) 06-Nov-2013 ECC and Zero Knowledge Proof 31
    • Hasse’s Theorem p +1 -2√p ≤ #EC(Fp) ≤ p+1+2√p Establishes the tight bounds on the number of points on the EC 06-Nov-2013 ECC and Zero Knowledge Proof 32
    • Work Out! • EC(2,4) over F13 • A = (2,4) B = (8,5) . Compute A+B m = (5-4)/(8-2) mod 13 =11 x3 = (112 -2 -8) mod 13 = 7 y3 = (-4 +11*(2-7)) mod 13 = 6 A+B =(7,6) • Compute 2A = (8,5) 06-Nov-2013 ECC and Zero Knowledge Proof 33
    • ECs Over Binary Fields • y2+xy =x3 +ax2 +b, b!=0 • A=(x,y) : -A = (x,x+y) • For adding two points m= (y2+y1)/(x2+x1) x3 = m2+m +x1 +x2 + a y3 = m(x1+x3) +x3 +y1 • Point doubling m = x1 +(y1/x1) x3 = m2+m+a y3 = x12 +(m+1)*x3 06-Nov-2013 ECC and Zero Knowledge Proof 34
    • Discrete Logarithm Problem on Elliptic Curves • The problem of computing k given the EC parameters, G and kG, is called the discrete log problem for points on an elliptic curve. • This problem is known to be infeasible in EC groups beyond 2120 elements 06-Nov-2013 ECC and Zero Knowledge Proof 35
    • Computing kG • kG = G + G + ...+ G k times • To compute 168G , compute the series obtained by doubling the point, 2G, 4G, 8G, 16G, 32G,... • Now 168 = 10101000 in binary 168G = 128G+32G+8G O(log k) 06-Nov-2013 ECC and Zero Knowledge Proof 36
    • Diffie-Hellman Modified • Select <p,a,b,G,n,h> • Alice chooses x and send xG • Bob chooses y and send yG • Alice on receipt compute x(yG) =xyG • Bob on receipt compute y(xG) = xyG 06-Nov-2013 ECC and Zero Knowledge Proof 37
    • El Gamal Modified • • • • • • k= aG Choose r; Compute rG Compute m + rk Send <rG, m + rk> To decrypt a(rG) = rk m + rk – rk = m 06-Nov-2013 ECC and Zero Knowledge Proof 38
    • Comparison of key sizes for same level of security ECC RSA • 110 • 512 • 163 • 1024 • 256 • 3072 • 384 • 7680 • 512 • 15360 06-Nov-2013 ECC and Zero Knowledge Proof 39
    • RSA vs ECC Timings • To encrypt ECC takes nearly 10 times of that of RSA upto a key size of 384(ECC) and 7680(RSA). • For Decryption RSA takes more time for a key size higher than 1024 when compared to ECC (163) 06-Nov-2013 ECC and Zero Knowledge Proof 40
    • Applications of ECC • Many devices are small and have limited storage and computational power • Where can we apply ECC? – – – – Wireless communication devices Smart cards Web servers that need to handle many encryption sessions Any application where security is needed but lacks the power, storage and computational power that is necessary for our current cryptosystems 06-Nov-2013 ECC and Zero Knowledge Proof 41
    • A Conference on ECC • ECC 2013: https://www.cosic.esat.kuleuven.be/ecc2013 06-Nov-2013 ECC and Zero Knowledge Proof 42
    • Zero Knowledge Proof
    • Zero Knowledge Proofs (ZKP) • Goldwasser, Micali, and Rackoff, 1985. • ZKP instance of Interactive Proof System • Interactive Proof Systems – Challenge-Response Authentication – Prover and Verifier – Verifier Accepts or Rejects the Prover 06-Nov-2013 ECC and Zero Knowledge Proof 44
    • ZKP • Zero knowledge Transfer between the Prover and the Verifier • The verifier accepts or rejects the proof after multiple challenges and responses • Probabilistic Proof Protocol • Overcomes Problems with Password Based Authentication 06-Nov-2013 ECC and Zero Knowledge Proof 45
    • Zero Knowledge Proofs • • • • • • Introduction Properties of ZKP Advantages of ZKP Examples Fiat-Shamir Identification Protocol Real-Time Applications 06-Nov-2013 ECC and Zero Knowledge Proof 46
    • Zero Knowledge Proofs (ZKP) • Goldwasser, Micali, and Rackoff, 1985. • ZKP instance of Interactive Proof System • Interactive Proof Systems – Challenge-Response Authentication – Prover and Verifier – Verifier Accepts or Rejects the Prover 06-Nov-2013 ECC and Zero Knowledge Proof 47
    • Properties of ZKP • Completeness – Succeeds with high probability for a true assertion given an honest verifier and an honest prover. • Soundness – Fails for any other false assertion, given a dishonest prover and an honest verifier • Zero Knowledge 06-Nov-2013 ECC and Zero Knowledge Proof 48
    • Advantages of ZKP • • • • As name Suggests – Zero Knowledge Transfer Computational Efficiency – No Encryption No Degradation of the protocol Based on problems like discrete logarithms and integer factorization 06-Nov-2013 ECC and Zero Knowledge Proof 49
    • Classic Example • Ali Baba’s Cave Alice has to convince Bob She knows the secret to open the cave door without telling the secret (source: http://www.rsasecurity.com/rsalabs/faq/2-1-8.html) 06-Nov-2013 ECC and Zero Knowledge Proof 50
    • Fiat-Shamir Identification Protocol • 3 Message Protocol • Alice A, the Prover and Bob B, the Verifier A random modulus n, product of two large prime numbers p and q generated by a trusted party and made public • Prover chooses secret s relatively prime to n • prover computes v = s2 mod n, where v is the public key A  B A  B A  B 06-Nov-2013 : x = r2 mod n : e  { 0,1} : y = r * se mod n. Is y2 = x * ve ? ECC and Zero Knowledge Proof 51
    • Fiat-Shamir Identification Protocol (contd) • Alice chooses a random number r (1  r  n-1) • Sends to Bob x = r2 mod n – commitment • Bob randomly sends either a 0 or a 1 ( e  { 0,1}) as his challenge • Depending on the challenge from Bob, Alice computes the response as y = r if e = 0 or otherwise y = r*s mod n • Bob accepts the response upon checking y2  x * ve mod n 06-Nov-2013 ECC and Zero Knowledge Proof 52
    • Fiat-Shamir Identification Protocol (contd) • After many iterations, with a very high probability Bob can verify Alice’s identity • Alice’s response does not reveal the secret s (with y = r or y = r* s mod n) • An intruder can prove Alice’s identity without knowing the secret, if he knows Bob’s challenge in advance: – Generate random r – If expected challenge is 1, send x = r2/v mod n as commitment, and y = r as response – If expected challenge is 0, send x = r mod n as commitment • Probability that any Intruder impersonating the prover can send the right response is only ½ • Probability reduced as iterations are increased • Important - Alice should not repeat r 06-Nov-2013 ECC and Zero Knowledge Proof 53
    • Applications • Watermark Verification – Show the presence of watermark without revealing information about it – prevents from removing the watermark and reselling multiple duplicate copies • Others – e-voting, e-cash etc. 06-Nov-2013 ECC and Zero Knowledge Proof 54
    • References • Network Security and Cryptography, Bernard Menezes • I. Blake, G. Seroussi, and N. Smart, Elliptic Curves in Cryptography, London Mathematical Society 265, Cambridge University Press, 1999 • Overview of Zero-Knowledge Protocols, Jeffrey Knapp • http://en.wikipedia.org/wiki/Elliptic_curve_cryptography as on November 4, 2013 • Koblitz, N. (1987). "Elliptic curve cryptosystems". Mathematics of Computation 48 (177): 203–209. JSTOR 2007884 • Menezes, A.; Okamoto, T.; Vanstone, S. A. (1993). "Reducing elliptic curve logarithms to logarithms in a finite field". IEEE Transactions on Information Theory 39 • K. Malhotra, S. Gardner, and R. Patz, Implementation of Elliptic-Curve Cryptography on Mobile Healthcare Devices, Networking, Sensing and Control, 2007 IEEE International Conference on, London, 15–17 April 2007 Page(s):239–244 06-Nov-2013 ECC and Zero Knowledge Proof 55
    • References • D. Hankerson, A. Menezes, and S.A. Vanstone, Guide to Elliptic Curve Cryptography, Springer-Verlag, 2004 • http://en.wikipedia.org/wiki/Zero-knowledge_proof as on November 4, 2013 • Stinson, Douglas Robert (2006), Cryptography: Theory and Practice (3rd ed.), London: CRC Press, ISBN 978-1-58488-508-5 • Agrawal, Manindra; Kayal, Neeraj; Saxena, Nitin (2004). "PRIMES is in P". Annals of Mathematics 160 (2): 781–793. • Theory of Computing Course, Cornell University 2009, Zero knowledge proofs • A Survey of Zero-Knowledge Proofs with Applications to Cryptography, Austin Mohr Southern Illinois University at Carbondale 06-Nov-2013 ECC and Zero Knowledge Proof 56
    • THANK YOU!! ~Nimish Joseph
    • Q&A