### SlideShare for iOS

by Linkedin Corporation

FREE - On the App Store

- Total Views
- 239
- Views on SlideShare
- 239
- Embed Views

- Likes
- 0
- Downloads
- 4
- Comments
- 0

No embeds

Uploaded via SlideShare as Microsoft PowerPoint

© All Rights Reserved

- 1. Elliptic Curve Weak ClassIdentification for the Security of Cryptosystem Intan Muchtadi, Ahmad Muchlis and Fajar Yuliawan Algebra Research Group, Institut Teknologi Bandung (ITB), Indonesia
- 2. Elliptic Curve In 1985 both Koblitz and Miller independently suggested the use of Elliptic Curves in the development of a new type of public key cipher. An Elliptic Curve is a simple equation of the form: y2 = x3 +ax+b a,b in F of characteristic p ≠ 2,3 and 4a3 + 27b2 ≠ 0
- 3. Elliptic curvey2 = x3 − x
- 4. y2 = x3 − ½x + ½
- 5. y2 = x3 − 4/3x + 16/27
- 6. Elliptic curve over F23y2 = x3 + x + 1 24 23 22 21 20 19 18 17 16 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
- 7. Elliptic Curve Addition Q P P+Q
- 8. Multiples in Elliptic Curves 1 The interest in Elliptic Curve Addition is the process of adding a point to itself. That is given a point P find the point P+P or 2P. This is done by drawing a line tangent to P and reflecting the point at which it intercepts the curve P can be added to itself k times resulting in a point W = kP.
- 9. Multiples in Elliptic Curves 1 P+P = 2P P
- 10. Multiples in Elliptic Curves 2 Finding the value of 3P: P+P = 2P 3P P
- 11. Discrete Logarithm Problem1. A and B agree on a finite group G and some fixed element g.2. A selects an integer x at random and transmits b = gx to B.3. B selects an integer y at random and transmits c = gy to A.4. A determines k = cx , B determines k = by , k is then used as the secret key.
- 12. Elliptic Curve Cryptography Based on the discrete logarithm problem applied to Abelian group E(Fp) formed by the points of an elliptic curve over a finite field E(Fp)={(x,y)∈(Fp)²:y²=x³+ax+b}∪{O}
- 13. Elliptic Curve Cryptosystem There are several ways in which the ECDLP can be imbedded in a cipher system. One method begins by selecting an Elliptic Curve and a point P on the curve and a secret number d which will be the private key. The public key is P and Q where Q = dP A message is encrypted by converting the plaintext into a number m, selecting a random number k, and finding a point M on the curve where the difference of the x and the y co- ordinates equals m. the ciphertext consists of two points on the curve: (C1,C2) = (kP, M + kQ)
- 14. Decipher The secret key, d is used to decipher the ciphertext Multiply the first point by d and subtract the result from the second point:M = C2-dC1= M+kQ –dkP= M + kdP - dkP
- 15. Elliptic Curve Security The security of the Elliptic Curve algorithm is based on the fact that it is very difficult (as difficult as factoring) to solve the Elliptic Curve Discrete Logarithm Problem:Given two points P and Q where Q = kP, find the value of k
- 16. Imaginary Quadratic Orders
- 17. Maximal Orders and Non-maximal Orders If Δ is squarefree, then OΔ is the maximal order of the quadratic number field Q(√Δ) and Δ is called a fundamental discriminant. The non-maximal order of conductor p>1 with (non- fundamental) discriminant Δp=Δp² is denoted by OΔp. Assume that the conductor p is prime. Let IΔ = The group of invertible OΔ-ideals and PΔ = The set of principal OΔ-ideals. The class group of OΔ = Cl(Δ) = IΔ/PΔ is a finite abelian group with neutral element OΔ The class number of OΔ = h(Δ) = | Cl(Δ)|.
- 18. Imaginary Quadratic Orders In 1988 Buchmann and William use the class groups of imaginary quadratic orders Cl∆ for the construction of cryptosystem.
- 19. Reducing the DLP Huhnlein et al showed that for totally non-maximal imaginary quadratic orders (i.e., h∆ =1), the DLP can be reduced to the DLP in some finite field.
- 20. Problem Can we find a condition for elliptic curves such that the DLP for those curves can be reduced to the DLP of some finite fields?
- 21. The 1st Relation If E is an elliptic curve over Fq, then endomorphism ring of E is an imaginary quadratic order O∆ if and only if |E(Fq)| ≠ q+1. Moreover, there exists a π ∈ O∆ such that |E(Fq)| = q + 1 – (π + π ), where π is the conjugate of π, and π is the Frobenius endomorphism π(x,y) = (xq,yq) for all (x,y) ∈ E(Fq).
- 22. Consequence If q satisfies 4q=m²-Δn², for some m,n∈Z, then π =±(m+n√Δ)/2, As π²-tπ +q=0, we get t = π + π =±m. Therefore |E(Fq)| = q +1 ± m If m=1, then |E(Fq)| = q or q+2. The case |E(Fq)|=q is cryptographycally weak We consider the case where |E(Fq)| =q+2.
- 23. The Result: Reducing the ECDLPMain TheoremLet q be a prime satisfies 4q=1-Δn², for some n∈Z, such that p=q+2 is also a prime, and let E be an elliptic curve over Fq with |E(Fq)|=p.Then the DLP in E(Fq) can be reduced to the DLP in Fp² as additive group.
- 24. The method in [Huhnlein et al]
- 25. The 2 nd Relation
- 26. Auxiliary Result
- 27. The proof E(Fq) ≈ O∆ /(π-1) O∆ ↑ O∆ /pO∆ ≈ Fp2 given G and P∈E(Fq) with P=[m]G, compute the corresponding elements α+(π-1) O∆ and γ+(π-1) O∆ ∈ O∆ /(π-1) O∆ compute the corresponding α +pO∆ and γ +pO∆ ∈ O∆ /pO∆ compute the corresponding elements in Fp² Then compute the discrete logarithm there or determine that it does not exist.
- 28. Conclusion For q a prime satisfies 4q=1-Δn², for some n∈Z, such that p=q+2 is also a prime, the ECDLP in E(Fq) whose order is p can be reduced to the DLP in finite field of order p² as additive group.
- 29. Question of Existence How to construct such cryptographically weak curves. Answer By using the construction of anomalous elliptic curves (i.e. where | E(Fq)|=q).
- 30. Recall If q satisfies 4q=m²-Δn², for some m,n∈Z, then π =±(m+n√Δ)/2, As π²-tπ +q=0, we get t = π + π =±m. Therefore |E(Fq)| = q +1 ± m If m=1, then |E(Fq)| = q or q+2.
- 31. Construction of Anomalous Curves (based on [Leprevost et al]) Step 1 : Choose ∆ < 0 a fundamental discriminant of an imaginary quadratic field K = Q(√∆) such that order of K has class number 1. ∆ ∈ {-3, -4, -7, -8, -11, -19, -43, -67, -163} [Cox, Theorem 7.30]
- 32. Step 1(contd) Choose an odd prime q such that 4q = 1- ∆n2 for an integer n. We can show that1. -∆ ≡ 3 mod 8 (∆ ∈ {-3, -11, -19, -43, -67, -163} )2. q = - ∆u(u+1)+ (- ∆+1)/4 for some integer u
- 33. Step 2 OK = O∆=Z[(∆ + √∆)/2 Let j(OK) be the j-invariant of OK. For class number = 1 the j-invariant is given as following ∆ j(O )k -3 0 -11 -323 -19 -963 -43 -9603 -67 -52803 -163 -6403203 [Cox, p.261]
- 34. Step 3 Choose an elliptic curve over L=K(j(OK)) with j-invariant j0 = j(OK) : Since j(E) = 1728(4a3/(4a3+27b2)), then we can choose E: y2 = x3 + ax + b where a=3j0/(1728-j0) and b=2j0/(1728-j0)
- 35. Step 4 Reduce E to E : y2 = x3 + [a]x + [b] over Fq We can show that |E(Fq)|∈{q,q+2} If |E(Fq)|=q+2, a prime, then we’re done.
- 36. Step 5 If |E(Fq)|=q, define E’:y2=x3+d2[a]x+d3[b], where d ∈ Fq a non-quadratic element. |E’(Fq)| = q+2 If q+2 is prime, then we’re done.
- 37. Problem It’s not easy to find a prime q such that 4q = 1- ∆n2 for an integer n q+2 is also a prime
- 38. Example For ∆ = -11 dan u = 257 743 850 762 632 419 871 495, q = 11u(u + 1) +(11+1)/4 = 730 750 818 665 451 459 112 596 905 638 433 048 232 067 471 723 j(OK)=-323
- 39. Example (contd) E: y2 = x3 + ax + b a= 3(-323)/(1728-(-323))=425 706 413 842 211 054 102 700 238 164 133 538 302 169 176 474 b= 2(-323)/(1728-(-323))= 527 387 882 116 624 522 439 332 460 655 566 708 278 801 941 557
- 40. Example(contd) #E(Fq) = q+2 BUT q + 2 = 730 750 818 665 451 459 112 596 905 638 433 048 232 067 471 725 = 33 x 52 x 4217 x 20 016 645 573 637 x 2413 234 030 223 5314 x607 504 832 341is not a prime
- 41. Twin Prime Conjecture There are infinitely many primes q such that q + 2 is also prime.
- 42. Next? Find examples of “weak curves”, i.e twin primes that satisfy the condition in the Main Theorem. Does the result in this work have any relevance to the ECDLP for elliptic curves whose endomorphism ring is a totally non-maximal order?
- 43. References[1] H.Baier (2002), Efficient algorithms for generating elliptic curves over finite fields suitable for use in cryptography, PhD Dissertation.[2] I. F. Blake, G. Seroussi, and N. P. Smart (2000), Elliptic curves in cryptography, volume 265 of London Mathematical Society Lecture Note Series,Cambridge University Press, Cambridge.[3] I. F. Blake, G. Seroussi, and N. P. Smart (2005), Advances in elliptic curve cryptography, volume 317 of London Mathematical Society Lecture Note Series, Cambridge University Press, Cambridge.[4]J.Buchmann dan H.C.Williams (1988), A key exchange system based on imaginary quadratic field, Journal of Cryptology, 1, 107-118.
- 44. References (contd)[5] J. Buchmann (2004), Introduction to cryptography, Springer.[6] H. Cohen and G. Frey (2006), Handbook of elliptic and hyper elliptic curve cryptography, Hall and Chapman, Taylor and Francis Group.[7] D. A. Cox (1989), Primes of the forms x2 + ny2, John Wiley and Sons, New York.[8] W. Diffie and M. Hellman (1976), New directions in cryptography, IEEE Transactions on Information Theory, 22, 472-492.[9] A. Enge (2001), Elliptic curves and their applications to cryptography : an introduction, Kluwer Academic Publishers.[10] D.Hankerson, A.J. Menezes, S. Vanstone (2004), Guide to elliptic curve cryptography, Springer-Verlag, New York.
- 45. References (contd)[11] D.Huhnlein, M.J. Jacobson, S. Paulus and T.Takagi (1998), A cryptosystem based on non-maximal imaginary quadratic order with fast decryption, in Advances in Cryptology, LNCS 1403, Springer, 294-307.[12] D.Huhnlein, M.J. Jacobson, D. Weber (2003), Towards Practical Non-Interactive Public-Key Cryptosystems Using Non- Maximal Imaginary Quadratics Orders, Designs, Codes and Cryptography, 30, Issue 3, 281-299.[13] D.Huhnlein, T.Takagi (1999), Reducing logarithms in totally non-maximal imaginary quadratic orders to logarithms in nite elds, ASIACRYPT, 219-231.[14] N.Koblitz (1987), Elliptic curve cryptosystem, Mathematics of Computation 48, 203-209.
- 46. References (contd)[15] H.W.Lenstra (1996), Complex multiplication structure of elliptic curves, Journal of Number Theory, 56, No. 2, 227-241.[16] F. Leprevost, J.Monnerat, S. Varrette, S.Vaudenay (2005), Generating anomalous elliptic curves, Information Processing Letters, 93, 225-230.[17] K. S. McCurley (1988), A Key Distribution System Equivalent to Factoring, Journal of Cryptology 1, 95-105.[18] V.S. Miller (1986), Use of elliptic curve in cryptography, in Advances in Cryptology - CRYPTO 85, Springer-Verlag, LNCS 218, 417-426.[19] J.H. Silverman (1986), The arithmetic of elliptic curves, Springer-Verlag, NewYork.[20] L.C. Washington (2008) Elliptic curves, number theory and cryptography,Chapman and Hall/CRC, Taylor and Francis Group.
- 47. Thank you

Full NameComment goes here.