2. Plan for This Week
Signing with Elliptic Curves (Sketch)
Elliptic Curve Parameters
Dual-EC Duel
Wednesday:
Preventing Double Spending
Distributed Consensus
The Blockchain
Office Hours today!
Me: after class
Nick: 5-7pm in Rice 442
Project 1 Due Friday, 11:59pm
3. Signing with Elliptic Curves
Elliptic curve discrete logarithm problem: given points P and Q on the curve, it is hard to find k such that Q = kP.
How can we use this hardness assumption to make an asymmetric cryptosystem?
4. Signing with Elliptic Curves
Parameters: curve, G (a point on the curve), (large) n such that nG = 0 (n is the order of G; it is prime for the standard curves).
Key pair:
Private key: d = a random integer in [1, n-1]
Public key: point Q = dG
(Recovering d from Q is exactly the discrete logarithm problem above.)
6. Signing with Elliptic Curves
Sign (sketch), with z = the hash of the message, truncated to the bit length of n:
pick a random integer k in [1, n-1]
compute the curve point (x, y) = kG
r = x mod n
s = k^{-1}(z + r·d) mod n
signature = (r, s)
If r = 0 or s = 0, start over with a new k. k must be fresh and secret for every signature: a reused or predictable k lets anyone with two signatures solve for d.
7. Verifying a Signature
1. Verify Q is valid:
Q is on the curve,
Q must not be 0,
nQ = 0.
8. Verifying a Signature
2. Verify the signature is valid: compute a curve point from Q, z and the signature, and check it against r.
check that 1 ≤ r ≤ n-1 and 1 ≤ s ≤ n-1
w = s^{-1} mod n
(x', y') = (z·w)G + (r·w)Q
accept iff x' mod n = r
Why it works: s = k^{-1}(z + r·d), so k = w(z + r·d) = z·w + r·w·d, and (z·w)G + (r·w)Q = (z·w + r·w·d)G = kG, whose x-coordinate mod n is exactly r.
10. RSA vs. ECC
                          RSA                                         ECC
Discovery                 1977 (an equivalent scheme was found at     1985 (adoption limited until ~2005)
                          GCHQ in 1973 by Clifford Cocks, following
                          James Ellis's 1969 "non-secret encryption"
                          idea, and perhaps earlier by NSA)
"Hard" Problem            Factoring                                   Discrete Log on Elliptic Curve
Key Size (~112-bit)       2048 bits (768 bits broken)                 224 bits (112 bits broken)
Backdoor Risk             None                                        Curves selected by NSA/Certicom/?
Quantum Computing Risk    Known fast factoring algorithm (Shor's)     Similar (a variation of Shor's algorithm
                                                                      solves Discrete Log)
Implementation            Avoiding weak keys, timing side channels    Fast operations on elliptic curves,
Challenges                                                            leaks on invalid inputs
11. Why are RSA keys so much bigger?
RSA: Factoring
Naïve factoring: try division by all numbers up to √N, i.e. ~√N divisions.
Best known factoring: General Number Field Sieve ["Sneakers", 1992]. Its cost is subexponential, roughly e^{c·(ln N)^{1/3}·(ln ln N)^{2/3}} with c = (64/9)^{1/3} ≈ 1.92, i.e. about e^{(ln N)^{1/3}} up to the log-log and constant factors.
Largest challenge solved: RSA-768 (2009). (RSA stopped funding challenges in 2007.)
NIST deprecated 1024-bit RSA in 2012.
Known vulnerable: 1024-bit (no public factorization yet, but believed to be within reach of a well-funded attacker).
ECC: Discrete Log on Elliptic Curve
Naïve algorithm: ~n curve additions, adding P to itself until you reach Q (n is the order of the group, which by Hasse's theorem is close to the field size p).
Best known: ~√n (Pollard's Rho). This is fully exponential in the key size, which is why an ECC key can be an order of magnitude shorter than an RSA key at the same security level.
Known vulnerable: 113-bit (24 days x 18 FPGA cores, 2014).
22.
[Two bitmap images of generator output, one per source]
Source of images: http://boallen.com/random-numbers.html
PHP rand() (on Windows)
random.org (atmospheric noise)
Which should you use to generate your wallet's private key?
23. Defining Randomness
Андре́й Колмого́ров
Andrey Kolmogorov (1903-1987)
"He was to probability theory what Euclid was to geometry." (Peter Lax)
For a sequence s, its Kolmogorov complexity K(s) = the length of the shortest description (program) that produces s.
A sequence s is random if K(s) ≥ |s| − c: no description of s is noticeably shorter than s itself.
(This is a somewhat informal version. A real definition would need to be more careful about stating this asymptotically.)
31. Amplifying Physical Randomness
Pseudo-Random Number Generator
k = f(physical randomness)
output_0 = AES_k(0), output_1 = AES_k(1), output_2 = AES_k(2), output_3 = AES_k(3), ...
(the block cipher run in counter mode under the key k)
Every once in a while, compute a new k using new physical randomness.
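As an added example (not from the slides) of the construction in the diagram, here is a counter-mode generator with periodic rekeying. Python's standard library has no AES, so SHA-256 over (key, counter) stands in for the block cipher; everything else (a key derived from physical randomness, a running counter, the reseed step) follows the sketch. The class name, the reseed interval and the entropy_source parameter are my own choices.

```python
import hashlib
import os


class CounterModePRNG:
    """Counter-mode PRNG in the shape of the slide: output_i = PRF_k(i), with k derived
    from physical randomness and replaced every so often.  The slide's PRF is AES; the
    standard library has no AES, so SHA-256 over (key || counter) stands in for it here."""

    def __init__(self, entropy, reseed_after=1024, entropy_source=os.urandom):
        self.reseed_after = reseed_after        # outputs to emit before k is replaced
        self.entropy_source = entropy_source    # "physical randomness" (os.urandom by default)
        self._rekey(entropy)

    def _rekey(self, entropy):
        # k = f(physical randomness): condition the raw entropy into a fixed-size key
        self.key = hashlib.sha256(b"prng-key|" + entropy).digest()
        self.counter = 0

    def next_block(self):
        """One 32-byte output block: PRF_k(counter)."""
        out = hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        if self.counter >= self.reseed_after:   # every once in a while: fresh physical randomness
            self._rekey(self.entropy_source(32))
        return out

    def random_bytes(self, length):
        buf = b""
        while len(buf) < length:
            buf += self.next_block()
        return buf[:length]


def stream(entropy, count, **kw):
    """The first `count` blocks produced from a given seed (handy for checking determinism)."""
    g = CounterModePRNG(entropy, **kw)
    return [g.next_block() for _ in range(count)]
```

Before the first reseed the output is a deterministic function of the seed, which is what makes the seed the only secret an attacker needs; after a reseed the old key is gone, so learning the current key does not expose outputs from before the last reseed.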
34.
What is the smallest natural number that cannot be described in eleven words?
The smallest natural number that cannot be described in eleven words.
(That answer is itself an eleven-word description: the Berry paradox. It is why "shortest description" must be pinned to a fixed formal language for K(s) to be well defined.)
40. Dual-EC PRNG
Update internal state: s_{i+1} = φ(s_i × P), where φ(point) = the point's x-coordinate and s_0 = physical randomness.
Generate output bits: r_i = φ(s_i × Q); output r_i with its 16 most significant bits removed (240 bits per step on P-256).
P and Q are points on an elliptic curve.
41. Curve Used by Dual-EC PRNG
NIST P-256
y^2 = x^3 + ax + b (mod p)
p = 2^256 − 2^224 + 2^192 + 2^96 − 1
a = p − 3
b = 41058363725152142129326129780047268409114441015993725554835256314039467401291
Elliptic curve operations are expensive! Dual-EC PRNG is 1000x slower than strong PRNGs built using symmetric ciphers.
42. Why use Elliptic Curves for PRNG?
• Easier to plant a back-door in it than designs based on symmetric ciphers
• Can be used to provide provable security properties based on number theory: hardness of discrete log on elliptic curves
– But not done for Dual EC PRNG
43. Dual-EC PRNG
s_{i+1} = φ(s_i × P), with s_0 = randomness
r_i = φ(s_i × Q); output r_i with its 16 most significant bits removed
P and Q are (random?) points on P-256.
48. Possible Back Door
P and Q are points on the curve.
P is a generator of the curve: all points on the curve are kP for some k.
The curve has prime order, so Q is a generator too and P = eQ for some e. Whoever chose Q could have picked e first and set Q = e^{-1}P.
Challenge: given o_i, can you find s_i?
49. Working Backwards from an Output
s_{i+1} = φ(s_i × P), r_i = φ(s_i × Q), o_i = r_i with its 16 most significant bits removed
Challenge: given o_i, can you find s_i?
r_i = (x_i, y_i) = (16 unknown bits | o_i, y_i)
Points on the curve: y^2 = x^3 − 3x + b (mod p)
51. Guessing the Missing Bits
foreach u in [0, 2^16):
    g = u | o_i            (u fills the 16 high bits, o_i the low bits)
    z = g^3 − 3g + b (mod p)
    if z^{1/2} mod p exists, (g, ±z^{1/2}) is on the curve
How expensive is this? 2^16 candidates, each costing one modular square root (p ≡ 3 mod 4, so z^{(p+1)/4} is the root whenever one exists).
How many are on the curve? About half of the x values have a square root, so roughly 2^15 candidate points; the sign of y does not matter for the next step, since e × A and e × (−A) share an x-coordinate.
53. Using the Back Door
P = eQ
A = (x, y) = a candidate point from the search; if the guess is right, A = s_i × Q
φ(e × A) = φ(e × s_i × Q) = φ(s_i × P) = s_{i+1}
One output is enough to learn the internal state (if you know e)! Strictly you learn s_{i+1} rather than s_i, but that is all an attacker needs: each of the ~2^15 candidates yields a candidate s_{i+1}, the next few output bits single out the right one, and from then on every future output of the generator is predictable.
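The signing and verification sketch on slides 6-8 and the state-recovery attack on slides 48-53 share the same elliptic-curve arithmetic, so here is one worked example covering both. It is an added example, not code from the lecture: pure-Python P-256 arithmetic, ECDSA with SHA-256 as the message hash (the slides leave the hash unspecified), and a Dual-EC-style generator whose Q was chosen as e^{-1}·P by someone who keeps e. Two simplifications are assumptions of mine: P is taken to be the base point G, and the generator drops the top 8 bits of the x-coordinate instead of the real 16 so that this unoptimized search finishes in seconds (the real search is the same loop, 256 times longer). The function names and the sample message are mine.

```python
import hashlib
import secrets

# NIST P-256 (the curve on slide 41): y^2 = x^3 + a x + b (mod p); G has prime order n.
# O is the point at infinity, written 0 on the slides.
p = 2**256 - 2**224 + 2**192 + 2**96 - 1
a = p - 3
b = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B
n = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
O = None

def add(P1, P2):
    """Affine point addition; handles the identity, doubling and P + (-P)."""
    if P1 is O: return P2
    if P2 is O: return P1
    (x1, y1), (x2, y2) = P1, P2
    if x1 == x2 and (y1 + y2) % p == 0: return O
    if P1 == P2: lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else: lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P1):
    """k * P1 by double-and-add (not constant time: demonstration only)."""
    R = O
    while k:
        if k & 1: R = add(R, P1)
        P1, k = add(P1, P1), k >> 1
    return R

# ECDSA as sketched on slides 6-8; z = SHA-256 of the message (assumed; 256-bit z for 256-bit n).
def hash_to_int(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def keygen():
    d = secrets.randbelow(n - 1) + 1              # private key d in [1, n-1]
    return d, mul(d, G)                           # public key Q = dG

def sign(d, msg):
    z = hash_to_int(msg)
    while True:
        k = secrets.randbelow(n - 1) + 1          # fresh secret k per signature; reuse leaks d
        r = mul(k, G)[0] % n
        s = pow(k, -1, n) * (z + r * d) % n
        if r and s: return (r, s)                 # retry on the (negligible) r = 0 or s = 0

def valid_pubkey(Q):
    """Verification step 1: Q != 0, Q on the curve, nQ = 0."""
    if Q is O or (Q[1] ** 2 - Q[0] ** 3 - a * Q[0] - b) % p: return False
    return mul(n, Q) is O

def verify(Q, msg, sig):
    """Verification step 2: rebuild kG from z, Q and (r, s); its x-coordinate mod n must equal r."""
    r, s = sig
    if not (valid_pubkey(Q) and 0 < r < n and 0 < s < n): return False
    w = pow(s, -1, n)                             # k = w (z + r d), so kG = (z w) G + (r w) Q
    R = add(mul(hash_to_int(msg) * w % n, G), mul(r * w % n, Q))
    return R is not O and R[0] % n == r

# Dual-EC-style generator (slides 40-53) with a planted relation P = eQ.
TRUNC = 8   # Dual EC DRBG drops the top 16 bits of x; 8 keeps this pure-Python search at 2^8 guesses
def trunc(x): return x & ((1 << (256 - TRUNC)) - 1)

def sqrt_mod_p(z):
    y = pow(z, (p + 1) // 4, p)                   # p = 3 (mod 4): a root of z when z is a square
    return y if y * y % p == z else None

def dual_ec(s, P, Q, count):
    """s_{i+1} = x(s_i P); output o_i = trunc(x(s_i Q)). Returns the outputs and the final state."""
    outs = []
    for _ in range(count):
        outs.append(trunc(mul(s, Q)[0]))
        s = mul(s, P)[0]
    return outs, s

def backdoored_params(e):
    """Designer picks e and publishes Q = e^-1 G, so that P = G = eQ (n is prime, so e^-1 exists)."""
    return G, mul(pow(e, -1, n), G)

def recover_state(e, P, Q, o0, o1):
    """From two consecutive outputs and the trapdoor e, recover s_1 (the state right after o0)."""
    for u in range(1 << TRUNC):
        x = (u << (256 - TRUNC)) | o0             # guess the dropped top bits of x(s_0 Q)
        if x >= p: continue
        y = sqrt_mod_p((x ** 3 + a * x + b) % p)
        if y is None: continue                    # no curve point has this x (about half the guesses)
        s1 = mul(e, (x, y))[0]                    # e (s_0 Q) = s_0 P, whose x-coordinate is s_1
        if trunc(mul(s1, Q)[0]) == o1: return s1  # the next output confirms the guess
    return None

def demo():
    """ECDSA round trip, then recovery of the generator state; returns the checks as booleans."""
    d, Q = keygen()
    msg = b"pay 1 BTC to alice"                   # constructed message
    sig = sign(d, msg)
    e = secrets.randbelow(n - 1) + 1              # the trapdoor only the parameter designer knows
    P, Qd = backdoored_params(e)
    outs, _ = dual_ec(secrets.randbelow(n - 1) + 1, P, Qd, 3)   # s_0 = "physical randomness"
    s1 = recover_state(e, P, Qd, outs[0], outs[1])
    return {"ecdsa_ok": verify(Q, msg, sig),
            "ecdsa_forged": verify(Q, b"pay 1 BTC to mallory", sig),
            "state_recovered": s1 is not None,
            "predicts_next": s1 is not None and dual_ec(s1, P, Qd, 2)[0][1] == outs[2]}
```

recover_state returns s_{i+1} rather than s_i, exactly as the derivation on slide 53; demo() shows that this is enough by predicting the generator's third output from its first two. The second output is needed only to tell the right candidate apart from the other x-coordinates in the search window that also lie on the curve; without the trapdoor e, the same two outputs give an attacker nothing, because turning a candidate point into the next state is a full discrete logarithm.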
60.
"With hindsight, NSA should have ceased supporting the dual EC_DRBG algorithm immediately after security researchers discovered the potential for a trapdoor. In truth, I can think of no better way to describe our failure to drop support for the Dual_EC_DRBG algorithm as anything other than regrettable. …
Furthermore, we realize that our advocacy for the DUAL_EC_DRBG casts suspicion on the broader body of work NSA has done to promote secure standards. Indeed, some colleagues have extrapolated this single action to allege that NSA has a broader agenda to 'undermine Internet encryption.'"
(Michael Wertheimer, NSA Director of Research, "Encryption and the NSA Role in International Standards", Notices of the AMS, February 2015)
64. Charge
Project 1 is due Friday
If you haven't already read Satoshi's original bitcoin paper and Chapter 5, please do before Wednesday's class
Office Hours today!
Me: now
Nick: 5-7pm in Rice 442
Project 1 Due Friday, 11:59pm