ECC vs RSA: Battle of the Crypto-Ninjas

Talk given at Devoxx UK 2014

Caveat - without the video these slides can be taken out of context, see Parleys for the full video.

RSA is the oldest kid in the public-key cryptography playground, and its position of toughest and fastest is under sharp competition from ECC (Elliptic Curve Cryptography). We look at the mathematical difference between the two cryptosystems, showing why ECC is faster and “harder” than RSA, but also very energy efficient, hence its unique advantage in the mobile space. We show how to use ECC in your Java and Android applications, before finally summarising the “state of the union” for RSA and ECC in the light of the Snowden leaks, and the likely near future for public-key cryptography.


  1. James McGivern: ECC vs RSA: Battle of the Crypto-Ninjas. Friday, 11 July 2014
  2. About James
  3. About James: Mathematician turned Computer Scientist; Technical Evangelist; lives in London; talks fast; likes cats; hates Marmite.
  4. (image only)
  5. Objectives: the basics (terminology, concepts, etc.); symmetric vs. asymmetric cryptography; RSA overview; theory of elliptic curves; elliptic curve cryptography (ECC); RSA vs. ECC (performance, security, etc.); using ECC; ECC “in the wild”.
  6. Please Note. Aim: to provide enough basic information to “springboard” your own forays into cryptography. No: history lessons (but maybe a tangent or two); proofs, rigorous or otherwise; key exchange protocols. I work for Cisco but all the views in this presentation are mine and do not reflect the views of Cisco.
  7. Cryptography: Refresh
  8. All Hail Claude Shannon. Godfather of: communication theory; information theory; digital computing & digital circuit design; modern cryptography. Proved that the cryptographic one-time pad is unbreakable. “The enemy knows the system.”
  9. Terminology. A plaintext document is encrypted with a cipher to produce ciphertext. Decryption is the reverse of encryption. A cipher may utilise one or more keys.
  10. Cryptanalysis. Crypto-ninjas need to be constantly vigilant for attack.
  11–15. Cryptanalysis can be classified by: computational resource requirements; degree of information exposure; degree of cryptosystem penetration. Do not underestimate: stupidity, spies, traitors and other forms of social engineering.
  16–18. Diffusion is a measure of the difference between the statistical structure of the plaintext and the ciphertext. Confusion is a measure of the complexity of the relationship between the ciphertext and the key(s).
  19. Kerckhoffs’s Principle: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.”
  20. Warning! Even crypto-ninjas can’t herd cats.
  21. A Cipher Class Diagram. Cipher → Classical: Substitution, Transposition, Rotor Machines. Cipher → Modern: Symmetric (private key), Asymmetric (public key); Stream, Block.
  22. http://xkcd.com/927
  23. Cryptographic Standards. Created by “trusted” authorities, e.g. NIST (US), ENISA (EU), CESG/HMG (UK). Define specific implementations of algorithms & protocols, including: key sizes; random number & seed generators; algorithm parameters. Allow in-depth cryptanalysis. Ensure support in hardware and software applications.
  24. Symmetric vs. Asymmetric Encryption
  25–30. Symmetric: Alice ↔ Bob (animated diagram, no text).
  31–39. Asymmetric: Alice ↔ Bob (animated diagram, no text).
  40. Trapdoor Functions
  41. The Mountains of Complexity
  42. Turing Machines: S, the set of symbols; Q, the set of states; q0, the initial state, q0 ∈ Q; F, the set of final states, F ⊆ Q; δ, the transition function.
  43. Decisions, Decisions, Decisions. Given some formal system, a decision problem is a statement that is either true or false. E.g.: given any two integers x and y, is (x/y) mod 2 = 0? Is the real part of any non-trivial zero of the Riemann zeta function 1/2? Does a given algorithm return a value within a finite amount of time?
  44. P & NP. Decision problems in P can be solved in polynomial time on a deterministic Turing machine (sorting lists, shortest path problem). A decision problem is in NP if a solution can be verified in polynomial time on a non-deterministic Turing machine (multi-body collision detection).
  45. NP-Hard & NP-Complete. Not all problems in NP are equal! NP-complete problems are “the hardest problems in NP”. A decision problem D is NP-complete if: 1. D is in NP; 2. every problem in NP is reducible to D in polynomial time. If only (2) is true then D is NP-hard.
  46. P versus NP
  47. RSA Dojo
  48. RSA is a fundamental part of HTTPS/SSL. Based on the Integer Factorisation Problem. Believed to be in NP and co-NP but not NP-complete. A factor is a number that divides evenly into another number, e.g. 20 has factors {1, 2, 5, 10}.
  49. Primes, Co-Primes. A prime number is a natural number greater than 1 with no positive divisors except itself and 1. Two numbers p, q are co-prime iff their greatest common divisor is 1, i.e. gcd(p, q) = 1. Examples: gcd(15, 10) = 5; gcd(16, 10) = 2; gcd(17, 10) = 1.
  50. Integer Factorisation Problem. The fundamental theorem of arithmetic proves every positive integer has a unique prime decomposition: n = ∏ p_i^(q_i), where n, p_i, q_i are integers and the p_i are prime numbers. Examples: 15 = 5 · 3; 20 = 5 · 2².
  51. Totatives & Euler’s Totient. A number t is a totative of n iff 0 < t < n and gcd(t, n) = 1. Euler’s totient function of a number n is given by φ(n) = |T(n)|, where T(n) is the set of all totatives of n. Example: if n = 9, then T(n) = {1, 2, 4, 5, 7, 8} and φ(9) = |T(9)| = 6.
  52. RSA Key Generation. Choose two prime numbers p and q. Compute n = pq. Compute φ(n) = φ(p) · φ(q) = (p − 1)(q − 1). Choose an integer e s.t. 1 < e < φ(n) and gcd(e, φ(n)) = 1. Compute d = e⁻¹ (mod φ(n)). Public Key = (e, n). Private Key = (d, n).
  53. Encryption: given a message M, convert it to an integer m s.t. 0 < m < n using a padding protocol; the ciphertext c is generated by c = m^e (mod n). Decryption: given a ciphertext c, compute m = c^d (mod n) and recover M by reversing the padding protocol on m.
  54. Caution! Picking the prime numbers is hard. If p or q are too small or too close to each other it greatly decreases the security. If p − 1 or q − 1 only has small prime factors, n can be factored in polynomial time.
  55. Theory-based Attacks: trial division; Euler’s algorithm; Fermat’s algorithm; wheel factorisation; quadratic sieve; general number field sieve; Pollard’s ρ algorithm; Shor’s algorithm.
  56. Practical Attacks. Man-in-the-Middle: BEAST (faulty cipher attack); CRIME & BREACH (secure cookie compression attack). Side-channel: Lucky13 (padding attack). Bug: Heartbleed (buffer overflow).
  57. A Detour through the Garden of Mathematics
  58. Abstract Algebra. An algebraic structure is composed of one or more sets with one or more n-ary functions defined on them. Underpins a great deal of modern science: codes, symmetries, dynamical systems. A beautiful example of mathematics at work.
  59. Nota Bene! Mathematics is a precise language, the notation less so. Different branches of maths use the same symbol to mean different things. There are some “rules” which, if you don’t know them, can be confusing. In abstract algebra we use + and • which are not always numeric addition and multiplication. Mathematicians are lazy: a • b = ab.
  60. Groups. A group G is a pair G(S, •) where S is a set and • a binary operator that satisfies: Closed: ∀ a, b ∈ S, a • b ∈ S. Associative: ∀ a, b, c ∈ S, (a • b) • c = a • (b • c). Identity element: ∃ e ∈ S s.t. ∀ a ∈ S, e • a = a • e = a. Inverse element: ∀ a ∈ S, ∃ b ∈ S s.t. a • b = b • a = e.
  61. Abelian Groups. A group G(S, •) is an abelian group (or commutative group) if it also satisfies the commutativity condition: ∀ a, b ∈ S, a • b = b • a.
  62. Rings. A ring R is a tuple R(S, +, •) if it satisfies the 8 ring axioms: 1–4, (S, +) is an abelian group; 5–6, (S, •) is a monoid; 7–8, distributivity. If the • operator is commutative then R is a commutative ring.
  63. Fields. A field F is a tuple F(S, +, •) where F(S, +) and F(S, •) are abelian groups, and the distributivity property is satisfied, i.e. ∀ a, b, c ∈ S: a • (b + c) = (a • b) + (a • c) and (a + b) • c = (a • c) + (b • c). Every field is a ring but not every ring is a field.
  64. Mathematics of Elliptic Curves
  65. Foreword. Elliptic curves have (almost) nothing to do with ellipses, so put ellipses and conic sections out of your thoughts.
  66. An elliptic curve E defined over a field k is a curve given by the equation y² = x³ + Ax + B, where the discriminant ∆ = 4A³ + 27B² must be non-zero and A, B, x, y ∈ k. We define E(k), together with the point at infinity Θ, as the set of all points on E over k.
  67. Lies, Lies, Lies. An elliptic curve is given by the Weierstrass equation y² + Axy + By = x³ + Cx² + Dx + E, where A, B, C, D, E, x, y ∈ k. But we generally consider the cases where A, B, C are zero ⇒ ∆ = 0.
  68. Elliptic Curves Over Prime Fields. An elliptic curve E defined over Zp is given by the equation y² = x³ + Ax + B (mod p), with ∆ = 4A³ + 27B² (mod p), where p is a prime number and Zp is the set of integers {0, …, p − 1} with modulo-p arithmetic.
  69–70. (curve plots, image only)
  71. Adding Points on a Curve. Given two points P and Q on an elliptic curve, how can we produce a third point R = P + Q, also on the curve? 1. If P ≠ Q, draw a line between P and Q, extending it until it intersects the curve; if P = Q, extend the tangent at P instead. This intersection point is −(P + Q), or −R. 2. Draw a line from the intersection parallel to the y-axis until it intersects the curve again at R = P + Q.
  72–74. Case 0: line between P & Q not parallel to the y-axis (diagram: P, Q, −R, R).
  75–77. Case 1: P = Q (diagram: P, −R, R).
  78–79. Case 2: Q = −P, line between P & Q parallel to the y-axis; R = Θ (diagram).
  80. Point Addition. The set of all points on E over k, E(k), forms a group (E(k), +) under the point addition operator. Recall, a group has the properties: P + Θ = Θ + P = P [identity element]; P + (−P) = Θ [inverse element]; P + (Q + R) = (P + Q) + R [associative]; P + Q ∈ E(k) [closed]; for all P, Q, R ∈ E(k).
  81. Point Multiplication. Multiplication of a point by a scalar integer is defined by n • P = P + P + … + P (n times). Examples: 2P = P + P; −3P = −3(P) = (−P) + (−P) + (−P); 0P = Θ. Point multiplication is more efficient than general point addition.
  82. Elliptic Curve Cryptography
  83. Elliptic curve cryptography uses elliptic curves over finite fields. A prime curve is defined over Zp; a binary curve is defined over GF(2^m). Hardware implementations of binary curve systems are both small & fast. Prime curves are typically used in software implementations.
  84. Discrete Logarithm Problem. Problem: find k where x^k = y, with x, y in some group G. Note that x^k = x • x • … • x (k times). If G is the set of points on an elliptic curve we define the elliptic curve discrete logarithm problem (ECDLP) as: given P, Q ∈ G, find k where Q = k • P.
  85. ECDLP Complexity. The elliptic curve discrete logarithm problem is in NP and co-NP and not thought to be NP-complete or NP-hard. As key size increases, performance of implementations decreases.
  86. Domain Parameters. p: the prime number which defines the field in which the curve operates, Fp; all point operations are taken modulo p. a, b: the two coefficients which define the curve; these are integers. G: the generator or base point, a distinct point of the curve which resembles the “start” of the curve. n: the order of the curve generator point G. h: the cofactor of the curve; it is the quotient of the number of curve points, #E(Fp), divided by n.
  87. Key Generation. Generating a keypair for ECC is trivial. The private key is a random integer dA such that 0 < dA < n. Then we generate the public key QA using scalar point multiplication of the private key with the generator point G: QA = dA • G. Note that the public and private key are not equally exchangeable (unlike in RSA, where both are integers): the private key dA is an integer, but the public key QA is a point on the curve.
  88. Encryption. First choose a random number r so that 0 < r < n. Then calculate the “session” point R by multiplying r with the generator point of the curve: R = r • G. We also generate a secret using the public key of the recipient: S = r • QA. Now R is publicly transmitted with the message, and from the point S a symmetric key is derived with which the message is encrypted, e.g. using AES.
  89. Decryption. Given an encrypted message and session key R, how do you recover S to decrypt the message? S = dA • R = dA • (r • G) = r • (dA • G) = r • QA.
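The point arithmetic of slides 68–81 and the key generation, encryption and decryption of slides 87–89, as one added example; this is not code from the talk. The curve y² = x³ + 2x + 2 over Z₁₇ with base point (5, 1) of order 19 is a constructed textbook-sized toy, the SHA-256 keystream stands in for the AES the slide mentions, and the on-curve check on every point received from the other party is the defender's guard against the invalid-point and invalid-curve attacks listed later in the deck.

```python
"""Elliptic-curve group over Z_p plus a toy ECIES-style encrypt/decrypt.

Constructed toy curve: y^2 = x^3 + 2x + 2 over Z_17 with base point G = (5, 1)
of order n = 19 (textbook-sized, far too small for real use). A SHA-256
keystream stands in for the AES the slides mention.
"""
import hashlib
import secrets

INF = None  # the point at infinity, Theta on the slides


class Curve:
    def __init__(self, p, a, b, g, n):
        if (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("singular curve: discriminant is 0 mod p")
        self.p, self.a, self.b, self.g, self.n = p, a, b, g, n
        if not self.on_curve(g) or self.mul(n, g) is not INF:
            raise ValueError("G must lie on the curve and have order n")

    def on_curve(self, P):
        """Membership test; used to reject invalid points before scalar multiplying."""
        if P is INF:
            return True
        x, y = P
        return 0 <= x < self.p and 0 <= y < self.p and \
            (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        return INF if P is INF else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        """Chord-and-tangent addition covering the three cases on slides 72-79."""
        if P is INF:
            return Q
        if Q is INF:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return INF                                  # case 2: Q = -P, vertical line
        if P == Q:                                      # case 1: tangent at P
            s = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:                                           # case 0: chord through P and Q
            s = (y2 - y1) * pow(x2 - x1, -1, self.p)
        s %= self.p
        x3 = (s * s - x1 - x2) % self.p
        y3 = (s * (x1 - x3) - y1) % self.p              # reflect -R across the x-axis
        return (x3, y3)

    def mul(self, k, P):
        """k*P by double-and-add; a negative k multiplies the inverse point -P."""
        if k < 0:
            return self.mul(-k, self.neg(P))
        R = INF
        while k:
            if k & 1:
                R = self.add(R, P)
            P = self.add(P, P)
            k >>= 1
        return R


TOY = Curve(p=17, a=2, b=2, g=(5, 1), n=19)


def keygen(curve, randbelow=secrets.randbelow):
    """Private key d with 0 < d < n, public key Q = d*G (slide 87)."""
    d = randbelow(curve.n - 1) + 1
    return d, curve.mul(d, curve.g)


def _keystream_xor(S, data):
    """AES stand-in: XOR data with SHA-256(key || counter) blocks. Toy only."""
    key = hashlib.sha256(f"{S[0]},{S[1]}".encode()).digest()
    out = bytearray()
    for i, byte in enumerate(data):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def encrypt(curve, q_recipient, msg, randbelow=secrets.randbelow):
    """Slide 88: R = r*G travels in the clear, S = r*Q seeds the symmetric key."""
    if q_recipient is INF or not curve.on_curve(q_recipient):
        raise ValueError("recipient public key is not a valid curve point")
    r = randbelow(curve.n - 1) + 1
    return curve.mul(r, curve.g), _keystream_xor(curve.mul(r, q_recipient), msg)


def decrypt(curve, d, R, ciphertext):
    """Slide 89: S = d*R = d*(r*G) = r*(d*G) = r*Q. R is validated first."""
    if R is INF or not curve.on_curve(R):
        raise ValueError("session point R is not a valid curve point")
    S = curve.mul(d, R)
    if S is INF:
        raise ValueError("degenerate shared point")
    return _keystream_xor(S, ciphertext)
```

On the toy curve 2G = (6, 3), 3G = (10, 6) and 19G = Θ, so the group axioms of slide 80 can be checked by hand; with d = 7 and r = 4 both parties arrive at S = 28G = 9G = (7, 6), which is the commutation step of slide 89. The `randbelow` parameter exists only so the randomness can be fixed in a test; production code keeps the `secrets` default.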
  90. Caution! ECC security correlates to: domain parameter generation and validation (poor curve choice); small key sizes. Even small differences in parameters can significantly change the security.
  91. Theory-Based Attacks: brute force O(2^(n/2)); baby-step giant-step O(√n); function field sieves O(√n); Pollard’s ρ algorithm for logarithms O(~0.8√n); Shor’s algorithm for logarithms O((log n)³).
  92. Practical Attacks. Side channel attacks (passive): differential power analysis; timing attacks; zero-value point attacks. Fault analysis attacks (active): safe error analysis; invalid point & invalid curve analysis.
  93. RSA vs. ECC
  94. Security. ECC is not “more secure” than RSA. They both utilise similar mathematical problems. These problems are not NP-complete or NP-hard. As (quantum) computers become more powerful, both ECC and RSA are in trouble.
  95. Performance. 1. Shorter keys are as strong as long keys for RSA (in general 256-bit ECC is equivalent to 3072-bit RSA). 2. Low on CPU consumption. 3. Low on memory usage. 4. (2) & (3) ⇒ lower energy. 5. Fast key generation. 6. Processing ECC SSL certificates is 2× faster.
  96. Pairing. Pairing allows for a 3-party key exchange and cryptography system. Useful for example in financial transactions: buyer, seller & bank. Active area of research, especially in identity-based encryption (IBE), primarily using elliptic curves.
  97. ECC “in the Wild”
  98. ECC & Java. JCA: java.security; javax.security (deprecated). JCE: Oracle JCE + policies. Legion of the Bouncy Castle.
  99. Standardised ECC. NIST curve P-256 [Safe]: y² = x³ − 3x + K modulo p = 2^224 − 2^96 + 1, where K = 18958286285566608000408668544493926415504680968679321075787234672564. SECp256k1 [Unsafe]: y² = x³ + 7 modulo p = 2^256 − 2^32 − 977. http://safecurves.cr.yp.to/
  100. Curve25519 is a high-speed Diffie-Hellman function growing in popularity and as the “default setting”. Uses the curve given by y² = x³ + 486662x² + x over the prime field given by 2^255 − 19, and the base point x = 9. Supported apps: http://ianix.com/pub/curve25519-deployment.html
  101. The NSA & ECC. Attack method: tampered with Dual_EC_DRBG (a CSPRNG), which is part of the NIST SP 800-90A standard, to introduce a “backdoor”. Attack summary: the CSPRNG did not generate random points P & Q on the curve, meaning an attacker can recover the keys relatively easily from ciphertext.
  102. The Pirate Bay & ECC. BitTorrent is a peer-to-peer file transfer protocol co-ordinated by centralised trackers. Recently IPOs have sought IP and domain name blockades against index sites. August 2013: PirateBrowser launched. Coming soon: P2P darknet where authenticated index site DNS entries are mapped to their ECC public key.
  103–113. Summary (animated build, no text).
  114. The Now. RSA is still secure but consider using bigger keys soon. ECC support is nearly universal (OS, browser, switches/routers/etc.). ECC is growing because of faster performance, not “better” security. Attacks in the wild generally focus on implementations, not the mathematical theory.
  115. The Future. ECC is a stepping-stone technology. Advances in mathematics, computing power and models threaten the security of ECC and RSA. Lattice cryptography will be the next generation of non-quantum cryptosystems. Research into NP-intermediate and the rest of the complexity landscape.
  116. Thank you
  117–118. Resources: Lance Fortnow, “The Status of the P Versus NP Problem”, http://cacm.acm.org/magazines/2009/9/38904-the-status-of-the-p-versus-np-problem; M. du Sautoy, “Music of the Primes”; https://blogs.rsa.com/secure-crypto-lucky-thirteen-attack/; Bos, Joppe W., Marcelo E. Kaihara, and Peter L. Montgomery, “Pollard rho on the PlayStation 3”, Workshop record of SHARCS, vol. 9, 2009; Joye, Marc, and Michael Tunstall, Fault Analysis in Cryptography, Springer, 2012; Matthew Green, “The Many Flaws of Dual_EC_DRBG”, http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html
  119. James McGivern: ECC vs RSA: Battle of the Crypto-Ninjas
