Caveat - without the video these slides can be taken out of context, see Parleys for the full video.

RSA is the oldest kid in the public-key cryptography playground, and its position as toughest and fastest is under sharp competition from ECC (Elliptic Curve Cryptography). We look at the mathematical difference between the two cryptosystems, showing why ECC is faster and "harder" than RSA, and also very energy efficient, hence its unique advantage in the mobile space. We show how to use ECC in your Java and Android applications, before finally summarising the "state of the union" for RSA and ECC in the light of the Snowden leaks, and the likely near future for public-key cryptography.

Published in:
Technology


- 1. James McGivern ECC vs RSA: Battle of the Crypto-Ninjas Friday, 11 July 2014
- 2-3. About James: mathematician turned computer scientist, technical evangelist, lives in London, talks fast, likes cats, hates Marmite
- 5. Objectives: the basics (terminology, concepts, etc.); symmetric vs. asymmetric cryptography; RSA overview; theory of elliptic curves; elliptic curve cryptography (ECC); RSA vs. ECC (performance, security, etc.); using ECC; ECC "in the wild"
- 6. Please note. Aim: to provide enough basic information to "springboard" your own forays into cryptography. Not covered: history lessons (but maybe a tangent or two), proofs (rigorous or otherwise), key exchange protocols. I work for Cisco but all the views in this presentation are mine and do not reflect the views of Cisco.
- 7. Cryptography: Refresh
- 8. All hail Claude Shannon, godfather of communication theory, information theory, digital computing and digital circuit design, and modern cryptography. Proved that the cryptographic one-time pad is unbreakable. "The enemy knows the system."
- 9. Terminology: a plaintext document is encrypted with a cipher to produce ciphertext; decryption is the reverse of encryption; a cipher may use one or more keys.
- 10. Cryptanalysis: crypto-ninjas need to be constantly vigilant for attack.
- 11-15. Cryptanalysis can be classified by: computational resource requirements; degree of information exposure; degree of cryptosystem penetration. Do not underestimate stupidity, spies, traitors and other forms of social engineering.
- 16-18. Diffusion is a measure of how far the statistical structure of the plaintext is dissipated into the ciphertext. Confusion is a measure of the complexity of the relationship between the ciphertext and the key(s).
- 19. Kerckhoffs's principle: "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge."
- 20. Warning! Even crypto-ninjas can't herd cats.
- 21. A cipher class diagram. Classical: substitution, transposition, rotor machines. Modern: symmetric (secret key), split into stream and block ciphers; asymmetric (public key).
- 22. http://xkcd.com/927
- 23. Cryptographic standards are created by "trusted" authorities, e.g. NIST (US), ENISA (EU), CESG/HMG (UK). They define specific implementations of algorithms and protocols, including key sizes, random number and seed generators, and algorithm parameters. They allow in-depth cryptanalysis and ensure support in hardware and software applications.
- 24. Symmetric vs. Asymmetric Encryption
- 25-30. Alice and Bob: symmetric encryption (diagram build slides)
- 31-39. Alice and Bob: asymmetric encryption (diagram build slides)
- 40. Trapdoor Functions
- 41. The Mountains of Complexity
- 42. Turing machines: S, the set of symbols; Q, the set of states; q0 ∈ Q, the initial state; F ⊆ Q, the set of final states; δ, the transition function.
- 43. Decisions, decisions, decisions. Given some formal system, a decision problem is a statement that is either true or false, e.g.: given any two integers x and y, is (x/y) mod 2 = 0? Is the real part of every non-trivial zero of the Riemann zeta function 1/2? Does a given algorithm return a value within a finite amount of time?
- 44. P & NP. Decision problems in P can be solved in polynomial time on a deterministic Turing machine: sorting lists, the shortest path problem. A decision problem is in NP if a proposed solution can be verified in polynomial time on a deterministic Turing machine (equivalently, solved in polynomial time on a non-deterministic one): multi-body collision detection.
- 45. NP-hard & NP-complete. Not all problems in NP are equal! NP-complete problems are "the hardest problems in NP". A decision problem D is NP-complete if: 1. D is in NP; 2. every problem in NP is reducible to D in polynomial time. If only (2) holds then D is NP-hard.
- 46. P versus NP
- 47. RSA Dojo
- 48. RSA is a fundamental part of HTTPS/SSL. It is based on the integer factorisation problem, believed to be in NP and co-NP but not NP-complete. A factor is a number that divides evenly into another number, e.g. 20 has factors {1, 2, 4, 5, 10, 20}.
- 49. Primes, co-primes. A prime number is a natural number greater than 1 with no positive divisors except itself and 1. Two numbers p, q are co-prime iff their greatest common divisor is 1, i.e. gcd(p, q) = 1. Examples: gcd(15, 10) = 5, gcd(16, 10) = 2, gcd(17, 10) = 1.
- 50. Integer factorisation problem. The fundamental theorem of arithmetic proves that every integer n > 1 has a unique prime decomposition n = ∏ p_i^(a_i), where the p_i are prime numbers and the a_i positive integers. Examples: 15 = 5 · 3, 20 = 5 · 2^2.
- 51. Totatives & Euler's totient. A number t is a totative of n iff 0 < t < n and gcd(t, n) = 1. Euler's totient function of n is φ(n) = |T(n)|, where T(n) is the set of all totatives of n. Example: if n = 9 then T(9) = {1, 2, 4, 5, 7, 8} and φ(9) = |T(9)| = 6.
- 52. RSA key generation. Choose two prime numbers p and q. Compute n = pq. Compute φ(n) = φ(p)φ(q) = (p − 1)(q − 1). Choose an integer e s.t. 1 < e < φ(n) and gcd(e, φ(n)) = 1. Compute d = e^(−1) mod φ(n), i.e. ed ≡ 1 (mod φ(n)). Public key = (e, n). Private key = (d, n).
- 53. Encryption: given a message M, convert it to an integer m s.t. 0 < m < n using a padding scheme; the ciphertext is c = m^e mod n. Decryption: given a ciphertext c, compute m = c^d mod n and recover M by reversing the padding on m.
- 54. Caution! Picking the prime numbers is hard. If p or q are too small, or too close to each other (Fermat's method), security drops sharply. If p − 1 or q − 1 has only small prime factors, Pollard's p − 1 method factors n quickly.
- 55. Theory-based attacks: trial division, Euler's factorisation method, Fermat's method, wheel factorisation, quadratic sieve, general number field sieve, Pollard's ρ algorithm, Shor's algorithm (quantum).
- 56. Practical attacks (all against TLS implementations rather than the RSA problem itself). Man-in-the-middle: BEAST, a chosen-plaintext attack on CBC mode in TLS 1.0; CRIME & BREACH, compression side channels that leak secret cookies. Side channel: Lucky13, a timing attack on CBC padding checks. Bug: Heartbleed, a buffer over-read (not an overflow) in OpenSSL that leaks server memory.
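The RSA key generation and encryption steps of slides 52-53, together with two of the pitfalls on slide 54, as an added worked example (this is not code from the original deck). It builds a textbook key, encrypts and decrypts, then factors the modulus with Fermat's method when p and q are too close, and with Pollard's p − 1 method when p − 1 is smooth. The primes 10007, 10009 and 1009 and the function names are constructed for illustration; real keys use moduli of 2048 bits or more and pad the message (e.g. OAEP) before exponentiating.

```python
"""Textbook RSA plus two of the 'Caution!' pitfalls carried out as attacks.

Added example for the RSA slides, not code from the original deck.
The primes are constructed toy values; real keys use 2048-bit or larger
moduli, and real encryption pads m (e.g. OAEP) before exponentiating.
"""
from math import gcd, isqrt


def rsa_keygen(p, q, e=65537):
    """Slide 52: n = pq, phi = (p-1)(q-1), d = e^-1 mod phi.
    Returns ((e, n), (d, n)); raises if e is not usable with phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(e, phi(n)) = 1")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(pub, m):
    """Slide 53: c = m^e mod n for an integer 0 < m < n."""
    e, n = pub
    if not 0 < m < n:
        raise ValueError("message must be an integer in (0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    """Slide 53: m = c^d mod n."""
    d, n = priv
    return pow(c, d, n)


def fermat_factor(n, max_steps=10_000):
    """Fermat's method: write n = a^2 - b^2 = (a-b)(a+b).
    Starting from a = ceil(sqrt(n)), a^2 - n becomes a perfect square after
    about (p+q)/2 - sqrt(n) steps, which is tiny when p and q are close.
    Returns (p, q) or None if the step budget runs out."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_steps):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None


def pollard_p_minus_1(n, bound):
    """Pollard's p-1 method with smoothness bound B.
    If p-1 divides B! then 2^(B!) = 1 (mod p) by Fermat's little theorem,
    so gcd(2^(B!) - 1, n) is a multiple of p; unless q-1 also divides B!
    that gcd is exactly p.  Returns (p, n // p) or None."""
    a = 2
    for k in range(2, bound + 1):
        a = pow(a, k, n)          # a = 2^(k!) mod n after this step
    g = gcd(a - 1, n)
    if 1 < g < n:
        return g, n // g
    return None


def recover_private_key(pub, p, q):
    """Once n is factored, the attacker rebuilds d exactly as the owner did."""
    e, n = pub
    if p * q != n:
        raise ValueError("p * q does not equal n")
    return pow(e, -1, (p - 1) * (q - 1)), n


if __name__ == "__main__":
    # Constructed example 1: twin primes, so Fermat factors n in one step.
    pub, priv = rsa_keygen(10007, 10009)
    c = rsa_encrypt(pub, 42)
    print("decrypts to", rsa_decrypt(priv, c))
    p, q = fermat_factor(pub[1])
    print("Fermat recovered", p, q, "->", rsa_decrypt(recover_private_key(pub, p, q), c))
    # Constructed example 2: 1009 - 1 = 2^4 * 3^2 * 7 is 7-smooth, so p-1 wins
    # with bound 10 even though Fermat gives up (the primes are far apart).
    pub2, priv2 = rsa_keygen(1009, 10007)
    print("Fermat within 100 steps:", fermat_factor(pub2[1], max_steps=100))
    print("Pollard p-1:", pollard_p_minus_1(pub2[1], 10))
```

Fermat's method needs only about (p + q)/2 − √n steps, so twin primes fall in one step while well-separated primes exhaust the budget; Pollard's p − 1 does not care how far apart the primes are, only how smooth p − 1 is. A key generator has to reject both cases, which is what the slide means by "picking the prime numbers is hard".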
- 57. A Detour through the Garden of Mathematics
- 58. Abstract algebra. An algebraic structure is composed of one or more sets with one or more n-ary operations defined on them. It underpins a great deal of modern science: codes, symmetries, dynamical systems. A beautiful example of mathematics at work.
- 59. Nota bene! Mathematics is a precise language, the notation less so. Different branches of maths use the same symbol to mean different things. There are some "rules" which, if you don't know them, can be confusing. In abstract algebra we use + and •, which are not always numeric addition and multiplication. Mathematicians are lazy: a • b = ab.
- 60. Groups. A group G is a pair G(S, •) where S is a set and • a binary operator that satisfies: closed: ∀ a, b ∈ S, a • b ∈ S; associative: ∀ a, b, c ∈ S, (a • b) • c = a • (b • c); identity element: ∃ e ∈ S s.t. ∀ a ∈ S, e • a = a • e = a; inverse element: ∀ a ∈ S, ∃ b ∈ S s.t. a • b = b • a = e.
- 61. Abelian groups. A group G(S, •) is an abelian (or commutative) group if it also satisfies the commutativity condition: ∀ a, b ∈ S, a • b = b • a.
- 62. Rings. A ring R is a tuple R(S, +, •) satisfying the 8 ring axioms: 1-4, (S, +) is an abelian group; 5-6, (S, •) is a monoid; 7-8, distributivity. If the • operator is commutative then R is a commutative ring.
- 63. Fields. A field F is a tuple F(S, +, •) where (S, +) and (S \ {0}, •) are abelian groups (0 being the additive identity) and distributivity holds, i.e. ∀ a, b, c ∈ S: a • (b + c) = (a • b) + (a • c) and (a + b) • c = (a • c) + (b • c). Every field is a ring but not every ring is a field.
- 64. Mathematics of Elliptic Curves
- 65. Foreword: elliptic curves have (almost) nothing to do with ellipses, so put ellipses and conic sections out of your thoughts.
- 66. An elliptic curve E defined over a field k is the curve given by the equation y^2 = x^3 + Ax + B with A, B, x, y ∈ k, where 4A^3 + 27B^2 must be non-zero (this discriminant condition rules out cusps and self-intersections, so the tangent used in point addition always exists). We define E(k) as the set of all points on E over k together with the point at infinity Θ.
- 67. Lies, lies, lies. In general an elliptic curve is given by the Weierstrass equation y^2 + Axy + By = x^3 + Cx^2 + Dx + E with A, B, C, D, E, x, y ∈ k. Whenever the characteristic of k is not 2 or 3, a change of variables makes A, B and C zero, which gives the short form y^2 = x^3 + Ax + B used throughout.
- 68. Elliptic curves over prime fields. An elliptic curve E defined over Z_p is given by y^2 ≡ x^3 + Ax + B (mod p), with 4A^3 + 27B^2 ≢ 0 (mod p), where p is a prime number and Z_p is the set of integers {0, ..., p − 1} with modulo-p arithmetic.
- 71. Adding points on a curve. Given two points P and Q on an elliptic curve, how do we produce a third point R = P + Q, also on the curve? 1. If P ≠ Q, draw the line through P and Q and extend it until it meets the curve again; if P = Q, use the tangent at P instead. This third intersection point is −(P + Q), i.e. −R. 2. Reflect it in the x-axis (draw the line through it parallel to the y-axis until it meets the curve again) to obtain R = P + Q.
- 72-74. Case 0: the line through P and Q is not parallel to the y-axis; it meets the curve at −R, which reflects to R.
- 75-77. Case 1: P = Q; the tangent at P meets the curve at −R, which reflects to R.
- 78-79. Case 2: Q = −P; the line through P and Q is parallel to the y-axis and meets the curve only at infinity, so R = Θ.
- 80. Point addition. The set of all points on E over k, E(k), forms a group (E(k), +) under the point addition operator. Recall the group properties: P + Θ = Θ + P = P [identity element]; P + (−P) = Θ [inverse element]; P + (Q + R) = (P + Q) + R [associative]; P + Q ∈ E(k) [closed], for all P, Q, R ∈ E(k).
- 81. Point multiplication. Multiplication of a point by a scalar integer is defined by n • P = P + P + ... + P (n times). Examples: 2P = P + P; −3P = (−P) + (−P) + (−P); 0P = Θ. Computed by double-and-add, n • P costs O(log n) point operations rather than n − 1 general additions, which is what makes it practical for cryptographic-size n.
- 82. Elliptic Curve Cryptography
- 83. Elliptic curve cryptography uses elliptic curves over finite fields. A prime curve is defined over Z_p; a binary curve is defined over GF(2^m). Hardware implementations of binary-curve systems are both small and fast; prime curves are typically used in software implementations.
- 84. Discrete logarithm problem: given x, y in some group G, find k such that x^k = y, where x^k = x • x • ... • x (k times). If G is the group of points on an elliptic curve we define the elliptic curve discrete logarithm problem (ECDLP) as: given P, Q ∈ G, find k such that Q = k • P.
- 85. ECDLP complexity. The elliptic curve discrete logarithm problem is in NP and co-NP and is not thought to be NP-complete or NP-hard. As key size increases, the performance of implementations decreases.
- 86. Domain parameters. p: the prime that defines the field F_p in which the curve operates; all point operations are taken modulo p. a, b: the two coefficients (integers mod p) that define the curve. G: the generator or base point, a fixed point on the curve from which every key is derived. n: the order of the generator point G, i.e. the smallest n > 0 with n • G = Θ. h: the cofactor of the curve, the number of curve points #E(F_p) divided by n.
- 87. Key generation. Generating an ECC keypair is cheap. The private key is a random integer d_A such that 0 < d_A < n. The public key Q_A is obtained by scalar multiplication of the generator point G by the private key: Q_A = d_A • G. Note that the public and private keys are not interchangeable as in RSA, where both are integers: the private key d_A is an integer but the public key Q_A is a point on the curve.
- 88. Encryption. First choose a random number r such that 0 < r < n. Then calculate the "session" point R by multiplying r with the generator point of the curve: R = r • G. Also derive a secret point using the recipient's public key: S = r • Q_A. R is transmitted publicly with the message, and from the point S a symmetric key is derived with which the message is encrypted, e.g. using AES.
- 89. Decryption. Given an encrypted message and the session point R, how do you recover S to decrypt the message? S = d_A • R = d_A • (r • G) = r • (d_A • G) = r • Q_A.
- 90. Caution! ECC security depends on domain parameter generation and validation (poor curve choice) and on key size; even small differences in parameters can significantly change the security.
- 91. Theory-based attacks (n the order of the group): brute force O(n); baby-step giant-step O(√n); Pollard's ρ algorithm for logarithms, O(√n) with a constant of about 0.886 when the negation map is used; index-calculus methods such as the function field sieve apply to discrete logarithms in finite fields, not to well-chosen elliptic curve groups, which is why ECC keys can be so much shorter than RSA keys; Shor's algorithm for logarithms, O((log n)^3) on a quantum computer.
- 92. Practical attacks. Side-channel attacks (passive): differential power analysis, timing attacks, zero-value point attacks. Fault analysis attacks (active): safe-error analysis, invalid point and invalid curve attacks (always check that a received point lies on the expected curve, and in the order-n subgroup, before using it).
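The curve arithmetic of slides 66-81 and the key generation, encryption and decryption of slides 87-89, as an added worked example (not code from the original deck), together with the baby-step giant-step attack from slide 91 and the point validation whose absence the invalid point/curve attacks on slide 92 exploit. The curve y^2 = x^3 + 2x + 2 over Z_17 with generator (5, 1) is a constructed toy with 19 points; the function names are my own.

```python
"""Toy elliptic-curve arithmetic and the ECC key exchange from the slides.
Added example, not code from the original deck.  The curve y^2 = x^3 + 2x + 2
over Z_17 with generator (5, 1) is a constructed textbook-sized toy (19 points),
so every attack below finishes instantly.  Real systems use standardised curves
from a vetted library; the function names here are my own."""
import secrets
from math import isqrt

P = 17          # field prime (toy value)
A, B = 2, 2     # 4A^3 + 27B^2 = 140 = 4 (mod 17): discriminant is non-zero
G = (5, 1)      # generator: 1^2 = 1 = 5^3 + 2*5 + 2 (mod 17)
INF = None      # the point at infinity, Θ on the slides

def is_on_curve(pt):
    """True for Θ and for any (x, y) satisfying y^2 = x^3 + Ax + B (mod p)."""
    return pt is INF or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def neg(pt):
    """-(x, y) = (x, -y): the reflection used in the chord-and-tangent rule."""
    return INF if pt is INF else (pt[0], (-pt[1]) % P)

def add(p1, p2):
    """Point addition covering the three cases on slides 72-79."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                         # case 2: Q = -P
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P   # case 1: tangent
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P          # case 0: chord
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P                        # reflect -R to R
    return (x3, y3)

def mul(k, pt):
    """Scalar multiplication k*pt by double-and-add: O(log k) group operations."""
    if k < 0:
        return mul(-k, neg(pt))
    result, addend = INF, pt
    while k:
        if k & 1:
            result = add(result, addend)
        addend = add(addend, addend)
        k >>= 1
    return result

def order(pt):
    """Order n of pt: smallest n > 0 with n*pt = Θ (brute force, toy sizes only)."""
    n, acc = 1, pt
    while acc is not INF:
        acc, n = add(acc, pt), n + 1
    return n

N = order(G)    # domain parameter n; #E(Z_17) = 19 is prime, so the cofactor h = 1

def keygen(d=None):
    """Slide 87: private key d in (0, n), public key Q = d*G."""
    if d is None:
        d = 1 + secrets.randbelow(N - 1)
    return d, mul(d, G)

def check_point(pt):
    """Reject Θ, off-curve points and points outside the order-n subgroup;
    skipping this is what the invalid point/curve attacks on slide 92 exploit."""
    if pt is INF or not is_on_curve(pt) or mul(N, pt) is not INF:
        raise ValueError("not a valid point of order n on the curve")
    return pt

def encrypt_shared_point(q_recipient, r=None):
    """Slide 88: R = r*G travels with the message, S = r*Q seeds the symmetric key."""
    check_point(q_recipient)
    if r is None:
        r = 1 + secrets.randbelow(N - 1)
    return mul(r, G), mul(r, q_recipient)

def decrypt_shared_point(d, r_point):
    """Slide 89: S = d*R = d*(r*G) = r*(d*G) = r*Q."""
    return mul(d, check_point(r_point))

def bsgs(q_point, base=G, n=None):
    """Baby-step giant-step (slide 91): find k with k*base = q_point in O(sqrt n).
    Feasible only because n is tiny; on a real curve this is the ECDLP."""
    n = n or N
    m = isqrt(n) + 1
    baby, acc = {}, INF
    for j in range(m):                      # baby steps: j*base for j < m
        baby.setdefault(acc, j)
        acc = add(acc, base)
    giant_step, gamma = neg(mul(m, base)), q_point
    for i in range(m):                      # giant steps: q - i*m*base
        if gamma in baby:
            return (i * m + baby[gamma]) % n
        gamma = add(gamma, giant_step)
    return None
```

Both sides arrive at the same S, and bsgs(Q) recovers d from the public key in a handful of steps because n = 19; on a 256-bit curve the same algorithm needs about 2^128 steps, which is the whole point. check_point is the part most often missing from real implementations: without it a sender can submit a point that lies on a different, weaker curve and learn d from the responses.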
- 93. RSA vs. ECC
- 94. Security. ECC is not "more secure" than RSA: both rely on mathematical problems believed to be hard, and neither problem is NP-complete or NP-hard. As (quantum) computers become more powerful, both ECC and RSA are in trouble: Shor's algorithm handles factoring and discrete logarithms alike.
- 95. Performance. 1. Shorter keys give the same strength as much longer RSA keys (in general 256-bit ECC is equivalent to 3072-bit RSA). 2. Low CPU consumption. 3. Low memory usage. 4. (2) & (3) ⇒ lower energy. 5. Fast key generation. 6. Processing ECC SSL certificates is 2x faster.
- 96. Pairing. Pairings allow a 3-party key exchange and cryptosystems built on it. Useful for example in financial transactions: buyer, seller and bank. An active area of research, especially in identity-based encryption (IBE), primarily using elliptic curves.
- 97. ECC "in the Wild"
- 98. ECC & Java. JCA: java.security (javax.security is deprecated). JCE: Oracle JCE plus its policy files. The Legion of the Bouncy Castle provider.
- 99. Standardised ECC. NIST curve P-224 (the prime and K below are P-224's parameters, although the original slide labels them P-256): y^2 = x^3 − 3x + K modulo p = 2^224 − 2^96 + 1, where K = 18958286285566608000408668544493926415504680968679321075787234672564; P-256 itself uses p = 2^256 − 2^224 + 2^192 + 2^96 − 1. secp256k1: y^2 = x^3 + 7 modulo p = 2^256 − 2^32 − 977. SafeCurves (http://safecurves.cr.yp.to/) lists both the NIST prime curves and secp256k1 as failing some of its criteria, so neither should be read as "safe" on that scale.
- 100. Curve25519 is a high-speed Diffie-Hellman function growing in popularity and becoming the "default setting". It uses the curve y^2 = x^3 + 486662x^2 + x over the prime field of 2^255 − 19, with base point x = 9. Supporting applications: http://ianix.com/pub/curve25519-deployment.html
- 101. The NSA & ECC. Attack method: Dual_EC_DRBG, a CSPRNG that is part of the NIST SP 800-90A standard, was tampered with to introduce a "backdoor". Attack summary: the generator's two curve points P and Q are fixed constants rather than randomly generated points, and whoever chose them can know the secret scalar relating them. With that secret, about 32 bytes of the generator's output (for example a TLS nonce) are enough to recover its internal state and predict every later output, including any keys drawn from it.
- 102. The Pirate Bay & ECC. BitTorrent is a peer-to-peer file transfer protocol coordinated by centralised trackers. Recently IP owners have sought IP and domain name blockades against index sites. August 2013: PirateBrowser launched. Coming soon: a P2P darknet in which authenticated index-site DNS entries are mapped to their ECC public keys.
- 103-113. Summary (build slides)
- 114. The now. RSA is still secure, but consider using bigger keys soon. ECC support is nearly universal (OS, browser, switches/routers, etc.). ECC is growing because of faster performance, not "better" security. Attacks in the wild generally target implementations, not the mathematical theory.
- 115. The future. ECC is a stepping-stone technology. Advances in mathematics, computing power and models threaten the security of ECC and RSA. Lattice cryptography will be the next generation of non-quantum cryptosystems. Research into NP-intermediate problems and the rest of the complexity landscape.
- 116. Thank you
- 117-118. Resources: Lance Fortnow, "The Status of the P Versus NP Problem", http://cacm.acm.org/magazines/2009/9/38904-the-status-of-the-p-versus-np-problem; Marcus du Sautoy, "The Music of the Primes"; https://blogs.rsa.com/secure-crypto-lucky-thirteen-attack/; Bos, Joppe W., Marcelo E. Kaihara, and Peter L. Montgomery, "Pollard rho on the PlayStation 3", Workshop record of SHARCS, vol. 9, 2009; Joye, Marc, and Michael Tunstall, Fault Analysis in Cryptography, Springer, 2012; Matthew Green, "The Many Flaws of Dual_EC_DRBG", http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html
