
# Elliptic Curves in Cryptography


Boston CSNP - January 2020

Published in: Technology

### Elliptic Curves in Cryptography

1. ELLIPTIC CURVES IN CRYPTOGRAPHY
   - Emily Stamm
2. OUTLINE
   - Cryptography
   - Elliptic Curves
   - Elliptic Curve Diffie-Hellman Key Exchange
   - Quantum Computing
   - Isogenies
   - Supersingular Isogeny Diffie-Hellman
3. INTRODUCTION
4. WHAT IS CRYPTOGRAPHY?
   - Cryptography: from Greek kryptós "secret" and graphein "write"
   - Secure communication in the presence of third parties
   - Confidentiality: restrict the access of information
   - Integrity: verify that data has not been altered (maliciously or accidentally)
   - Authentication: verify the identity of a party
   - Hard Math Problems: the strength of the algorithm relies on the hardness of some underlying math problem
5. WHAT IS GOOD CRYPTOGRAPHY?
   - Key Secrecy: secret piece of information used to uncover information
   - Hard Math Problems: the strength of the algorithm relies on the hardness of some underlying math problem
   - Proper Implementation: algorithms must be correctly implemented so as not to leak information
6. PUBLIC KEY CRYPTOGRAPHY
   - Public Key Cryptography: there is a public key and a private key
   - Asymmetric Encryption: data is encrypted with the public key and can only be decrypted with the private key
     - e.g. RSA
   - Key Establishment: parties establish a shared secret key
     - e.g. Diffie-Hellman, RSA
   - Digital Signatures: data is signed with a private key and can be verified with the public key
     - e.g. RSA, DSA
7. ELLIPTIC CURVES
8. ELLIPTIC CURVE
   - An Elliptic Curve $E$ (in Weierstrass form) is a curve consisting of solutions to the equation $y^2 = x^3 + ax + b$, plus a 'point at infinity' denoted $0_E$, where $4a^3 + 27b^2$ is nonzero
9. ELLIPTIC CURVE ADDITION
   - We define Elliptic Curve Addition, an operation that takes two points $P$, $Q$ on the curve and returns another point on the elliptic curve: $P + Q = R$
   - Not coordinate-wise addition: adding the coordinates of two points does not produce another point on the elliptic curve
   - Instead, we define Elliptic Curve Addition geometrically by this rule: the sum of points on a line intersecting an elliptic curve is zero (the point at infinity)
   - Points on an Elliptic Curve with Elliptic Curve Addition form a group
   - (Hughes, 2019)
10. ELLIPTIC CURVE ADDITION
    - Let's sum $P$ and $Q$…
11. ELLIPTIC CURVE ADDITION
    - We draw a line through $P$ and $Q$
    - $P + Q + R = 0_E$
    - So $P + Q = -R$
12. ELLIPTIC CURVE ADDITION
    - We draw a vertical line through $R$
    - $R + (-R) + 0_E = 0_E$
    - $-R = (-R)$
    - $P + Q = -R$
13. ELLIPTIC CURVE ADDITION
    - Let's sum $P$ and $P$…
14. ELLIPTIC CURVE ADDITION
    - Draw a line tangent to $P$
    - Intersects at $R$, so $P + P + R = 0_E$
15. ELLIPTIC CURVE ADDITION
    - We draw a vertical line through $R$
    - $R + (-R) + 0_E = 0_E$
    - $-R = (-R)$
    - $P + P = -R$
16. ELLIPTIC CURVE MULTIPLICATION
    - We define the elliptic curve multiplication-by-$n$ map, which takes a point $P$ and produces a point $[n]P = Q$ on the elliptic curve by repeatedly adding $P$ to itself
    - $[n]P = P + P + \dots + P$ ($n$ times)
    - (Leuven, 2019)
17. ELLIPTIC CURVES OVER FINITE FIELDS
    - In cryptography, we care about Elliptic Curves over finite fields, meaning we look at the same equation but modulo $q$
    - A (Weierstrass) Elliptic Curve $E$ over the finite field $\mathbb{F}_q$ consists of points satisfying $y^2 = x^3 + ax + b \pmod{q}$, along with the point at infinity $0_E$, where $4a^3 + 27b^2$ is nonzero modulo $q$
    - Each x-coordinate has 2 y-coordinates equally spaced from the horizontal line $y = q/2$
    - Figure: graph of $E: y^2 = x^3 - 7x + 10 \pmod{q}$ where $q = 19, 97, 127, 487$ (Corbellini, 2015)
18. ELLIPTIC CURVES OVER FINITE FIELDS: TORUS
    - The symmetries are better understood when viewed as points on a torus
    - We can still perform EC Addition (and hence EC Multiplication) by drawing a line through points
    - (Hughes, 2019)
19. ELLIPTIC CURVE CRYPTOGRAPHY
20. ELLIPTIC CURVE CRYPTOGRAPHY
    - Public key cryptography based on elliptic curves includes
      - Elliptic Curve Digital Signature Algorithm (ECDSA)
      - Elliptic Curve Diffie-Hellman (ECDH)
      - Elliptic Curve Integrated Encryption Scheme (ECIES)
    - Classical cryptography, very similar to RSA, but using the additive elliptic curve group instead of the multiplicative group of integers
    - Hardness is based on solving the Elliptic Curve Discrete Log Problem
    - ECC compared to RSA has
      - Smaller key sizes for the same security parameters
      - Flexibility: many parameters can be switched or adjusted, including the curve used and the modulus
      - Better security, as there is a classical sub-exponential algorithm for regular Discrete Log but not for solving EC Discrete Log
    - Libraries
      - PyCryptodome
      - NaCl
      - OpenSSL
    - (de Quehen, 2018)
21. Elliptic Curve Diffie-Hellman
    - Public Key
      - Prime $q$
      - Elliptic Curve $E: y^2 = x^3 + ax + b$
      - Generator $G$ of $E(\mathbb{F}_q)$
    - Alice Private Key: integer $a$
    - Bob Private Key: integer $b$
    - Alice computes $A = a[G]$; Alice sends $A$ to Bob
    - Bob computes $B = b[G]$; Bob sends $B$ to Alice
    - Alice computes the secret point $K = a[B]$
    - Bob computes the secret point $K = b[A]$
    - Eve can only find $K$ if she can solve the Elliptic Curve Discrete Log Problem: given $A$, $G$, find $a$ such that $A = a[G]$
22. JANUARY 2020 CRITICAL WINDOWS VULNERABILITY
    - Critical vulnerability in Windows Crypt32.dll
    - Allows for a devastating spoofing attack on ECDSA
    - This is an attack on an incorrect implementation of ECDSA, not on the elliptic curve algorithm or the mathematics itself
    - The Signature Verification algorithm does not verify that the correct generating point $G$ is used
    - This allows an attacker to create their own public point $G'$ for the same curve and other public parameters, for which they now have their own private key
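Slides 21 and 22 in code, as an added example that is not part of the deck: ECDH on the slide-17 curve with q = 97, followed by a key-matching check that pins the generator G. The base point G = (1, 2), the scalars 127 and 131, the record layout and all function names are assumptions made for illustration; `match_q_only` is a simplified model of the flaw as the slide states it, not Crypt32.dll's code.

```python
# Toy curve from slide 17: y^2 = x^3 - 7x + 10 (mod 97). Far too small for real use.
Q_MOD, A, B = 97, -7, 10
G = (1, 2)   # assumed base point (2^2 = 1 - 7 + 10); the deck does not fix one
O = None     # point at infinity 0_E

def on_curve(P):
    return P is O or (P[1] ** 2 - (P[0] ** 3 + A * P[0] + B)) % Q_MOD == 0

def add(P, R):
    """Chord-and-tangent addition (slides 9-15), computed mod q."""
    if P is O: return R
    if R is O: return P
    (x1, y1), (x2, y2) = P, R
    if x1 == x2 and (y1 + y2) % Q_MOD == 0:
        return O                                   # vertical line: P + (-P) = 0_E
    if P == R:
        s = (3 * x1 * x1 + A) * pow(2 * y1 % Q_MOD, -1, Q_MOD)    # tangent slope
    else:
        s = (y2 - y1) * pow((x2 - x1) % Q_MOD, -1, Q_MOD)         # chord slope
    x3 = (s * s - x1 - x2) % Q_MOD
    return (x3, (s * (x1 - x3) - y1) % Q_MOD)

def mul(n, P):
    """[n]P by double-and-add (slide 16)."""
    acc = O
    while n:
        if n & 1:
            acc = add(acc, P)
        P, n = add(P, P), n >> 1
    return acc

def shared(priv, peer_pub):
    """One side of slide 21: validate the received point, then multiply by own key."""
    if peer_pub is O or not on_curve(peer_pub):
        raise ValueError("rejecting invalid peer point")
    return mul(priv, peer_pub)

def match_q_only(trusted, presented):
    """Model of the slide-22 flaw: the generator is never compared."""
    return presented["Q"] == trusted["Q"]

def match_full(trusted, presented):
    """Hardened: every domain parameter, G included, must equal the trusted one."""
    return all(presented[k] == trusted[k] for k in ("q", "a", "b", "G", "Q"))

ROOT = {"q": Q_MOD, "a": A, "b": B, "G": G, "Q": mul(127, G)}   # constructed trusted key
SPOOFED = dict(ROOT, G=(2, 2))   # constructed: same Q, different generator G'

if __name__ == "__main__":
    print(shared(127, mul(131, G)), match_q_only(ROOT, SPOOFED), match_full(ROOT, SPOOFED))
```

Scalars act modulo the order of G, so 127 and 131 behave like smaller keys on this 97-element field; the point is only that both sides reach the same K and that a record with a substituted generator fails the full comparison.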
23. QUANTUM COMPUTING
24. QUANTUM COMPUTING & CRYPTOGRAPHY
    - A Quantum Computer is a new type of computer based on quantum physics rather than classical physics
    - The fundamental unit is a qubit, or quantum bit, that can be any linear combination of 0 and 1
    - Takes advantage of quantum phenomena to perform some tasks much more efficiently
      - E.g. entanglement, parallelism, interference
    - Quantum algorithms exist that can break our current public key cryptography (RSA, ECC) based on the abelian hidden subgroup problem by efficiently finding the period
    - Figure: IBM Q Cryostat used to keep IBM's 50-qubit quantum computer cold
    - Figure: DWAVE Quantum Computer
25. POST-QUANTUM CRYPTOGRAPHY
    - NIST competition to choose new Public Key Cryptography: cryptography that runs on our current computers but is conjectured to be secure against quantum and classical attacks
    - Lattice-Based Cryptography: learning with errors; find the shortest vector on a lattice
    - Code-Based Cryptography: error correcting codes
    - Multivariate Cryptography: equations in multiple variables
    - Hash-Based Cryptography: hashed functions
    - Isogeny-Based Cryptography: maps between elliptic curves
26. ISOGENIES: MAPS BETWEEN ELLIPTIC CURVES
27. ISOGENY
    - An isogeny is a rational map $f : E_1 \to E_2$ between elliptic curves
    - Group Morphism: $f$ preserves the elliptic curve group structure
    - If an isogeny exists, we say that $E_1$ and $E_2$ are isogenous
    - Being isogenous is an equivalence relation
    - Isogenies $f : E_1 \to E_2$ correspond to their kernels, i.e. $\ker(f) = \{P \in E_1 : f(P) = 0\}$
    - We say an isogeny $f$ is of degree $l$ (or an $l$-isogeny) if the kernel of $f$ contains $l$ points ($\#\ker(f) = l$)
28. ORDINARY AND SUPERSINGULAR
    - We define the endomorphism ring of $E$ to be all the isogenies from $E$ to $E$: $\mathrm{End}(E) = \{f : E \to E \mid f \text{ is an isogeny}\}$
    - We can classify elliptic curves as
      - Ordinary: $\mathrm{End}(E)$ is an order in a quadratic imaginary number field (abelian)
      - Supersingular: $\mathrm{End}(E)$ is a maximal order in a quaternion algebra (non-abelian)
    - Isogeny graphs
      - Nodes: Elliptic Curves (labeled by j-invariant)
      - Edges: $l$-isogenies
      - Note: any two curves on the graph are isogenous (because being isogenous is an equivalence relation), but neighbors are $l$-isogenous
    - Ordinary isogeny graphs have a nice volcano structure
    - Supersingular isogeny graphs are messy Ramanujan graphs
      - $(l + 1)$-regular graphs
    - Figure: Supersingular Isogeny Graph (Lauter, 2017)
    - Figure: Ordinary Isogeny Graph (De Feo, Kieffer, Smith, 2018)
29. SIDH: SUPERSINGULAR ISOGENY DIFFIE-HELLMAN
30. ISOGENY-BASED CRYPTOGRAPHY
    - Public key cryptography based on maps between elliptic curves
    - Post-Quantum Cryptography: conjectured to be secure against quantum attacks
    - Hardness based on Path Finding in Supersingular Isogeny Graphs
      - i.e. given elliptic curves $E_1$, $E_2$, find an isogeny between them
    - Compared to other forms of cryptography
      - Very new technology based on a very different but well understood math problem
      - Small key sizes
      - Slower than other post-quantum cryptography, but has not been optimized
    - Libraries
      - Microsoft PQCrypto-SIDH
      - CloudFlare
    - (Leuven, 2019)
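31. Supersingular Elliptic Curve DH (Wrong)
    - $E$, supersingular elliptic curve
    - Alice Private Key: point on $E$: $A$; isogeny $f : E \to E/\langle A \rangle$
    - Bob Private Key: point on $E$: $B$; isogeny $g : E \to E/\langle B \rangle = E_B$
    - Curves shown between Alice and Bob: $E/\langle A \rangle$, $E/\langle B \rangle$
    - $f' : E/\langle B \rangle \to (E/\langle B \rangle)/\langle A \rangle$
    - $g' : E/\langle A \rangle \to (E/\langle A \rangle)/\langle B \rangle$
    - $(E/\langle B \rangle)/\langle A \rangle = E/\langle A, B \rangle = (E/\langle A \rangle)/\langle B \rangle$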
32. Supersingular Elliptic Curve DH (Wrong)
    - Alice Private Key: point on $E$: $A$; isogeny $f : E \to E/\langle A \rangle$
    - Bob Private Key: point on $E$: $B$; isogeny $g : E \to E/\langle B \rangle = E_B$
    - $f' : E/\langle B \rangle \to E/\langle A, B \rangle = (E/\langle B \rangle)/\langle A \rangle$
    - Problem: $\langle A \rangle$ is a subgroup of $E$, not of $E/\langle B \rangle$
    - $\langle g(A) \rangle$ is a subgroup of $E/\langle B \rangle$
    - So really, $E/\langle A, B \rangle = (E/\langle B \rangle)/\langle g(A) \rangle$
    - But Alice doesn't know $g$: that's Bob's private key. Alice doesn't want to send $A$: that's her private key
    - How do we compute $g(A)$?
33. Supersingular Elliptic Curve DH
    - Alice Private Key: integers $m$ and $n$; point $A = [m]P + [n]Q$; isogeny $f : E \to E/\langle A \rangle$
    - Bob Private Key: integers $m_B$, $n_B$; point $B = [m_B]P_B + [n_B]Q_B$; isogeny $g : E \to E/\langle B \rangle$
    - Bob sends: $E/\langle B \rangle$, $g(P)$, $g(Q)$
    - $f' : E/\langle B \rangle \to E/\langle A, B \rangle = (E/\langle B \rangle)/\langle g(A) \rangle$
    - Solution: create the private point $A$ as a secret linear combination of two public points $P$, $Q$
    - Now Bob can send Alice $g(P)$, $g(Q)$
    - Which Alice can use to compute $g(A)$ as follows:
      - $g(A) = g(mP + nQ) = [m]g(P) + [n]g(Q)$, because $g$ preserves group structure
    - Now Alice can get
      - $E/\langle A, B \rangle = (E/\langle B \rangle)/\langle g(A) \rangle$
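34. Supersingular Elliptic Curve DH
    - $E$, supersingular elliptic curve
    - Alice Private Key: integers $m$ and $n$; point $A = [m]P + [n]Q$; isogeny $f : E \to E/\langle A \rangle$
    - Bob Private Key: integers $m_B$, $n_B$; point $B = [m_B]P_B + [n_B]Q_B$; isogeny $g : E \to E/\langle B \rangle$
    - Bob → Alice: $E/\langle B \rangle$, $P_B$, $Q_B$, $g(P)$, $g(Q)$
    - Alice → Bob: $E/\langle A \rangle$, $P$, $Q$, $f(P_B)$, $f(Q_B)$
    - Vélu's formula to get $f'$: $f' : E/\langle B \rangle \to (E/\langle B \rangle)/\langle g(A) \rangle$
    - $g' : E/\langle A \rangle \to (E/\langle A \rangle)/\langle f(B) \rangle$
    - $(E/\langle B \rangle)/\langle g(A) \rangle = E/\langle A, B \rangle = (E/\langle A \rangle)/\langle f(B) \rangle$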
35. Supersingular Isogeny Diffie-Hellman
    - Public Key
      - Primes $l_A$, $l_B$, and $p = l_A^{d} \, l_B^{e} \, f + 1$
      - Supersingular Elliptic Curve $E$ over $\mathbb{F}_q$, $q = p^2$
      - Points $P_A$, $Q_A$ (basis for the $l_A^{d}$ torsion subgroup)
      - Points $P_B$, $Q_B$ (basis for the $l_B^{e}$ torsion subgroup)
    - Alice Private Key: integers $m_A$, $n_A$; point $A = [m_A]P_A + [n_A]Q_A$; isogeny $f : E \to E/\langle A \rangle = E_A$
    - Bob Private Key: integers $m_B$, $n_B$; point $B = [m_B]P_B + [n_B]Q_B$; isogeny $g : E \to E/\langle B \rangle = E_B$
    - Alice computes new points on $E_A$: $R_A = f(P_B)$ and $S_A = f(Q_B)$
    - Alice sends curve $E_A$ and points $R_A$, $S_A$
    - Bob computes new points on $E_B$: $R_B = g(P_A)$ and $S_B = g(Q_A)$
    - Bob sends curve $E_B$ and points $R_B$, $S_B$
    - Alice computes a new isogeny with kernel $= \langle A, B \rangle$: $E \to E_B/\langle g(A) \rangle = E/\langle A, B \rangle$
    - Bob computes a new isogeny with kernel $= \langle A, B \rangle$: $E \to E_A/\langle f(B) \rangle = E/\langle A, B \rangle$
    - Shared Secret Key $K$: $K$ = j-invariant of $E/\langle A, B \rangle$
    - Eve can only find $K$ if she can compute $g(A)$ or $f(B)$, which she can get from $g$ or $f$ if she can find the isogeny between $E$ and $E_A$ or $E_B$
36. WHAT DOES THIS HAVE TO DO WITH PATH FINDING?
    - (Leuven, 2019)
37. CONCLUSIONS
    - Cryptography: secure communication in the presence of third parties.
    - Public Key Cryptography: cryptography using two keys, a public and a private key (or two private in DH).
    - Elliptic Curves: a mathematical curve represented by an equation in two variables (x cubic, y quadratic). We can define elliptic curve addition by stating that the sum of points on a line is 0. This forms an additive group.
    - Elliptic Curve Diffie-Hellman: a way to create a shared secret using the elliptic curve additive group instead of the usual integers mod m. Hardness is based on the Elliptic Curve Discrete Log Problem.
    - Quantum Computing: a new form of computing that uses quantum physics. Can perform certain tasks much more efficiently, such as solving the (EC) Discrete Log Problem, and hence breaks classical public key cryptography.
    - Isogenies: maps between elliptic curves that preserve structure. We can create Isogeny Graphs, where nodes = elliptic curves and edges = isogenies.
      - Ordinary (simple volcano graph)
      - Supersingular (messy graph)
    - Supersingular Isogeny Diffie-Hellman: does not have the same abelian structure and is conjectured to be quantum-resistant.
      - Public Key: elliptic curve, primes, points
      - Private Key: secret isogeny (map) with kernel generated by a secret point
38. THANK YOU
    - Emily Stamm
      - Security Researcher at Allstate
      - CSNP Vice President
    - For more information on CSNP:
      - Website: csnp.org
      - Instagram: cybersecuritynp
    - Contact Info
      - Email: emily.stamm@cnsp.org
      - LinkedIn: linkedin.com/in/emily-stamm/
      - Instagram: instagram.com/crypto.emily
39. REFERENCES
    - Mark Hughes, How Elliptic Curve Cryptography Works, 2019. https://www.allaboutcircuits.com/technical-articles/elliptic-curve-cryptography-in-embedded-systems/
    - Andrea Corbellini, Elliptic Curve Cryptography: finite fields and discrete logarithms, 2015. https://andrea.corbellini.name/2015/05/23/elliptic-curve-cryptography-finite-fields-and-discrete-logarithms/
    - KU Leuven, Elliptic Curves Are Quantum Dead, Long Live Elliptic Curves, 2019. https://www.esat.kuleuven.be/cosic/elliptic-curves-are-quantum-dead-long-live-elliptic-curves/
    - Kristen Lauter, "Where cryptography and quantum computing intersect", Microsoft Research Blog, 2017. https://www.microsoft.com/en-us/research/blog/tag/supersingular-isogeny-graphs/
    - Victoria de Quehen, Security Researcher, ISARA Corporation, 2018. https://www.isara.com/isogeny-based-cryptography/
    - https://arstechnica.com/information-technology/2020/01/researcher-develops-working-exploit-for-critical-windows-10-vulnerability/