Elliptic Curve Cryptography and Zero Knowledge Proof

Elliptic Curve Cryptography and
Zero Knowledge Proof
Nimish Joseph

AGENDA
•
•
•
•
•
•

Mathematical Foundations
Public Key Cryptography
Elliptic Curve
Elliptic Curve Cryptography
Elliptic Curve over Prime Fields
Zero Knowledge Proof

06-Nov-2013

ECC and Zero Knowledge Proof

2

Mathematical Background for
Cryptography
• Modulo Arithmetic
d=n*q + r, 0 ≤r<n.
we say this as “d is equal to r modulo n”
r ≡ d (mod n)
5 ≡ 26 (mod 7)

06-Nov-2013


4

Group
• Basic algebraic structure
• A pair <G,*>, where G is a set and * is a binary
operation such that the following hold
Closure
Associativity
Identity Element
Inverse
< Zn, +n >
06-Nov-2013


5

Ring
A triplet < R, +, *>, where + and * are binary operations and R
is a set satisfying the following properties:
<R, +> is a commutative group
For all x, y, and z in R
x*y is also in R
x*(y*z)=(x*y)*z
x*(y+z)= (x*y)+(x*z )
< Zn, +n, *n>

06-Nov-2013


6

Fields
• <R, +, * > is a commutative ring with :
R has a multiplicative identity
Each element, x, in R (except for 0) has an
inverse element in R , denoted by x-1
<Zn, +n, *n > where n is prime.
06-Nov-2013


7

Cryptography - Basics
• Private Key Cryptography

• Public Key Cryptography

06-Nov-2013


8

Public-Key Cryptosystems

Authentication: Only A can
generate the encrypted message
06-Nov-2013


Secrecy: Only B can Decrypt
the message
9

Public-Key Cryptography

06-Nov-2013


10

Public-Key Cryptography

06-Nov-2013


11

RSA
•
•
•
•
•

Choose two large primes p and q
n=p*q
φ(n)= (p-1)*(q-1)
Choose e, such that gcd(e, φ(n)) = 1
Compute d, such that d = e-1mod φ(n)
C = Me mod n
M= Cd mod n

06-Nov-2013


12

Discrete Logarithmic Problem
y = gx mod p
Challenge :
Given y, g and p (g and p very large) it is not
VERY EASY(impossible) to calcuate x.

06-Nov-2013


13

Diffie-Hellman Key Exchange
ga mod p
gb mod p

K = (gb mod p)a = gab mod p

06-Nov-2013

K = (ga mod p)b = gab mod p


14

El Gamal Encryption
•
•
•
•

K=gamodp. (p,g,K) public and (a) private
Choose r such that gcd(r,p-1)=1
C1= gr mod p
C2= (m*Kr) mod p... m is the message
Sends(C1, C2)
• To Decrypt C1-a*C2 mod p =m

06-Nov-2013


15

Elliptic Curve Cryptography
• Elliptic Curve (EC) systems as applied to
cryptography were first proposed in 1985
independently by Neal Koblitz and Victor
Miller.
• The discrete logarithm problem on elliptic
curve groups is believed to be more difficult
than the corresponding problem in (the
multiplicative group of nonzero elements of)
the underlying finite field.
06-Nov-2013


17

What Is Elliptic Curve Cryptography
(ECC)?
• Elliptic curve cryptography [ECC] is a public-key
cryptosystem just like RSA, Rabin, and El Gamal.
• Every user has a public and a private key.
– Public key is used for encryption/signature verification.
– Private key is used for decryption/signature generation.

• Elliptic curves are used as an extension to other
current cryptosystems.
06-Nov-2013


18

Using Elliptic Curves In Cryptography
• The central part of any cryptosystem involving elliptic
curves is the elliptic group.
• All public-key cryptosystems have some underlying
mathematical operation.
– RSA has exponentiation (raising the message or ciphertext
to the public or private values)
– ECC has point multiplication (repeated addition of two
points).
06-Nov-2013


19

General form of a EC
• An elliptic curve is a plane curve defined by an
equation of the form

y  x  ax  b
2

3

Examples

06-Nov-2013


20

EC as a group
An Elliptic Curve is a curve given by an equation
y2 = f(x)

Where f(x) is a square-free (no double roots) cubic or a quartic polynomial

y2 = x3 + ax + b
4a3 + 27b2 ≠ 0

EC(-3,2)

So y2 = x3 is not an elliptic curve, but y2 = x3-1 is

06-Nov-2013


21

Elliptical Curve as a Group - Properties
• P + Q = Q + P (commutativity)
• (P + Q) + R = P + (Q + R) (associativity)

• P + O = O + P = P (existence of an identity element)
• there exists ( − P) such that − P + P = P + ( − P)
= O (existence of inverses)

06-Nov-2013


22

Elliptic Curve Picture
y

• Consider elliptic curve
E: y 2 = x 3 - x + 1
P2

P1

x

R

06-Nov-2013

• If P 1 and P 2 are on E , we can
define
R = P1 + P2
as shown in picture
• Addition is all we need


23

Case 1 : R’ ≠P1, R’≠ P2, R’≠ 0
•
•
•
•
•
•
•

P1+P2 = -R’ = R
R = (x3,y3)
Let y=mx+c
m= (y2-y1)/(x2-x1)
y2 = (mx+c)2 = m2x2+2mxc+c2
x3+ax+b = m2x2+2mxc+c2
x3 - m2x2 + (a-2mc)x + (b- c2 ) = 0

06-Nov-2013


24

• (x-x1)(x-x2)(x-x3)=0
• x3-x2 (x1+x2+x3) + x (x1x2+x2x3+x3x1) – x1x2x3 = 0
• x3 = m2 –x1 –x2
• m= ((-y3)-y1)/(x3-x1)
• y3= -y1 +m(x1-x3)

06-Nov-2013


25

Case 2 : P1= -P2 or R’ = 0

P1

P2

06-Nov-2013


26

Case 3: R’=P1 or R’=P2
Tangent Line to EC at P2

R
P1

P2

06-Nov-2013


27

Case 4 : Doubling of Point P
Tangent Line to EC at P

R

P

2*P
06-Nov-2013


28

P1=P2
•
•
•
•
•

2y * dy/dx =3x2 + a
Slope of the tangent m = dy/dx = (3x2 + a)/2y
At (x1,y1) = (3x12 + a)/2y1
x3 = m2 –2x1
y3= -y1 +m(x1-x3)

06-Nov-2013


29

Work Out !
• EC(-1,1).
A(1,-1) B( 1/4, 7/8). A+B = ?
• m = (-1-7/8)/(1-1/4) = -5/2
• x3 = (-5/2)2 -1 -1/4 =5
• y3 = -(-1)+(-5)/2*(1-5) = 11
(5,11)

06-Nov-2013


30

Elliptic Curve over Prime Fields
• Points on the curve y2 =x3 +2x +4
0
(0,2) (0,11)
(2,4) (2,9)
(5,3) (5,10)
(7,6) (7,7)
(8,5) (8,8)
(9,6) (9,7)
(10,6) (10,7)
(12,1) (12,11)

06-Nov-2013


31

Hasse’s Theorem
p +1 -2√p ≤ #EC(Fp) ≤ p+1+2√p
Establishes the tight bounds on the number of
points on the EC

06-Nov-2013


32

Work Out!
• EC(2,4) over F13
• A = (2,4) B = (8,5) . Compute A+B
m = (5-4)/(8-2) mod 13 =11
x3 = (112 -2 -8) mod 13 = 7
y3 = (-4 +11*(2-7)) mod 13 = 6
A+B =(7,6)
• Compute 2A = (8,5)
06-Nov-2013


33

ECs Over Binary Fields
• y2+xy =x3 +ax2 +b, b!=0
• A=(x,y) : -A = (x,x+y)
• For adding two points
m= (y2+y1)/(x2+x1)
x3 = m2+m +x1 +x2 + a
y3 = m(x1+x3) +x3 +y1

• Point doubling
m = x1 +(y1/x1)
x3 = m2+m+a
y3 = x12 +(m+1)*x3
06-Nov-2013


34

Discrete Logarithm Problem on
Elliptic Curves
• The problem of computing k given the EC
parameters, G and kG, is called the discrete
log problem for points on an elliptic curve.
• This problem is known to be infeasible in EC
groups beyond 2120 elements

06-Nov-2013


35

Computing kG
• kG = G + G + ...+ G k times
• To compute 168G , compute the series obtained
by doubling the point,
2G, 4G, 8G, 16G, 32G,...

• Now 168 = 10101000 in binary
168G = 128G+32G+8G
O(log k)
06-Nov-2013


36

Diffie-Hellman Modified
• Select <p,a,b,G,n,h>
• Alice chooses x and send xG
• Bob chooses y and send yG

• Alice on receipt compute x(yG) =xyG
• Bob on receipt compute y(xG) = xyG
06-Nov-2013


37

El Gamal Modified
•
•
•
•
•
•

k= aG
Choose r; Compute rG
Compute m + rk
Send <rG, m + rk>
To decrypt a(rG) = rk
m + rk – rk = m

06-Nov-2013


38

Comparison of key sizes for same
level of security
ECC

RSA

• 110

• 512

• 163

• 1024

• 256

• 3072

• 384

• 7680

• 512

• 15360

06-Nov-2013


39

RSA vs ECC Timings
• To encrypt ECC takes nearly 10 times of that
of RSA upto a key size of 384(ECC) and
7680(RSA).
• For Decryption RSA takes more time for a key
size higher than 1024 when compared to ECC
(163)

06-Nov-2013


40

Applications of ECC
• Many devices are small and have limited storage and
computational power
• Where can we apply ECC?
–
–
–
–

Wireless communication devices
Smart cards
Web servers that need to handle many encryption sessions
Any application where security is needed but lacks the
power, storage and computational power that is
necessary for our current cryptosystems

06-Nov-2013


41

A Conference on ECC
• ECC 2013:
https://www.cosic.esat.kuleuven.be/ecc2013

06-Nov-2013


42

Zero Knowledge Proofs (ZKP)
• Goldwasser, Micali, and Rackoff, 1985.
• ZKP instance of Interactive Proof System
• Interactive Proof Systems
– Challenge-Response Authentication
– Prover and Verifier
– Verifier Accepts or Rejects the Prover

06-Nov-2013


44

ZKP
• Zero knowledge Transfer between the Prover and
the Verifier
• The verifier accepts or rejects the proof after
multiple challenges and responses
• Probabilistic Proof Protocol
• Overcomes Problems with Password Based
Authentication

06-Nov-2013


45

Zero Knowledge Proofs
•
•
•
•
•
•

Introduction
Properties of ZKP
Advantages of ZKP
Examples
Fiat-Shamir Identification Protocol
Real-Time Applications

06-Nov-2013


46

Zero Knowledge Proofs

(ZKP)

• Goldwasser, Micali, and Rackoff, 1985.
• ZKP instance of Interactive Proof System
• Interactive Proof Systems
– Challenge-Response Authentication
– Prover and Verifier
– Verifier Accepts or Rejects the Prover

06-Nov-2013


47

Properties of ZKP
• Completeness
– Succeeds with high probability for a true assertion
given an honest verifier and an honest prover.
• Soundness
– Fails for any other false assertion, given a
dishonest prover and an honest verifier
• Zero Knowledge
06-Nov-2013


48

Advantages of ZKP
•
•
•
•

As name Suggests – Zero Knowledge Transfer
Computational Efficiency – No Encryption
No Degradation of the protocol
Based on problems like discrete logarithms and
integer factorization

06-Nov-2013


49

Classic Example
• Ali Baba’s Cave
Alice has to convince Bob She knows the secret to
open the cave door without telling the secret

(source: http://www.rsasecurity.com/rsalabs/faq/2-1-8.html)

06-Nov-2013


50

Fiat-Shamir Identification Protocol
• 3 Message Protocol
• Alice A, the Prover and Bob B, the Verifier
A random modulus n, product of two large prime numbers p
and q generated by a trusted party and made public
• Prover chooses secret s relatively prime to n
• prover computes v = s2 mod n, where v is the public key
A  B
A  B
A  B

06-Nov-2013

: x = r2 mod n
: e  { 0,1}
: y = r * se mod n. Is y2 = x * ve ?


51

Fiat-Shamir Identification Protocol (contd)
• Alice chooses a random number r (1  r  n-1)
• Sends to Bob x = r2 mod n – commitment
• Bob randomly sends either a 0 or a 1 ( e  { 0,1}) as
his challenge
• Depending on the challenge from Bob, Alice
computes the response as y = r if e = 0 or otherwise y
= r*s mod n
• Bob accepts the response upon checking y2  x * ve
mod n

06-Nov-2013


52

Fiat-Shamir Identification Protocol (contd)
• After many iterations, with a very high probability Bob can verify
Alice’s identity
• Alice’s response does not reveal the secret s (with y = r or y = r* s mod
n)
• An intruder can prove Alice’s identity without knowing the secret, if
he knows Bob’s challenge in advance:
– Generate random r
– If expected challenge is 1, send x = r2/v mod n as commitment,
and y = r as response
– If expected challenge is 0, send x = r mod n as commitment
• Probability that any Intruder impersonating the prover can send the
right response is only ½
• Probability reduced as iterations are increased
• Important - Alice should not repeat r
06-Nov-2013


53

Applications
• Watermark Verification
– Show the presence of watermark without
revealing information about it
– prevents from removing the watermark and
reselling multiple duplicate copies
• Others – e-voting, e-cash etc.

06-Nov-2013


54

References
• Network Security and Cryptography, Bernard Menezes
• I. Blake, G. Seroussi, and N. Smart, Elliptic Curves in Cryptography, London
Mathematical Society 265, Cambridge University Press, 1999
• Overview of Zero-Knowledge Protocols, Jeffrey Knapp
• http://en.wikipedia.org/wiki/Elliptic_curve_cryptography as on November
4, 2013
• Koblitz, N. (1987). "Elliptic curve cryptosystems". Mathematics of
Computation 48 (177): 203–209. JSTOR 2007884
• Menezes, A.; Okamoto, T.; Vanstone, S. A. (1993). "Reducing elliptic curve
logarithms to logarithms in a finite field". IEEE Transactions on Information
Theory 39
• K. Malhotra, S. Gardner, and R. Patz, Implementation of Elliptic-Curve
Cryptography on Mobile Healthcare Devices, Networking, Sensing and
Control, 2007 IEEE International Conference on, London, 15–17 April 2007
Page(s):239–244

06-Nov-2013


55

References
• D. Hankerson, A. Menezes, and S.A. Vanstone, Guide to Elliptic Curve
Cryptography, Springer-Verlag, 2004
• http://en.wikipedia.org/wiki/Zero-knowledge_proof as on November 4,
2013
• Stinson, Douglas Robert (2006), Cryptography: Theory and Practice (3rd
ed.), London: CRC Press, ISBN 978-1-58488-508-5
• Agrawal, Manindra; Kayal, Neeraj; Saxena, Nitin (2004). "PRIMES is in P".
Annals of Mathematics 160 (2): 781–793.
• Theory of Computing Course, Cornell University 2009, Zero knowledge
proofs
• A Survey of Zero-Knowledge Proofs with Applications to Cryptography,
Austin Mohr Southern Illinois University at Carbondale

06-Nov-2013


56

Elliptic Curve Cryptography and Zero Knowledge Proof

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Elliptic Curve Cryptography and Zero Knowledge Proof

Similar to Elliptic Curve Cryptography and Zero Knowledge Proof (20)

Recently uploaded

Recently uploaded (20)

Elliptic Curve Cryptography and Zero Knowledge Proof