ECC: Fundamentals
Dan Page, COMSM2004/COMS30124

Discrete Logarithm Problem (DLP) [Slide 1]

Consider a cyclic group G and elements p, q ∈ G. Given q = l · p if G is written additively, or q = p^l if G is written multiplicatively, l is called the Discrete Logarithm (DL) of q to the base p in G (written l = log_p q); the corresponding Discrete Logarithm Problem (DLP) is to find l.

- Question: which G do we select so that
  1. the group is secure (i.e., a DLP in said group is hard), and
  2. representation of, and computation with, group elements is efficient?
- Answer: an elliptic curve group!

General Elliptic Curves (1) [Slide 2]

- An elliptic curve E over the field K is defined by the general (or "long") Weierstraß equation, for a_i ∈ K:
  $E : y^2 + a_1 x y + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6.$
- The K-rational set of points on such an E is
  $E(K) = \{ (x, y) \in K^2 : y^2 + a_1 x y + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \} \cup \{ O_E \},$
  i.e., the set of points that satisfy the curve equation plus an extra point at infinity (that lies infinitely far up the y-axis).

General Elliptic Curves (4) [Slide 5]

Example: consider E(R) for a_1 = 0, a_2 = 0, a_3 = 0, a_4 = −1, a_6 = 0; then ∆ = 64 and j(E) = 1728.
[plot of E(R), x and y axes from −2 to 2]

Example: consider E(R) for a_1 = 0, a_2 = 0, a_3 = 0, a_4 = 1, a_6 = 0; then ∆ = −64 and j(E) = 1728.
[plot of E(R), x and y axes from −2 to 2]

General Elliptic Curves (5) [Slide 6]

Example: consider E(R) for a_1 = 0, a_2 = 0, a_3 = 0, a_4 = −1, a_6 = 1; then ∆ = −368 and j(E) = −6912/23.
[plot of E(R), x and y axes from −2 to 2]

Example: consider E(R) for a_1 = 0, a_2 = 0, a_3 = 0, a_4 = 0, a_6 = 0; then
∆ = 0 (so this E is singular).
[plot of the curve over R, x and y axes from −2 to 2]

General Elliptic Curves (6) [Slide 7]

- We'd like to construct a group to work with; this means we need
  1. A set of group elements; these will be the set of K-rational points on some elliptic curve E.
  2. A group operation ⊕_E that behaves as required, i.e., is associative, commutative and so on.
  3. An identity element wrt. ⊕_E; this will be the point at infinity O_E.
- The elliptic curve group law allows us to define ⊕_E; for P_1, P_2, R ∈ E(K),
  $P_1 \oplus_E P_2 \oplus_E R = O_E$
  holds iff. P_1, P_2 and R lie on a straight line ...
- ... this is a direct result of the form of curve we've selected.

General Elliptic Curves (9) [Slide 10]

Affine Point Negation [figure: P_1 and −P_1 on the curve]

- For P_1 = (x_1, y_1), P_3 = (x_3, y_3) = −P_1 is computed via
  $x_3 = x_1,$
  $y_3 = -y_1 - a_1 x_1 - a_3.$

General Elliptic Curves (10) [Slide 11]

Affine Point Addition [figure: P_1, P_2, R and P_1 + P_2 on the curve]

- For P_1 = (x_1, y_1) and P_2 = (x_2, y_2), let
  $\lambda = \frac{y_2 - y_1}{x_2 - x_1}, \qquad \mu = \frac{y_1 x_2 - y_2 x_1}{x_2 - x_1}.$
- P_3 = (x_3, y_3) = P_1 + P_2 is computed via
  $x_3 = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2,$
  $y_3 = -(\lambda + a_1) x_3 - \mu - a_3.$

General Elliptic Curves (11) [Slide 12]

Affine Point Doubling [figure: P_1, R and P_1 + P_1 on the curve]

- For P_1 = (x_1, y_1), let
  $\lambda = \frac{3 x_1^2 + 2 a_2 x_1 + a_4 - a_1 y_1}{2 y_1 + a_1 x_1 + a_3}, \qquad \mu = \frac{-x_1^3 + a_4 x_1 + 2 a_6 - a_3 y_1}{2 y_1 + a_1 x_1 + a_3}.$
- P_3 = (x_3, y_3) = P_1 + P_1 is computed via (with x_2 = x_1, since P_2 = P_1)
  $x_3 = \lambda^2 + a_1 \lambda - a_2 - x_1 - x_2,$
  $y_3 = -(\lambda + a_1) x_3 - \mu - a_3.$

Elliptic Curves over F_q (2) [Slide 15]

Example: consider E(F_7) for a_1 = 0, a_2 = 0, a_3 = 0, a_4 = 1, a_6 = 3; then ∆ = 3 and j(E) = 5.
[scatter plot of E(F_7), x and y axes from 0 to 6]

Example: consider E(F_43) for a_1 = 0, a_2 = 0, a_3 = 0, a_4 = 1, a_6 = 3; then ∆ = 4 and j(E) = 1.
[scatter plot of E(F_43), x and y axes from 0 to 45]

Elliptic Curves over F_q (3) [Slide 16]

- For q = p, i.e., using elliptic curves over F_p, we can specialise the Weierstraß equation to
  $E : y^2 = x^3 + a_4 x + a_6.$
- To compute P_3 = (x_3, y_3) = −P_1 given P_1 = (x_1, y_1), we simply set
  $x_3 = x_1, \qquad y_3 = -y_1.$
- To compute P_3 = (x_3, y_3) = P_1 + P_2 given P_1 = (x_1, y_1) and P_2 = (x_2, y_2), we first set
  $\lambda = \frac{y_2 - y_1}{x_2 - x_1}$ when x_1 ≠ x_2 (i.e., we are doing addition), and
  $\lambda = \frac{3 x_1^2 + a_4}{2 y_1}$ when x_1 = x_2 and y_1 ≠ 0 (i.e., we are doing doubling), then set
  $x_3 = \lambda^2 - x_1 - x_2, \qquad y_3 = \lambda (x_1 - x_3) - y_1.$

Elliptic Curves over F_q (4) [Slide 17]

- For q = 2^n, i.e., using elliptic curves over F_{2^n}, we can specialise the Weierstraß equation to
  $E : y^2 + x y = x^3 + a_2 x^2 + a_6.$
- To compute P_3 = (x_3, y_3) = −P_1 given P_1 = (x_1, y_1), we simply set
  $x_3 = x_1, \qquad y_3 = y_1 + x_1.$
- To compute P_3 = (x_3, y_3) = P_1 + P_2 given P_1 = (x_1, y_1) and P_2 = (x_2, y_2), we first set
  $\lambda = \frac{y_2 + y_1}{x_2 + x_1}$ when x_1 ≠ x_2 (i.e., we are doing addition), and
  $\lambda = \frac{x_1^2 + y_1}{x_1} = x_1 + \frac{y_1}{x_1}$ when x_1 = x_2 and x_1 ≠ 0 (i.e., we are doing doubling; a point with x_1 = 0 is its own negative), then set
  $x_3 = \lambda^2 + \lambda + a_2 + x_1 + x_2, \qquad y_3 = \lambda (x_1 + x_3) + x_3 + y_1.$

Elliptic Curves over F_q (7) [Slide 20]

- In cryptographic schemes, we are often required to generate a random point; focusing on E(F_p) for example, there are (at least) two options:
  1. Select an x, then solve the curve equation ...
     1.1 Select a random x.
     1.2 If there is a solution to y^2 = x^3 + a_4 x + a_6, that solution gives a random point P = (x, y) ∈ E(F_p).
     1.3 If there is no solution, go back to step 1.1.
     1.4 If E has a cofactor h, compute P' = hP to get a point in the right subgroup.
     ... note that this approach allows some extra capabilities:
     - We can "hash" some message M into a point by setting x = HASH(M) for a suitable hash function.
     - If we need to communicate some point P = (x, y), we can just communicate x plus a 1-bit flag that tells us which root of x^3 + a_4 x + a_6 to select as y; this is called point compression.
  2. Often, part of the public domain parameters is a fixed generator G ∈ E(F_p) which is already a valid point; just select a random r ∈ Z and compute P = r · G.
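The following is an added example, not code from the slides: it implements the specialised group law over F_p from slide 16 (negation, addition, doubling, double-and-add scalar multiplication), the point-compression "lift" from slide 20, and a brute-force solver for the DLP of slide 1, instantiated on the slides' curve y^2 = x^3 + x + 3 over F_7 (slide 15). The representation of O as `None`, the class and function names, and the assumption p ≡ 3 (mod 4) in `lift_x` (so that a square root is a single exponentiation) are choices made here, not part of the original.

```python
# Added example (not from the slides): affine arithmetic on the specialised
# curve y^2 = x^3 + a4*x + a6 over F_p (slide 16), instantiated for the
# slides' curve a4 = 1, a6 = 3 over F_7.  O is represented by None.
from typing import Dict, List, Optional, Tuple

Point = Optional[Tuple[int, int]]          # None stands for O


class CurveFp:
    def __init__(self, p: int, a4: int, a6: int):
        self.p, self.a4, self.a6 = p, a4 % p, a6 % p
        assert self.discriminant() != 0, "singular curve, not an elliptic curve"

    def discriminant(self) -> int:          # Delta = -16(4 a4^3 + 27 a6^2)
        return (-16 * (4 * self.a4**3 + 27 * self.a6**2)) % self.p

    def j_invariant(self) -> int:           # j = 1728 * 4 a4^3 / (4 a4^3 + 27 a6^2)
        num, den = 1728 * 4 * self.a4**3, 4 * self.a4**3 + 27 * self.a6**2
        return num * pow(den, -1, self.p) % self.p

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        return (y * y - (x**3 + self.a4 * x + self.a6)) % self.p == 0

    def neg(self, P: Point) -> Point:       # -(x, y) = (x, -y)
        return None if P is None else (P[0], -P[1] % self.p)

    def add(self, P: Point, Q: Point) -> Point:
        p = self.p
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return None                     # Q = -P (covers doubling a point with y = 0)
        if x1 == x2:                        # doubling: tangent slope
            lam = (3 * x1 * x1 + self.a4) * pow(2 * y1, -1, p) % p
        else:                               # addition: chord slope
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, k: int, P: Point) -> Point:
        """k * P by left-to-right double-and-add (not constant time)."""
        R: Point = None
        for bit in bin(k)[2:]:
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def lift_x(self, x: int, flag: int) -> Point:
        """Point compression (slide 20): recover (x, y) from x and a 1-bit flag
        selecting the root.  Assumes p = 3 mod 4, so sqrt(r) = r^((p+1)/4)."""
        assert self.p % 4 == 3
        rhs = (x**3 + self.a4 * x + self.a6) % self.p
        y = pow(rhs, (self.p + 1) // 4, self.p)
        if y * y % self.p != rhs:
            return None                     # x is not the x-coordinate of any point
        return (x, y) if y % 2 == flag else (x, (-y) % self.p)

    def points(self) -> List[Point]:
        """Enumerate E(F_p): O plus every (x, y) satisfying the curve equation."""
        return [None] + [(x, y) for x in range(self.p) for y in range(self.p)
                         if self.on_curve((x, y))]


def cayley_table(E: CurveFp, pts: List[Point]) -> Dict[Tuple[Point, Point], Point]:
    """The complete group operation on pts, as tabulated on slide 21."""
    return {(P, Q): E.add(P, Q) for P in pts for Q in pts}


def dlog(E: CurveFp, P: Point, Q: Point, order: int) -> Optional[int]:
    """Brute-force DLP (slide 1): smallest l with Q = l * P, or None."""
    R: Point = None
    for l in range(order):
        if R == Q:
            return l
        R = E.add(R, P)
    return None


if __name__ == "__main__":
    E7 = CurveFp(7, 1, 3)
    pts = E7.points()                       # [None, (4,1), (4,6), (5,0), (6,1), (6,6)]
    print("|E(F_7)| =", len(pts), "Delta =", E7.discriminant(), "j =", E7.j_invariant())
    print("(4,1) + (5,0) =", E7.add((4, 1), (5, 0)))
    table = cayley_table(E7, pts)
    for P in pts:
        print(P, [table[(P, Q)] for Q in pts])
    print("log_(4,1) (5,0) =", dlog(E7, (4, 1), (5, 0), len(pts)))
```

The brute-force `dlog` walks through at most |E(F_p)| additions, which is exactly why a group of six points is a toy: the DLP is only hard once the group order is large, and the same loop structure is what generic attacks improve on only to the square root of the order. `lift_x` also shows why point decompression must validate its input: an x with no square root is rejected rather than silently producing an off-curve point.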
Elliptic Curves over F_q (8) [Slide 21]

Example: let K = F_7, and consider E(K) for a_1 = 0, a_2 = 0, a_3 = 0, a_4 = 1, a_6 = 3, where we can compute |E(K)| = 6 and
  E(K) = { O, (4, 1), (4, 6), (5, 0), (6, 1), (6, 6) }.
If P_1 = (x_1, y_1) = (4, 1) and P_2 = (x_2, y_2) = (5, 0) then P_3 = (x_3, y_3) = P_1 + P_2 is given by
  $\lambda = \frac{y_2 - y_1}{x_2 - x_1} = \frac{0 - 1}{5 - 4} = 6 \pmod 7$
  $x_3 = \lambda^2 - x_2 - x_1 = 6^2 - 4 - 5 = 6 \pmod 7$
  $y_3 = \lambda (x_1 - x_3) - y_1 = 6 \cdot (4 - 6) - 1 = 1 \pmod 7$
and in fact we can describe the entire group operation as

    +      | O       (4, 1)  (4, 6)  (5, 0)  (6, 1)  (6, 6)
    -------+-------------------------------------------------
    O      | O       (4, 1)  (4, 6)  (5, 0)  (6, 1)  (6, 6)
    (4, 1) | (4, 1)  (6, 6)  O       (6, 1)  (4, 6)  (5, 0)
    (4, 6) | (4, 6)  O       (6, 1)  (6, 6)  (5, 0)  (4, 1)
    (5, 0) | (5, 0)  (6, 1)  (6, 6)  O       (4, 1)  (4, 6)
    (6, 1) | (6, 1)  (4, 6)  (5, 0)  (4, 1)  (6, 6)  O
    (6, 6) | (6, 6)  (5, 0)  (4, 1)  (4, 6)  O       (6, 1)

Elliptic Curves over F_q (9) [Slide 22]

Example: let K = F_2[X]/(X^2 + X + 1), and consider E(K) for a_1 = 0, a_2 = 0, a_3 = 0, a_4 = 0, a_6 = 1, where we can compute |E(K)| = 8 and
  E(K) = { O, (1, 0), (1, 1), (X, 0), (X, X), (X^2, 0), (X^2, X^2), (0, 1) }.
If P_1 = (x_1, y_1) = (X, 0) and P_2 = (x_2, y_2) = (X^2, X^2) then P_3 = (x_3, y_3) = P_1 + P_2 is given by
  $\lambda = \frac{y_2 - y_1}{x_2 - x_1} = \frac{X^2 - 0}{X^2 - X} = X^2 \pmod{X^2 + X + 1}$
  $x_3 = \lambda^2 + \lambda + a_2 + x_1 + x_2 = (X^2)^2 + X^2 + 0 + X + X^2 = 0 \pmod{X^2 + X + 1}$
  $y_3 = \lambda (x_1 + x_3) + x_3 + y_1 = X^2 \cdot (X + 0) + 0 + 0 = 1 \pmod{X^2 + X + 1}$
and in fact we can describe the entire group operation as

    +          | O          (1, 0)     (1, 1)     (X, 0)     (X, X)     (X^2, 0)   (X^2, X^2) (0, 1)
    -----------+------------------------------------------------------------------------------------------
    O          | O          (1, 0)     (1, 1)     (X, 0)     (X, X)     (X^2, 0)   (X^2, X^2) (0, 1)
    (1, 0)     | (1, 0)     (0, 1)     O          (X^2, X^2) (X, 0)     (X, X)     (X^2, 0)   (1, 1)
    (1, 1)     | (1, 1)     O          (0, 1)     (X, X)     (X^2, 0)   (X^2, X^2) (X, 0)     (1, 0)
    (X, 0)     | (X, 0)     (X^2, X^2) (X, X)     (1, 0)     O          (1, 1)     (0, 1)     (X^2, 0)
    (X, X)     | (X, X)     (X, 0)     (X^2, 0)   O          (1, 1)     (0, 1)     (1, 0)     (X^2, X^2)
    (X^2, 0)   | (X^2, 0)   (X, X)     (X^2, X^2) (1, 1)     (0, 1)     (1, 0)     O          (X, 0)
    (X^2, X^2) | (X^2, X^2) (X^2, 0)   (X, 0)     (0, 1)     (1, 0)     O          (1, 1)     (X, X)
    (0, 1)     | (0, 1)     (1, 1)     (1, 0)     (X^2, 0)   (X^2, X^2) (X, 0)     (X, X)     O

Improving the Group Operation on E(F_q) (2) [Slide 25]

- Informally, what we have done so far is work with "2D" points on the affine plane represented by the set K^2 (i.e., x and y) ...
- ... one can also imagine "3D" points in projective space represented by the set K^3 (i.e., x, y and z):
- Let K be a field, and both c and d be positive integers; one can define an equivalence relation ∼ on the set K^3 \ {(0, 0, 0)} by
  $(x_1, y_1, z_1) \sim (x_2, y_2, z_2) \iff x_1 = \lambda^c x_2,\ y_1 = \lambda^d y_2,\ z_1 = \lambda z_2$ for some λ ∈ K^*.
- The equivalence class containing (x, y, z) is
  $(x : y : z) = \{ (\lambda^c x, \lambda^d y, \lambda z) : \lambda \in K^* \},$
  where (x, y, z) is a projective point, which in turn is a representative of (x : y : z).
- Clearly, the implication is that many projective points can act as representatives for a given affine point: if they are in the same equivalence class, they can be considered equal.
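The following is an added example, not code from the slides: it implements the binary-field group law of slide 17 on top of a small F_{2^n} = F_2[X]/(m(X)) arithmetic, and reproduces the slide 22 example over K = F_2[X]/(X^2 + X + 1), where X^2 ≡ X + 1. The bit-string encoding of field elements (0, 1, 2, 3 for 0, 1, X, X + 1 = X^2), the representation of O as `None`, and the class and function names are choices made here and not part of the original.

```python
# Added example (not from the slides): affine arithmetic on the binary curve
# y^2 + xy = x^3 + a2*x^2 + a6 over F_{2^n} = F_2[X]/(m(X)) (slide 17).  Field
# elements are ints whose bit i is the coefficient of X^i, so in
# F_2[X]/(X^2 + X + 1) the values 0, 1, 2, 3 are 0, 1, X, X + 1 = X^2.
from typing import List, Optional, Tuple

Point = Optional[Tuple[int, int]]          # None stands for O


class GF2n:
    def __init__(self, modulus: int):
        self.m = modulus                    # irreducible m(X), e.g. 0b111 = X^2 + X + 1
        self.n = modulus.bit_length() - 1   # n = deg m; the field has 2^n elements

    def mul(self, a: int, b: int) -> int:
        """Carry-less multiply, reducing by m(X) whenever degree n is reached."""
        r = 0
        while b:
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if (a >> self.n) & 1:
                a ^= self.m
        return r

    def inv(self, a: int) -> int:
        """a^-1 = a^(2^n - 2) by square-and-multiply (Fermat in F_{2^n}^*)."""
        assert a != 0, "0 has no inverse"
        r, e = 1, (1 << self.n) - 2
        while e:
            if e & 1:
                r = self.mul(r, a)
            a = self.mul(a, a)
            e >>= 1
        return r

    def show(self, a: int) -> str:
        """Render an element as a polynomial in X, e.g. 3 -> 'X+1'."""
        terms = [("X^%d" % i if i > 1 else "X") if i else "1"
                 for i in range(self.n) if (a >> i) & 1]
        return "+".join(reversed(terms)) or "0"


class CurveF2n:
    def __init__(self, F: GF2n, a2: int, a6: int):
        assert a6 != 0, "singular curve"   # this curve form is non-singular iff a6 != 0
        self.F, self.a2, self.a6 = F, a2, a6

    def on_curve(self, P: Point) -> bool:
        if P is None:
            return True
        x, y = P
        F = self.F
        lhs = F.mul(y, y) ^ F.mul(x, y)
        rhs = F.mul(F.mul(x, x), x) ^ F.mul(self.a2, F.mul(x, x)) ^ self.a6
        return lhs == rhs

    def neg(self, P: Point) -> Point:       # -(x, y) = (x, y + x)
        return None if P is None else (P[0], P[1] ^ P[0])

    def add(self, P: Point, Q: Point) -> Point:
        F = self.F
        if P is None:
            return Q
        if Q is None:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 ^ y2) == x1:
            return None                     # Q = -P (includes doubling a point with x = 0)
        if x1 == x2:                        # doubling: lambda = x1 + y1/x1
            lam = x1 ^ F.mul(y1, F.inv(x1))
        else:                               # addition: lambda = (y1 + y2)/(x1 + x2)
            lam = F.mul(y1 ^ y2, F.inv(x1 ^ x2))
        x3 = F.mul(lam, lam) ^ lam ^ self.a2 ^ x1 ^ x2
        y3 = F.mul(lam, x1 ^ x3) ^ x3 ^ y1
        return (x3, y3)

    def points(self) -> List[Point]:
        n = 1 << self.F.n
        return [None] + [(x, y) for x in range(n) for y in range(n)
                         if self.on_curve((x, y))]

    def show(self, P: Point) -> str:
        return "O" if P is None else "(%s, %s)" % (self.F.show(P[0]), self.F.show(P[1]))


if __name__ == "__main__":
    F4 = GF2n(0b111)                        # F_2[X]/(X^2 + X + 1)
    E = CurveF2n(F4, a2=0, a6=1)            # y^2 + xy = x^3 + 1
    pts = E.points()
    print("|E(K)| =", len(pts), [E.show(P) for P in pts])
    print("(X, 0) + (X^2, X^2) =", E.show(E.add((2, 0), (3, 3))))
    for P in pts:                           # the full group table, as on slide 22
        print(E.show(P).ljust(12), " ".join(E.show(E.add(P, Q)).ljust(12) for Q in pts))
```

Two details worth noticing when running it: in characteristic 2 the "minus" signs in the slide's λ are the same as "plus" (so `^` does both), and the points with x = 0 are their own negatives, which is why the doubling branch tests `y1 ^ y2 == x1` rather than `y1 == 0`.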
Improving the Group Operation on E(F_q) (3) [Slide 26]

Example: the so-called standard projective representation for points on E(F_p) sets c = 1 and d = 1, then alters the Weierstraß equation to read
  $E : y^2 z = x^3 + a_4 x z^2 + a_6 z^3.$
This means the K-rational set of points on E is now
  $E(K) = \{ (x, y, z) \in K^3 : y^2 z = x^3 + a_4 x z^2 + a_6 z^3 \} \cup \{ O_E \}$
with O = (0, 1, 0).

Example: the so-called Jacobian projective representation for points on E(F_p) sets c = 2 and d = 3, then alters the Weierstraß equation to read
  $E : y^2 = x^3 + a_4 x z^4 + a_6 z^6.$
This means the K-rational set of points on E is now
  $E(K) = \{ (x, y, z) \in K^3 : y^2 = x^3 + a_4 x z^4 + a_6 z^6 \} \cup \{ O_E \}$
with O = (0, 1, 0).

Improving the Group Operation on E(F_q) (4) [Slide 27]

Jacobian Point Addition (add-2001-b from EFD); each step is labelled with its cost in F_p additions (A), squarings (S) or multiplications (M):

    λ1  ← z1^2         1S        λ13 ← λ5 · λ11     1M
    λ2  ← z1 · λ1      1M        λ14 ← z1 · z2      1M
    λ3  ← z2^2         1S        λ15 ← λ13 + λ13    1A
    λ4  ← z2 · λ3      1M        λ16 ← λ15 + λ12    1A
    λ5  ← x1 · λ3      1M        λ17 ← λ10^2        1S
    λ6  ← x2 · λ1      1M        x3  ← λ17 − λ16    1A
    λ7  ← λ6 − λ5      1A        z3  ← λ7 · λ14     1M
    λ8  ← y1 · λ4      1M        λ18 ← λ13 − x3     1A
    λ9  ← y2 · λ2      1M        λ19 ← λ10 · λ18    1M
    λ10 ← λ9 − λ8      1A        λ20 ← λ8 · λ12     1M
    λ11 ← λ7^2         1S        y3  ← λ19 − λ20    1A
    λ12 ← λ7 · λ11     1M
                                 Total: 7A + 4S + 12M

Improving the Group Operation on E(F_q) (7) [Slide 30]

- Some things to note:
  1. Since A_{F_p} is typically low, a point subtraction is essentially the same cost as a point addition.
  2. Conversion costs apply:
     - Affine to projective costs 1S + 3M (+ the cost of generating a random z).
     - Projective to affine costs 1S + 3M + 1I.
  3. We can specialise a Jacobian projective point addition for the case where z_2 = 1; this eliminates 1S + 5M and yields a mixed addition: P_1 is projective, but P_2 is affine.
  4. It might not be obvious, but in performing a Jacobian projective point doubling, we calculate
     $3 x_1^2 + z_1^4 a_4.$
     By selecting a_4 = −3, we can calculate this term as
     $3 (x_1 - z_1^2)(x_1 + z_1^2),$
     which saves 2S; in theory this reduces the number of curves we can select (i.e., only those with a_4 = −3), but this doesn't matter in practice.
  5. With E(F_{2^n}), it is common to try to maximise the number of squarings; this is because S_{F_{2^n}} is typically very low.

Further Reading [Slide 32]

- D. Hankerson, A. Menezes and S. Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag, 2003. ISBN: 0-387-95273-X.
  - Chapter 3.1: Elliptic Curve Arithmetic: Introduction to Elliptic Curves
  - Chapter 3.2: Elliptic Curve Arithmetic: Point Representation and the Group Law
- I. Blake, G. Seroussi and N.P. Smart. Elliptic Curves in Cryptography. Cambridge University Press, 1999. ISBN: 0-521-65374-6.
  - Chapter 3: Arithmetic on an Elliptic Curve
- D.J. Bernstein and T. Lange. Explicit-Formulas Database (EFD). http://www.hyperelliptic.org/EFD/
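The following is an added example, not code from the slides or from the EFD: it transcribes the λ_1 … λ_20 listing of add-2001-b (slide 27) over an F_p whose operations are counted, so that the 7A + 4S + 12M tally and the affine/Jacobian conversion costs quoted on slide 30 can be checked by running it, and it verifies the result against the slides' own worked sum (4, 1) + (5, 0) = (6, 1) on y^2 = x^3 + x + 3 over F_7. The counting-field class, the function names, the chosen non-zero z values and the explicit H = 0 guard are choices made here and not part of the original.

```python
# Added example (not from the slides or the EFD): Jacobian point addition
# add-2001-b transcribed from the lambda_1 .. lambda_20 listing (slide 27),
# run over an F_p whose operations are counted.  A Jacobian (X, Y, Z)
# represents the affine point (X/Z^2, Y/Z^3) (slide 26).
from typing import Dict, Tuple

Affine = Tuple[int, int]
Jac = Tuple[int, int, int]


class CountingFp:
    """F_p arithmetic in which every A, S, M and I bumps a counter."""
    def __init__(self, p: int):
        self.p = p
        self.reset()

    def reset(self) -> None:
        self.count: Dict[str, int] = {"A": 0, "S": 0, "M": 0, "I": 0}

    def add(self, a: int, b: int) -> int:
        self.count["A"] += 1
        return (a + b) % self.p

    def sub(self, a: int, b: int) -> int:  # subtraction is costed as an A (slide 30, note 1)
        self.count["A"] += 1
        return (a - b) % self.p

    def sqr(self, a: int) -> int:
        self.count["S"] += 1
        return a * a % self.p

    def mul(self, a: int, b: int) -> int:
        self.count["M"] += 1
        return a * b % self.p

    def inv(self, a: int) -> int:
        self.count["I"] += 1
        return pow(a, -1, self.p)


def jacobian_add(F: CountingFp, P1: Jac, P2: Jac) -> Jac:
    """add-2001-b.  Valid only for P1 != +-P2 with Z1, Z2 != 0 (so H != 0)."""
    x1, y1, z1 = P1
    x2, y2, z2 = P2
    l1 = F.sqr(z1)                        # Z1^2
    l2 = F.mul(z1, l1)                    # Z1^3
    l3 = F.sqr(z2)                        # Z2^2
    l4 = F.mul(z2, l3)                    # Z2^3
    l5 = F.mul(x1, l3)                    # U1 = X1 Z2^2
    l6 = F.mul(x2, l1)                    # U2 = X2 Z1^2
    l7 = F.sub(l6, l5)                    # H  = U2 - U1
    if l7 == 0:
        raise ValueError("P1 = +-P2: use doubling (or return O) instead")
    l8 = F.mul(y1, l4)                    # S1 = Y1 Z2^3
    l9 = F.mul(y2, l2)                    # S2 = Y2 Z1^3
    l10 = F.sub(l9, l8)                   # r  = S2 - S1
    l11 = F.sqr(l7)                       # H^2
    l12 = F.mul(l7, l11)                  # H^3
    l13 = F.mul(l5, l11)                  # V  = U1 H^2
    l14 = F.mul(z1, z2)                   # Z1 Z2
    l15 = F.add(l13, l13)                 # 2V
    l16 = F.add(l15, l12)                 # 2V + H^3
    l17 = F.sqr(l10)                      # r^2
    x3 = F.sub(l17, l16)                  # X3 = r^2 - H^3 - 2V
    z3 = F.mul(l7, l14)                   # Z3 = Z1 Z2 H
    l18 = F.sub(l13, x3)                  # V - X3
    l19 = F.mul(l10, l18)                 # r (V - X3)
    l20 = F.mul(l8, l12)                  # S1 H^3
    y3 = F.sub(l19, l20)                  # Y3 = r (V - X3) - S1 H^3
    return (x3, y3, z3)


def to_jacobian(F: CountingFp, P: Affine, z: int) -> Jac:
    """Affine -> Jacobian with a chosen (e.g. random) non-zero z: 1S + 3M."""
    x, y = P
    z2 = F.sqr(z)
    z3 = F.mul(z, z2)
    return (F.mul(x, z2), F.mul(y, z3), z)


def to_affine(F: CountingFp, P: Jac) -> Affine:
    """Jacobian -> affine: 1I + 1S + 3M."""
    x, y, z = P
    zi = F.inv(z)
    zi2 = F.sqr(zi)
    zi3 = F.mul(zi, zi2)
    return (F.mul(x, zi2), F.mul(y, zi3))


def on_curve_jacobian(F: CountingFp, a4: int, a6: int, P: Jac) -> bool:
    """Check y^2 = x^3 + a4 x z^4 + a6 z^6, the Jacobian curve equation."""
    x, y, z = P
    z2 = F.sqr(z)
    z4 = F.sqr(z2)
    rhs = F.add(F.add(F.mul(F.sqr(x), x), F.mul(a4, F.mul(x, z4))), F.mul(a6, F.mul(z2, z4)))
    return F.sqr(y) == rhs


if __name__ == "__main__":
    F = CountingFp(7)
    P = to_jacobian(F, (4, 1), z=3)       # z = 3 and z = 2 are arbitrary non-zero choices
    Q = to_jacobian(F, (5, 0), z=2)
    F.reset()
    R = jacobian_add(F, P, Q)
    print("ops for one Jacobian addition:", F.count)
    F.reset()
    print("(4,1) + (5,0) =", to_affine(F, R), "conversion ops:", F.count)
```

The `H == 0` guard is the practical caveat behind the listing: add-2001-b is an addition formula only, and feeding it P and ±P divides by zero in projective form (it yields Z3 = 0 and garbage coordinates), so an implementation must branch to the doubling formula or return O, which is also why these case distinctions are a classic source of exceptional-point bugs in curve code.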