Title: Elliptic Curve Cryptography: Generation and Validation of Domain Parameters in Binary Galois Fields
Slide 1: Elliptic Curve Cryptography: Generation and Validation of Domain Parameters in Binary Galois Fields
- Peter Wozny
- Rochester Institute of Technology
- M.S. Thesis Presentation
- August 15, 2008
Slide 2: Agenda
- Problem Statement
- Fundamentals of Elliptic Curves
- Federal Standards
- Generating Parameters in GF(2^m)
- Validation of Parameters
- Security Considerations
- Testing Analysis
- Results
- Future Work
- Questions
- References
Slide 3: Problem Statement
- Federal standards for elliptic curve parameters are confusing to understand.
- How are these parameters generated?
- Why are there only 5 sets of parameters defined for binary Galois fields, and 5 sets for Koblitz curves?
- What are the criteria for secure parameters?
- Are there other useful parameters that meet the necessary criteria?
- With several published documents, what is the real standard?
Slide 4: Fundamentals of Elliptic Curves
- Weierstrass equation
  - y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6
- Prime fields, binary fields, and optimal extension fields.
- Elliptic curves can include complex numbers
Slide 5: Elliptic Curve Cryptography
- ECC is competing with RSA as a public key cryptosystem
- Elliptic curves are based on cubic equations
- ECC makes use of elliptic curves in which the variables and coefficients are elements of a finite field
- Two federally approved groups are
  - ECC over prime fields (GF(p))
  - ECC over binary fields (GF(2^m))
    - Includes Koblitz curves
Slide 6: Federally Approved Curves
- ECC over prime fields (GF(p))
  - y^2 = x^3 - 3x + b (as per NIST FIPS 186-2)
  - y^2 = x^3 + ax + b (as per ANSI X9.63-2005)
- ECC over binary fields (GF(2^m))
  - y^2 + xy = x^3 + ax^2 + b
- Koblitz curves have the form
  - y^2 + xy = x^3 + ax^2 + 1, where a = 0 or 1
Slide 7: Mathematics of Elliptic Curves over GF(2^m)
- Recalling y^2 + a1 xy + a3 y = x^3 + a2 x^2 + a4 x + a6
- For non-supersingular curves a1 = 1, a2 = A, a3 = 0, a4 = 0, a6 = B, which gives y^2 + xy = x^3 + ax^2 + b
- P + ∞ = P, where ∞ is the point at infinity
- If P = (xP, yP), then (xP, yP) + (xP, -a1 xP - a3 - yP) = ∞.
- -P = (xP, -a1 xP - a3 - yP), or (xP, -xP - yP)
- If P = (xP, yP) and Q = (xQ, yQ) with P ≠ -Q and P ≠ Q, then R = P + Q = (xR, yR)
- Point doubling: P = (x0, y0), P + P = (x1, y1)
Slide 8: Points on an Elliptic Curve (Example of Points in a Prime Field)
[Figure: points for y^2 = x^3 + 1x + 7 (mod 139)]
Slide 9: Points on a Toroid (Same points plotted on a toroid)
[Figure: toroid of points for y^2 = x^3 + 1x + 7 (mod 139)]
Slide 10: Different Bases
- Polynomial basis
  - Interprets each element of a binary Galois field as though it were a binary polynomial.
  - Represented as binary numbers, where each bit is the coefficient of one term of the polynomial
  - Specified by an irreducible polynomial f(x) modulo 2
  - Field arithmetic is implemented as polynomial arithmetic mod f(x)
  - The irreducible polynomials are either trinomials or pentanomials
- Normal basis
  - Normal basis elements are represented a little differently
  - Advantage in the implementation of squaring
  - Mathematical functions are applied efficiently
Slide 11: Basis Conversion
- Normal basis to polynomial basis: multiply by a conversion matrix Γ1, where Γ1 is constructed by a series of squaring and reduction algorithms.
Slide 12: Basis Conversion
- Polynomial basis to normal basis: multiply by a conversion matrix Γ2, where Γ2 is constructed by a series of squaring and reduction algorithms.
Slide 13: Conversion Example
- Given a conversion matrix Γ,
  - (1001) · Γ = (0100)
- For elliptic curves, the bit-strings are > 160 bits
- The conversion matrix is created by squaring rows, taking the row with an irreducible polynomial modulus, and also utilizing the root of the irreducible polynomial.
Slide 14: Elliptic Curve Cryptography
- ECC is a public key cryptosystem with several advantages
  - Smaller domain parameters than RSA
  - Less computer overhead (processing and memory)
  - More secure than RSA for equal-size keys
Slide 15: What are the Domain Parameters in GF(2^m)?
- E: the elliptic curve y^2 + xy = x^3 + ax^2 + b
- m: field size, and the power of the leading x term of the irreducible polynomial
- f(x): irreducible polynomial modulus
- a: coefficient for the elliptic curve equation
- b: coefficient for the elliptic curve equation
- P = (xP, yP), a point on the elliptic curve
- n: the order of the point P
- h: the cofactor, such that h = #E(GF(2^m)) / n
  - h ∈ {2, 4}
- s: seed for the hash function for random parameter generation
Slide 16: How to get Domain Parameters
Domain parameters come from one of two routes:
- Verifiably random parameter generation: specific algorithms defined in the standards for generating parameters and validating the domain parameters, as well as verifying the randomness of the elliptic curve
- OR
- U.S. federal and international standards: parameters that have been computed and published in standards for various security levels, for ease of use without the need for the generation and validation process
Slide 17: Standards for Domain Parameters
- U.S. federally published standards are available from
  - ANSI X9.62-2005
  - NIST FIPS 186-2 (Jan. 2000)
  - IEEE 1363 (2000, amendment 2004)
  - Certicom's documentation SEC-1, SEC-2 (Sept. 2000)
- European standards
  - ISO 14888-3, 15946
  - Recommendation from NESSIE
    - New European Schemes for Signatures, Identification and Encryption, a project of the EU similar to the AES competition
- Internet Engineering Task Force: PKIX, IPSEC, S/MIME, TLS
- With several standards, what is standard?
Slide 18: Comparison of the U.S. Standards
- NIST (National Institute of Standards and Technology)
  - 5 sets of parameters for prime fields
  - 5 sets of parameters for binary Galois fields
  - 5 sets of parameters for Koblitz curves
- Prime field curves
  - 192, 224, 256, 384, 521 bit size standards
  - 160 additional in ANSI
  - 112, 128, 160 additional in IEEE
- Binary field curves
  - 163, 233, 283, 409, 571 bit size standards
  - 193, 239 additional in ANSI
  - 113, 131, 239 additional in IEEE
- Koblitz curves in GF(2^m)
  - 163, 233, 283, 409, 571 bit size standards
  - Some of these offer multiple sets in the ANSI and IEEE standards
Slide 19: Comparison of the U.S. Standards
- SECG (Secure Efficient Cryptography Group)
  - The standards are consolidated in this document
  - 15 sets of parameters for prime fields
  - 12 sets of parameters for binary Galois fields
  - 6 sets of parameters for Koblitz curves
- Prime field curves (including Koblitz sets in GF(p))
  - 112, 128, 160, 192, 224, 256, 384, 521 bit size standards
- Binary field curves
  - 113, 131, 163, 193, 233, 239, 283, 409, 571 bit size standards
- Koblitz curves in GF(2^m)
  - 163, 233, 239, 283, 409, 571 bit size standards
Slide 20: Reason for 5 Standard Sets
Size is more than twice the symmetric cipher key length.
These values also yield Koblitz curve base point orders.
Slide 21: NIST Parameters for GF(2^163)
- Binary field GF(2^163)
  - m = 163
  - a = 1 (the NIST standard sets the EC value a = 1)
  - h = 2
  - f(x) = x^163 + x^7 + x^6 + x^3 + 1
  - s = 0x85e25bfe 5c86226c db12016f 7553f9d0 e693a268
  - n = 5846006549323611672814742442876390689256843201587
- Polynomial basis
  - b = 00000002 0a601907 b8c953ca 1481eb10 512f7874 4a3205fd
  - xP = 00000003 f0eba162 86a2d57e a0991168 d4994637 e8343e36
  - yP = 00000000 d51fbc6c 71a0094f a2cdd545 b11c5c0c 797324f1
- Normal basis
  - b = 00000006 645f3cac f1638e13 9c6cd13e f61734fb c9e3d9fb
  - xP = 00000000 311103c1 7167564a ce77ccb0 9c681f88 6ba54ee8
  - yP = 00000003 33ac13c6 447f2e67 613bf700 9daf98c8 7bb50c7f
Slide 22: Generating Random Parameters
- Input parameters: security level, maximum cofactor, trial division bound (lmax), seed, and MOV threshold
- Generate curve coefficients for y^2 + xy = x^3 + ax^2 + b
- Determine basis (normal or polynomial)
- Compute order (cofactor, seed, ...)
- Generate a base point (cofactor, seed, order)
Slide 23: Generating Random Elliptic Curve
Slide 24: Hash Functions
- Current standards (FIPS 180-2)
  - SHA-1, SHA-256, SHA-384, SHA-512
- SHA-1
  - Will be replaced by 2010
  - Has collisions
- FIPS 180-3
  - Has not been released by NIST
  - It includes SHA-224, SHA-256, SHA-384, SHA-512
- A hash is a file's fingerprint
Slide 25: Hash Functions
Parsed message (block size) -> the hash function performs bitwise modifications in order to reduce the size of the output -> smaller representation of the block of data (message digest size)
Slide 26: Generation Algorithms
- For verifiably random parameters
  - SHA-1 is denoted as the standard hash algorithm used
- The point-counting algorithms used in binary fields are
  - Schoof, Elkies, Atkin (SEA) algorithm
  - AGM: Arithmetic Geometric Mean
  - SST: Satoh, Skjernaa, Taguchi algorithm
  - MSST: Modified Satoh, Skjernaa, Taguchi algorithm
- Base point order for Koblitz curves
  - Implementation similar to a Lucas sequence: L_n is computed from L_(n-1) and L_(n-2)
Slide 27: Generating Base Point
Slide 28: Fast Reduction
Fast reduction algorithms convert data to the 5 NIST standard fields.
Reduction in non-standard fields can be performed using a bit-by-bit reduction (more time consuming).
Slide 29: Validation Process
- The parameters need to be validated (show they satisfy the arithmetic requirements)
  - To prevent malicious insertion of insecure parameters
  - To detect inadvertent coding or transmission errors
- The standards provide algorithms for validating the domain parameters for both prime and binary fields.
- The criteria are on the following charts.
Slide 30: Criteria for Domain Parameters
- The validation of the elliptic curve has four criteria for binary Galois fields
  - The field must be of the form F(2^m), where m is prime.
  - The coefficients of the curve, a and b, when converted to binary must have a bit-length of m bits.
  - The value of b ≠ 0.
  - The seed used to generate the curve must match the seed provided.
- Validation of a base point has some additional constraints [22].
  - The base point, P, is not the infinity point.
  - G = hP, where P = (xP, yP), and h is the cofactor.
  - P = (xP, yP), and each component has bit-length equal to m.
  - (xP, yP) must satisfy the associated elliptic curve equation.
  - nP = ∞.
  - If G is not a valid base point then increment base and go back to Step 2 in the base-point generation algorithm, unless base > 10h^2, in which case output "Failure".
  - If P is generated randomly, utilize the parameters (h, n, seed) to recreate the base point, and compare with the value received. These values should match.
  - Verify that the MOV and anomalous conditions are met.
Slide 31: Necessary Conditions for Secure EC
- According to ANSI X9.62-2005:
  - MOV condition
  - Anomalous condition
Slide 32: MOV Condition
- The MOV condition is named after Menezes, Okamoto, Vanstone
- Ensures that the elliptic curve is not vulnerable to reduction attacks
- Reduction attack of MOV
  - Reduces a DL problem in F_q to F_(q^B), where B ≥ 1
  - B is the MOV threshold
  - In the ANSI standard, B = 100
  - Not a problem with degree of the field > 160
Slide 33: Anomalous Condition
- The anomalous condition is met when the number of points on an elliptic curve in a designated field does not equal the size of the binary field.
  - #E(F(2^m)) ≠ 2^m
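As an added example (not the thesis's code), the binary-field validation criteria of slides 30 to 33 applied to the NIST B-163 parameters from slide 21, using the polynomial-basis GF(2^163) arithmetic of slide 10. The affine group law formulas, the Hasse-bound check on h·n, and the MOV check written as q^k mod n ≠ 1 for k ≤ B = 100 are assumptions taken from the cited Guide to Elliptic Curve Cryptography [1] and ANSI X9.62, not from the slides; the function names are this example's own.

```python
M, F = 163, (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1   # f(x) = x^163 + x^7 + x^6 + x^3 + 1
A, H, MOV_B = 1, 2, 100            # curve coefficient a, cofactor h, ANSI MOV threshold B
B = 0x20a601907b8c953ca1481eb10512f78744a3205fd          # b (polynomial basis)
XP = 0x3f0eba16286a2d57ea0991168d4994637e8343e36         # base point x
YP = 0xd51fbc6c71a0094fa2cdd545b11c5c0c797324f1          # base point y
N = 5846006549323611672814742442876390689256843201587    # order n of P

def gf_mul(u, v):  # polynomial-basis multiply: schoolbook product, then reduce mod f(x)
    r = 0
    while v:
        if v & 1: r ^= u
        u, v = u << 1, v >> 1
    for i in range(r.bit_length() - 1, M - 1, -1):
        if r >> i & 1: r ^= F << (i - M)
    return r

def gf_inv(a):  # extended Euclid for binary polynomials; needs a != 0
    u, v, g1, g2 = a, F, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0: u, v, g1, g2, j = v, u, g2, g1, -j
        u, g1 = u ^ (v << j), g1 ^ (g2 << j)
    return g1

def add(P, Q):  # affine group law on y^2 + xy = x^3 + A x^2 + B; None is the point at infinity
    if P is None or Q is None: return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 != x2:                                  # general addition
        lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
        x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ A
        return x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1
    if y1 != y2 or x1 == 0: return None           # Q = -P = (x, x + y), or P has order 2
    lam = x1 ^ gf_mul(y1, gf_inv(x1))             # doubling
    x3 = gf_mul(lam, lam) ^ lam ^ A
    return x3, gf_mul(x1, x1) ^ gf_mul(lam ^ 1, x3)

def mul(k, P):  # left-to-right double-and-add
    R = None
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1": R = add(R, P)
    return R

def validate(b=B, P=(XP, YP), n=N, h=H):
    """Criteria from the validation slides; returns {criterion: passed}."""
    x, y, q = P[0], P[1], 1 << M
    return {
        "b_nonzero_and_m_bit_sizes": b != 0 and max(b, x, y).bit_length() <= M,
        "point_on_curve": gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(gf_mul(x, x), x ^ A) ^ b,
        "nP_is_infinity": mul(n, P) is None,
        "h_times_n_within_hasse_bound": (h * n - q - 1) ** 2 <= 4 * q,
        "mov_condition": all(pow(q, k, n) != 1 for k in range(1, MOV_B + 1)),
        "not_anomalous": h * n != q,
    }
```

Calling validate() with a tampered b or n shows which criterion catches the change, which is the point of the "inadvertent coding or transmission errors" bullet on slide 29.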
Slide 34: Testing Performed
- Re-creating the standard elliptic curves given the NIST parameters
- Examining the results of the implementation
  - Confirming the basis
  - AES algorithm (www.shamus.ie)
- Generating a verifiably random elliptic curve
- Computing the order of known Koblitz curves
- Computing the order of Koblitz curve base points beyond m = 571 so as to determine other useful degrees
Slide 35: Verifiably Random Test Case
- A prime degree was chosen that is not a NIST standard
- Binary field GF(2^311)
  - m = 311
  - a = 1
  - f(z) = z^311 + z^7 + z^5 + z^3 + 1
- Generating a PRN for the seed
  - Seed = FA7D88A5 39D62746 D6652416 44617B3C 16030324
Slide 36: Random EC Curve Coefficients
- Seed = FA7D88A5 39D62746 D6652416 44617B3C 16030324
- Hash = a2c087c3 91766f31 86287017 ed2aa5a0 743d6c8e
- eVal = 929150074658595225474527593156946520741668285582
- Normal basis
  - a = 1
  - b = 004087c3 91766f31 86287017 ed2aa5a0 743d6c8e a5408fd0 e4685d67 48182e94 09c07c76 cf66484c
  - b length = 311
Slide 37: Computing Useful Orders
Implementation of Theorem 4.12 and Lemma 4.13 allows the number of points on an elliptic curve to be computed quickly, and thereby the order of the base point.
Slide 38: Steps in Computing Order
- The points on E: y^2 + xy = x^3 + ax^2 + 1 over F(2) are as follows, for the condition that a = 0 or a = 1.
- E(F(2)) = {(∞, ∞), (0, 0), (0, 1), (1, 0), (1, 1)}
Slide 39: Steps in Computing Order
For NIST, a = 1 and b is computed from the verifiably random EC.
Slide 40: Steps in Computing Order
Slide 41: Order of Koblitz Base Point (Beyond m = 571)
h · n = #E(F(2^m))
Slide 42: Additional Degree Fields
- The degrees of Koblitz curves and of elliptic curves over binary Galois fields are the same. Therefore other degrees, less than 3000, that would be suitable are
  - 701, 1153, 1249, 1597, 1621, 1913,
  - 2063, 2221, 2437, 2647, and 2909
- Fast reduction algorithms must be developed beyond 1140, or bit-by-bit reduction can be used
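An added example (not from the thesis) for the order computation of slides 37 to 42: counting points on the Koblitz curves E_a: y^2 + xy = x^3 + ax^2 + 1 over GF(2^m) with the Lucas-type recurrence, splitting off the cofactor h = 4 or 2, and testing whether the remaining base point order n is prime, which is the "useful degree" question of slides 41 and 42. The closed form #E = 2^m + 1 - V_m with V_k = μ V_(k-1) - 2 V_(k-2), μ = (-1)^(1-a), is taken from the cited Guide to Elliptic Curve Cryptography [1] rather than the slides; the Miller-Rabin check and the function names are this example's own.

```python
import random

def koblitz_order(m, a):
    """#E_a(GF(2^m)) for y^2 + xy = x^3 + a x^2 + 1, computed as 2^m + 1 - V_m
    with V_0 = 2, V_1 = mu, V_k = mu*V_{k-1} - 2*V_{k-2}, mu = (-1)^(1-a)
    (Lucas-type recurrence; Hankerson, Menezes and Vanstone, ref. [1])."""
    mu = -1 if a == 0 else 1          # trace of Frobenius of E_a over GF(2)
    v_prev, v = 2, mu                 # V_0, V_1
    for _ in range(2, m + 1):
        v_prev, v = v, mu * v - 2 * v_prev
    return (1 << m) + 1 - v

def is_probable_prime(n, rounds=20):
    """Miller-Rabin with random bases; adequate for checking a candidate order."""
    if n < 4:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def base_point_order(m, a):
    """Split #E into h * n. E_a(GF(2)) is a subgroup of E_a(GF(2^m)), so its size
    (4 for a = 0, 2 for a = 1) always divides #E; n = #E / h is the candidate order."""
    h = 4 if a == 0 else 2
    order = koblitz_order(m, a)
    return h, order // h

def useful_degree(m):
    """Slide 42's question: m prime (slide 30) and, for a = 0 or a = 1, the base
    point order left after the forced cofactor is prime."""
    return is_probable_prime(m) and any(
        is_probable_prime(base_point_order(m, a)[1]) for a in (0, 1))

if __name__ == "__main__":
    for m in (163, 233, 571, 701):    # slide 42 lists 701 among the additional degrees
        print(f"m = {m}: useful degree = {useful_degree(m)}")
```

The five NIST Koblitz curves (K-163 with a = 1 and h = 2; K-233, K-283, K-409, K-571 with a = 0 and h = 4) all come out with prime n, which is the consistency check a practitioner would run before trusting the routine on new degrees.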
Slide 43: Synopsis of Criteria
- Pseudo-random seed bit-length equal to the degree of the field
- For the NIST requirement, a = 1, and b ≠ 0 having bit-length equal to the degree of the field.
- The hash algorithm must have a security level greater than or equal to the security level of the elliptic curve field degree. The SHA-1 hash function should be eliminated as a standard, and replaced with the SHA-256 function defined in FIPS 180-2 until the new SHS is determined and released.
- Computing the necessary orders should be performed using the most efficient algorithms available, such as SST, AGM, or MSST. However, the method used for Koblitz curves is beneficial for selecting other field degrees.
- Conversion algorithms and fast reduction algorithms should be readily computable for any field size, not just those specific to the standards.
Slide 44: Future Work
- Implementation of the MSST algorithm for any Galois field
- Test the SHA-3 hash functions as they become available
- Development of a stand-alone tool with a GUI for implementation of federal standards as well as verifiably random elliptic curves, for use in academia and commercially
- Examining fast-reduction algorithms for other non-standard degrees
- Lastly, a recommendation to NIST, IEEE, and ANSI concerning the termination of the use of SHA-1 until a new hash standard becomes available and supersedes SHA-1
Slide 45: Thank you
Slide 46: References
Slide 47: References (Books)
- [1] Hankerson, Darrel, Alfred Menezes, and Scott Vanstone. Gu​ide to Elliptic Curve Cryptography. Springer-Verlag, New York, 2004.
- [2] Menezes, Alfred J., Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
- [3] Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C. Second Edition. John Wiley & Sons, 1996.
- [4] Stallings, William. Cryptography and Network Security. 4th ed. Upper Saddle River: Pearson Prentice Hall, 2006.
- [5] Trappe, Wade, and Lawrence C. Washington. Introduction to Cryptography with Coding Theory. 2nd ed. Upper Saddle River: Pearson Prentice Hall, 2006.
- [6] Washington, Lawrence C. Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC, 2003.
- [7] Yan, Song Y. Primality Testing and Integer Factorization in Public-Key Cryptography. Kluwer Academic Publishers, 2004.
- [8] Zwillinger, Daniel. CRC Standard Mathematical Tables and Formulae. 30th ed. CRC Press, 1996.
Slide 48: References (Web-sites)
- [9] http://www.nsa.gov/ia/industry/crypto_suite_b.cfm
- [10] http://csrc.nist.gov/cryptval
- [11] http://research.sun.com/projects/crypto/
- [12] http://www.securitytechnet.com/crypto/algorithm/ecc.html
- [13] http://www.ellipsa.net
- [14] http://www.shamus.ie
- [15] http://www.anyexample.com/programming/java/java_simple_class_to_compute_sha_1_hash.xml
- [16] http://www.adastral.ucl.ac.uk/helger/crypto/link/public/elliptic/point_counting.php
- [17] http://files.codes-sources.com/fichier.aspx?id41412fSourcecode5CClibrary5Cmiracl5Csource5Ccurve5Cmueller.cpp
- [18] http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.htmlAppA
- [19] http://csrc.nist.gov/groups/ST/hash/policy.html
- [20] http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf
- [21] http://csrc.nist.gov/publications/PubsFIPS.html
Slide 49: References (White Papers)
- [22] ANSI, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI X9.62, 2005.
- [23] ANSI, "Key Agreement and Key Transport Using Elliptic Curve Cryptography", ANSI X9.63-199x, 1998. (Note: a 2001 version exists, but was unavailable at this time.)
- [24] Certicom Corp. Standards for Efficient Cryptography (SEC): SEC 2: Recommended Elliptic Curve Domain Parameters. Version 1.0. Certicom Corp., September 20, 2000.
- [25] Hankerson, Darrel, Julio Lopez Hernandez, and Alfred J. Menezes. Software Implementation of Elliptic Curve Cryptography over Binary Fields. 2000.
- [26] IEEE P1363-2000. Standard Specification for Public Key Cryptography.
- [27] Johnson, Don B., and Alfred J. Menezes. Elliptic Curve DSA (ECDSA): An Enhanced DSA.
- [28] Joux, Antoine, and Reynald Lercier. Counting Points on Elliptic Curves in Medium Characteristic.
- [29] Kim, Hae Young, Jung Youl Park, Jung Hee Cheon, Je Hong Park, Jae Heon Kim, and Sang Geun Hahn. Fast Elliptic Curve Point Counting Using Gaussian Normal Basis.
- [30] Matsui, Mitsuru. How Far Can We Go on the x64 Processors? Selected paper from the 13th International Workshop, FSE 2006, Fast Software Encryption. LNCS 4047. Springer, March 2006.
Slide 50: References (White Papers)
- [31] National Institute of Standards and Technology. Recommendation of Key Establishment Schemes. Draft 2.0. NIST Special Publication 800-56. January 2003.
- [32] Park, Je Hong, Jung Youl Park, and Sang Geun Hahn. Elliptic Curve Point Counting over Finite Fields with Gaussian Normal Basis.
- [33] United States Dept. of Commerce / National Institute of Standards and Technology. FIPS 140-2: Security Requirements for Cryptographic Modules. Federal Information Processing Standards Publication, 2001.
- [34] United States Dept. of Commerce / National Institute of Standards and Technology. FIPS 180-2: Secure Hash Standard. Federal Information Processing Standards Publication, 2002.
- [35] United States Dept. of Commerce / National Institute of Standards and Technology. FIPS 186-2: Digital Signature Standard (DSS). Federal Information Processing Standards Publication, 2000.
- [36] Vercauteren, Frederik. The SEA Algorithm in Characteristic 2.
Slide 51: Additional Publications
- Note: Some of these documents may be in draft form and not officially released, while other documents have been superseded.
- [37] ANSI, "Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI X9.62, 1998. (Superseded by X9.62-2005)
- [38] Certicom Corp. Standards for Efficient Cryptography (SEC): SEC 1: Elliptic Curve Cryptography. Version 1.0. Certicom Corp., September 20, 2000.
- [39] United States Dept. of Commerce / National Institute of Standards and Technology. FIPS 140-3 (Draft): Security Requirements for Cryptographic Modules. Federal Information Processing Standards Publication, 2007.
- [40] United States Dept. of Commerce / National Institute of Standards and Technology. FIPS 180-3 (Draft): Secure Hash Standard. Federal Information Processing Standards Publication, 2007.
- [41] United States Dept. of Commerce / National Institute of Standards and Technology. FIPS 186-3 (Draft): Digital Signature Standard (DSS). Federal Information Processing Standards Publication, 2006.