Elliptic Curve Cryptography Generation and Validation of Domain Parameters in Binary Galois Fields - PowerPoint PPT Presentation

1
Elliptic Curve Cryptography: Generation and Validation of Domain Parameters in Binary Galois Fields
  • Peter Wozny
  • Rochester Institute of Technology
  • M.S. Thesis Presentation
  • August 15, 2008

2
Agenda
  • Problem Statement
  • Fundamentals of Elliptic Curves
  • Federal Standards
  • Generating Parameters in $GF(2^m)$
  • Validation of Parameters and Security Considerations
  • Testing and Analysis
  • Results and Future Work
  • Questions
  • References

3
Problem Statement
  • Federal standards for Elliptic Curve parameters
    are confusing to understand.
  • How are these parameters generated?
  • Why are there only 5 sets of parameters defined
    for binary Galois fields, and 5 sets for Koblitz
    curves?
  • What are the criteria for secure parameters?
  • Are there other useful parameters that meet the
    necessary criteria?
  • With several published documents, what is the
    real standard?

4
Fundamentals of Elliptic Curves
  • Weierstrass Equation
  • $y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$
  • Prime fields, binary fields, and optimal
    extension fields.
  • Elliptic curves can include complex numbers

5
Elliptic Curve Cryptography
  • ECC is competing with RSA as a public-key cryptosystem
  • Elliptic Curves are based on cubic equations
  • ECC makes use of elliptic curves in which the
    variables and coefficients are elements of a
    finite field
  • Two federally approved groups are:
  • ECC over Prime Fields ($GF(p)$)
  • ECC over Binary Fields ($GF(2^m)$)
  • Includes Koblitz Curves

6
Federally Approved Curves
  • ECC over Prime Fields ($GF(p)$)
  • $y^2 = x^3 - 3x + b$ (as per NIST FIPS 186-2)
  • $y^2 = x^3 + ax + b$ (as per ANSI X9.63-2005)
  • ECC over Binary Fields ($GF(2^m)$)
  • $y^2 + xy = x^3 + ax^2 + b$
  • Koblitz curves have the form
  • $y^2 + xy = x^3 + ax^2 + 1$, where $a = 0$ or $1$

7
Mathematics of Elliptic Curves over $GF(2^m)$
  • Recalling $y^2 + a_1xy + a_3y = x^3 + a_2x^2 + a_4x + a_6$
  • And for non-supersingular curves $a_1 = 1$, $a_2 = A$, $a_3 = 0$, $a_4 = 0$, $a_6 = B$
  • $y^2 + xy = x^3 + ax^2 + b$
  • $P + \infty = P$, where $\infty$ is the infinity point
  • If $P = (x_P, y_P)$, then $(x_P, y_P) + (x_P, -a_1x_P - a_3 - y_P) = \infty$.
  • $-P = (x_P, -a_1x_P - a_3 - y_P)$, or $(x_P, -x_P - y_P)$
  • If $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ with $P \neq -Q$ and $P \neq Q$, then
  • R -R (xR, yR)
  • Point Doubling P (x0, y0) P (x1, y1)

8
Points on an Elliptic Curve (Example of Points in Prime Field)
[Figure: points for $y^2 = x^3 + 1x + 7 \pmod{139}$]

9
Points on a Toroid (Same points plotted on a toroid)
[Figure: toroid of points for $y^2 = x^3 + 1x + 7 \pmod{139}$]

10
Different Bases
  • Polynomial Basis
  • Interprets each element of a binary Galois field
    as though it were a binary polynomial.
  • Represented as binary numbers, and each bit is
    the coefficient of a polynomial equation
  • Specified by an irreducible polynomial f(x)
    modulo 2
  • Field arithmetic is implemented as polynomial
    arithmetic mod f(x)
  • Irreducible polynomials are either trinomials or
    pentanomials
  • Normal Basis
  • Normal basis elements are represented a little
    differently
  • Advantage in implementation of squaring
  • Mathematical functions are applied efficiently

11
Basis Conversion
  • Normal basis to Polynomial basis as follows
  • where ?1 is constructed by a series of
    squaring and reduction algorithms.

12
Basis Conversion
  • Polynomial basis to Normal basis as follows
  • where ?2 is constructed by a series of
    squaring and reduction algorithms.

13
Conversion Example
  • Given a conversion matrix, ?,
  • (1001) ? (0100)
  • For Elliptic Curves,
  • bit-strings > 160
  • The conversion matrix is created by squaring rows, taking the row with an irreducible polynomial modulus, and also utilizing the root of the irreducible polynomial.

14
Elliptic Curve Cryptography
  • ECC is a public key cryptosystem with several
    advantages
  • Smaller domain parameters than RSA
  • Less computer overhead (processing and memory)
  • More secure than RSA for equal size keys

15
What are the Domain Parameters in $GF(2^m)$?
  • E: the elliptic curve $y^2 + xy = x^3 + ax^2 + b$
  • m: field size, and the power of the leading x of the irreducible polynomial
  • f(x): irreducible polynomial modulus
  • a: coefficient for the elliptic curve equation
  • b: coefficient for the elliptic curve equation
  • P: $(x_P, y_P)$, a point on the elliptic curve
  • n: the order of the point P
  • h: the cofactor, such that $h = \#E(F(2^m)) / n$
  • $h \in \{2, 4\}$
  • s: seed for the hash function for random parameter generation

16
How to get Domain Parameters
  • Domain Parameters are obtained in one of two ways:
  • Verifiably Random Parameter Generation: specific algorithms defined in standards for generating parameters and validating the domain parameters, as well as verifying randomness of the elliptic curve
  • OR
  • U.S. Federal and International Standards: parameters that have been computed and published in standards for various security levels, for ease of use without the need of the generation and validation process

17
Standards for Domain Parameters
  • U.S. federally published standards are available
    from
  • ANSI X9.62 2005
  • NIST FIPS 186-2 (Jan. 2000)
  • IEEE - 1363 (2000, amendment 2004)
  • Certicom's documentation SEC-1, SEC-2 (Sept. 2000)
  • European Standards
  • ISO 14888-3, 15946
  • Recommendation from NESSIE
  • New European Schemes for Signatures,
    Identification and Encryption project of the
    EU, similar to AES competition
  • Internet Engineering Task Force: PKIX, IPSEC, S/MIME, TLS
  • With several standards, what is standard?

18
Comparison of the U.S. Standards
  • NIST: National Institute of Standards and Technology
  • 5 sets of parameters for prime fields
  • 5 sets of parameters for binary Galois fields
  • 5 sets of parameters for Koblitz curves
  • Prime Field Curve
  • 192, 224, 256, 384, 521 bit size standards
  • 160 additional in ANSI
  • 112, 128, 160 additional in IEEE
  • Binary Field Curve
  • 163, 233, 283, 409, 571 bit size standards
  • 193, 239 additional in ANSI
  • 113, 131, 239 additional in IEEE
  • Koblitz Curves in $2^m$
  • 163, 233, 283, 409, 571 bit size standards
  • Some of these offer multiple sets in ANSI and
    IEEE standards

19
Comparison of the U.S. Standards
  • SECG: Secure Efficient Cryptography Group
  • The standards are consolidated in this document
  • 15 sets of parameters for prime fields
  • 12 sets of parameters for binary Galois fields
  • 6 sets of parameters for Koblitz curves
  • Prime Field Curve (including Koblitz sets in
    GF(p))
  • 112, 128, 160, 192, 224, 256, 384, 521 bit size
    standards
  • Binary Field Curve
  • 113, 131, 163, 193, 233, 239, 283, 409, 571 bit
    size standards
  • Koblitz Curve in $2^m$
  • 163, 233, 239, 283, 409, 571 bit size standards

20
Reason for 5 Standards Sets
Size is more than twice the symmetric cipher key
length.
Values also yield Koblitz curve base point
orders.
21
NIST Parameters for $GF(2^{163})$
  • Binary Field ($2^{163}$)
  • m = 163
  • a = 1: NIST standard sets the EC value for a = 1
  • h = 2
  • $f(x) = x^{163} + x^7 + x^6 + x^3 + 1$
  • s = 0x 85e25bfe 5c86226c db12016f 7553f9d0 e693a268
  • n = 5846006549323611672814742442876390689256843201587
  • Polynomial Basis
  • b = 00000002 0a601907 b8c953ca 1481eb10 512f7874 4a3205fd
  • xP = 00000003 f0eba162 86a2d57e a0991168 d4994637 e8343e36
  • yP = 00000000 d51fbc6c 71a0094f a2cdd545 b11c5c0c 797324f1
  • Normal Basis
  • b = 00000006 645f3cac f1638e13 9c6cd13e f61734fb c9e3d9fb
  • xP = 00000000 311103c1 7167564a ce77ccb0 9c681f88 6ba54ee8
  • yP = 00000003 33ac13c6 447f2e67 613bf700 9daf98c8 7bb50c7f

22
Generating Random Parameters
  • Input Parameters: security level, maximum cofactor, trial division bound (Imax), seed, and MOV threshold

Generate Curve Coefficients $y^2 + xy = x^3 + ax^2 + b$
Determine Basis (Normal or Polynomial)
Compute Order (Cofactor, seed, )
Generate a Base Point (Cofactor, seed, order)
23
Generating Random Elliptic Curve
24
Hash Functions
  • Current standards (FIPS 180-2)
  • SHA-1, SHA-256, SHA-384, SHA-512
  • SHA-1
  • Will be replaced by 2010
  • Has collisions
  • FIPS 180-3
  • Has not been released by NIST
  • It includes SHA-224, SHA-256, SHA-384, SHA-512
  • It is a file's fingerprint

25
Hash Functions
  • Parsed Message (Block size)
  • → Hash function performs bitwise modifications in order to reduce the size of the output
  • → Smaller Representation of the Block of Data (Message Digest Size)

26
Generation Algorithms
  • For randomly verifiable parameters
  • SHA-1 is denoted as the Standard Hash algorithm used
  • The Point-Counting algorithms used in binary fields are
  • Schoof, Elkies, Atkin Algorithm
  • AGM: Arithmetic Geometric Mean
  • SST: Satoh, Skjernaa, Taguchi algorithm
  • MSST: Modified Satoh, Skjernaa, Taguchi algorithm
  • Base Point Order for Koblitz Curves
  • Implementation similar to a Lucas Sequence
  • $L_n = L_{n-1} + L_{n-2}$

27
Generating Base Point
28
Fast Reduction
Fast Reduction algorithms convert data to the 5
NIST standard fields
Reduction in non-standard fields can be performed
using a bit-by-bit reduction. (More time
consuming)
29
Validation Process
  • The parameters need to be validated
  • (Show they satisfy the arithmetic requirements)
  • To prevent malicious insertion of insecure
    parameters
  • To detect inadvertent coding or transmission
    errors
  • The standards provide algorithms for validating
    the domain parameters for both prime and binary
    fields.
  • The criteria are on the following charts.

30
Criteria for Domain Parameters
  • The validation of the elliptic curve has four
    criteria for binary Galois fields
  • The field must be of the form $F(2^m)$, where m is prime.
  • The coefficients of the curve, a and b, when converted to binary must have a bit-length of m bits.
  • The value of $b \neq 0$.
  • The seed used to generate the curve must match the seed provided.
  • Validation of a base point has some additional constraints [22].
  • The base point, P, is not the infinity point.
  • $G = hP$, where $P = (x_P, y_P)$, and h is the cofactor.
  • $P = (x_P, y_P)$, and each component has bit-length equal to m.
  • $(x_P, y_P)$ must satisfy the associated elliptic curve equation.
  • $nP = \infty$.
  • If G is not a valid base point then increment base and go back to Step 2 in the base-point generation algorithm, unless base > $10h^2$, in which case, output "Failure".
  • If P is generated randomly, utilize the
    parameters (h, n, seed) to recreate the base
    point, and compare with the value received.
    These values should match.
  • Verify that the MOV and Anomalous conditions are
    met.

31
Necessary Conditions for Secure EC
  • According to ANSI X9.62-2005
  • MOV Condition
  • Anomalous Condition

32
MOV Condition
  • MOV Condition: named after Menezes, Okamoto, Vanstone
  • Ensures that the elliptic curve is not vulnerable
    to reduction attacks
  • Reduction Attack of MOV
  • Reducing a DL problem in Fq to FqB where B 1
  • B is the MOV threshold
  • In the ANSI standard, B 100
  • Not a problem with degree of the field > 160

33
Anomalous Condition
  • The anomalous condition is achieved when the
    number of points on an elliptic curve, in a
    designated field does not equal the size of the
    binary field.
  • $\#E(F(2^m)) \neq 2^m$
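
The checks from the validation criteria and the MOV and anomalous conditions above, applied to the NIST $GF(2^{163})$ polynomial-basis parameters from the earlier slide. This is an added example, not code from the presentation or the thesis; the function names and the result layout of `validate` are hypothetical, the MOV bound of 100 is the value the slide gives for the ANSI standard, and "bit-length of m" is checked as "fits in m bits".

```python
M, A, H = 163, 1, 2  # degree m, coefficient a, cofactor h (from the NIST slide)
F = (1 << 163) | (1 << 7) | (1 << 6) | (1 << 3) | 1  # f(x) = x^163 + x^7 + x^6 + x^3 + 1
B = 0x020a601907b8c953ca1481eb10512f78744a3205fd  # b, polynomial basis
P = (0x03f0eba16286a2d57ea0991168d4994637e8343e36,  # xP
     0x00d51fbc6c71a0094fa2cdd545b11c5c0c797324f1)  # yP
N = 5846006549323611672814742442876390689256843201587  # order n of P

def gf_mul(u, v):  # u*v mod f(x); u must be reduced, v may have any degree
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u >> M:  # degree reached m: reduce bit by bit with f(x)
            u ^= F
    return r

def gf_inv(a):  # inverse of a != 0, extended Euclid on binary polynomials
    u, v, g1, g2 = a, F, 1, 0
    while u != 1:
        j = u.bit_length() - v.bit_length()
        if j < 0:
            u, v, g1, g2, j = v, u, g2, g1, -j
        u ^= v << j
        g1 ^= g2 << j
    return g1

def on_curve(pt, a, b):  # y^2 + xy == x^3 + a*x^2 + b
    x, y = pt
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(a, x2) ^ b

def ec_add(p, q, a):  # None stands for the point at infinity
    if p is None or q is None:
        return q if p is None else p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if y1 ^ y2 == x1:  # q == -p (also covers doubling a point with x = 0)
            return None
        lam = x1 ^ gf_mul(y1, gf_inv(x1))  # doubling: lambda = x + y/x
        x3 = gf_mul(lam, lam) ^ lam ^ a
        return (x3, gf_mul(x1, x1) ^ gf_mul(lam, x3) ^ x3)
    lam = gf_mul(y1 ^ y2, gf_inv(x1 ^ x2))
    x3 = gf_mul(lam, lam) ^ lam ^ x1 ^ x2 ^ a
    return (x3, gf_mul(lam, x1 ^ x3) ^ x3 ^ y1)

def ec_mul(k, pt, a):  # left-to-right double-and-add
    r = None
    for bit in bin(k)[2:]:
        r = ec_add(r, r, a)
        r = ec_add(r, pt, a) if bit == "1" else r
    return r

def validate(a, b, pt, n, h, mov_bound=100):
    return {
        "m_prime": all(M % d for d in range(2, int(M ** 0.5) + 1)),
        "fits_m_bits": all(v.bit_length() <= M for v in (a, b, *pt)),
        "b_nonzero": b != 0,
        "on_curve": on_curve(pt, a, b),
        "nP_is_infinity": ec_mul(n, pt, a) is None,
        "mov": all(pow(2, M * i, n) != 1 for i in range(1, mov_bound + 1)),
        "not_anomalous": h * n != 2 ** M,
    }
```

`validate(A, B, P, N, H)` returns one boolean per criterion. Flipping a single bit of b leaves `nP_is_infinity` true, because the group law never uses b, so only the explicit curve-equation check catches that change.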

34
Testing Performed
  • Re-creating the Standard Elliptic Curves given
    NIST parameters
  • Examining the results of the implementation
  • Confirming the basis
  • AES Algorithm (www.shamus.ie)
  • Generating a Randomly Verifiable Elliptic Curve
  • Computing the order of known Koblitz Curves
  • Computing the order of Koblitz Curve Base points beyond m = 571 so as to determine other useful degrees

35
Randomly Verifiable Test Case
  • A prime number degree chosen that was not a NIST
    standard
  • Binary Field ($2^{311}$)
  • m = 311
  • a = 1
  • $f(z) = z^{311} + z^7 + z^5 + z^3 + 1$
  • Generating a PRN for the seed
  • Seed: FA7D88A5 39D62746 D6652416 44617B3C 16030324

36
Random EC Curve Coefficients
  • Seed: FA7D88A5 39D62746 D6652416 44617B3C 16030324
  • Hash: a2c087c3 91766f31 86287017 ed2aa5a0 743d6c8e
  • eVal: 929150074658595225474527593156946520741668285582
  • Normal Basis
  • a = 1
  • b = 004087c3 91766f31 86287017 ed2aa5a0 743d6c8e a5408fd0 e4685d67 48182e94 09c07c76 cf66484c
  • b length = 311
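
The seed-to-coefficient expansion shown on this slide (hash the seed, keep the rightmost bits, append further hash blocks), written out as an added example that is not code from the presentation. It follows the FIPS 186-2 seed-expansion procedure, in which each later block hashes the seed incremented as an integer; `derive_b`, `seed_matches` and the `hash_name` parameter are hypothetical names, and the selectable hash goes beyond the SHA-1 case on the slide.

```python
import hashlib

SEED_311 = bytes.fromhex("FA7D88A539D62746D665241644617B3C16030324")  # seed from the slide

def derive_b(seed: bytes, m: int, hash_name: str = "sha1") -> int:
    """Expand `seed` into an m-bit candidate for the coefficient b."""
    digest_bits = hashlib.new(hash_name).digest_size * 8
    s = (m - 1) // digest_bits          # number of full-width hash blocks appended
    v = m - digest_bits * s             # bits kept from the first hash

    def h(data: bytes) -> int:
        return int.from_bytes(hashlib.new(hash_name, data).digest(), "big")

    b = h(seed) & ((1 << v) - 1)        # rightmost v bits of Hash(seed)
    z = int.from_bytes(seed, "big")
    seed_bits = 8 * len(seed)
    for i in range(1, s + 1):
        # Counter block: (seed + i) mod 2^g, encoded at the seed's own length.
        s_i = ((z + i) % (1 << seed_bits)).to_bytes(len(seed), "big")
        b = (b << digest_bits) | h(s_i)
    return b

def seed_matches(seed: bytes, m: int, claimed_b: int, hash_name: str = "sha1") -> bool:
    """Validation step: the received b must be non-zero and reproducible from the seed."""
    return claimed_b != 0 and derive_b(seed, m, hash_name) == claimed_b

if __name__ == "__main__":
    b = derive_b(SEED_311, 311)
    print("b fits in 311 bits:", b.bit_length() <= 311)
    print("untouched b accepted:", seed_matches(SEED_311, 311, b))
    print("one flipped bit accepted:", seed_matches(SEED_311, 311, b ^ 1))
```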

37
Computing Useful Orders
Implementation of Theorem 4.12 and Lemma 4.13
allows for computing the number of points on an
elliptic curve quickly. Thereby computing the
order of the base point.
38
Steps in Computing Order
  • The points on $E: y^2 + xy = x^3 + ax^2 + 1$ in $F(2)$ are as follows for the condition that $a = 0$ or $a = 1$.
  • $E(F(2))$: $(\infty, \infty)$, (0, 0), (0, 1), (1, 0), (1, 1)

39
Steps in Computing Order
For NIST, a = 1 and b is computed from the verifiably random EC.
40
Steps in Computing Order
41
Order of Koblitz Base Point (Beyond m = 571)
$h \cdot n = \#E(F(2^m))$
42
Additional Degree Fields
  • The degree of Koblitz curves and elliptic curves for Binary Galois Fields are the same. Therefore, other degrees less than 3000 that would be suitable are
  • 701, 1153, 1249, 1597, 1621, 1913, 2063, 2221, 2437, 2647, and 2909
  • Fast reduction algorithms must be developed
    beyond 1140, or bit-by-bit reduction can be used

43
Synopsis of Criteria
  • Pseudo-Random Seed bit-length equal to the degree
    of the field
  • For NIST requirement, a = 1, and $b \neq 0$ having bit-length equal to the degree of the field.
  • Hash algorithm must have a security level greater
    than or equal to the security level of the
    elliptic curve field degree. SHA-1 hash function
    should be eliminated as a standard, and replaced
    with the SHA-256 function defined in FIPS 180-2
    until the new SHS is determined and released.
  • Computing the necessary orders should be
    performed using the most efficient algorithms
    available, such as SST, AGM, or MSST. However,
    the method used for Koblitz curves is beneficial
    to select other field degrees.
  • Conversion algorithms and fast reduction
    algorithms should be readily computable for any
    field size, not just specific to the standards.

44
Future Work
  • Implementation of the MSST algorithm for any
    Galois field
  • Test the SHA-3 Hash functions as they become
    available
  • Development of a stand-alone tool with a GUI for
    implementation of Federal standards as well as
    randomly-verifiable elliptic curves for use in
    academia and commercially
  • Examining fast-reduction algorithms for other
    non-standard degrees
  • Lastly, recommendation to NIST, IEEE, and ANSI
    concerning the termination of using SHA-1 until a
    new hash standard becomes available and
    supersedes SHA-1

45
Thank you
46
References
47
References (Books)
  • [1] Hankerson, Darrel, Alfred Menezes, and Scott Vanstone. Guide to Elliptic Curve Cryptography. Springer-Verlag, New York, 2004.
  • [2] Menezes, Alfred J., Paul C. van Oorschot, and Scott A. Vanstone. Handbook of Applied Cryptography. CRC Press, 1996.
  • [3] Schneier, Bruce. Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition. John Wiley & Sons, 1996.
  • [4] Stallings, William. Cryptography and Network Security. 4th ed. Upper Saddle River: Pearson Prentice Hall, 2006.
  • [5] Trappe, Wade, and Lawrence C. Washington. Introduction to Cryptography with Coding Theory. 2nd ed. Upper Saddle River: Pearson Prentice Hall, 2006.
  • [6] Washington, Lawrence C. Elliptic Curves: Number Theory and Cryptography. Chapman & Hall/CRC, 2003.
  • [7] Yan, Song Y. Primality Testing and Integer Factorization in Public-Key Cryptography. Kluwer Academic Publishers, 2004.
  • [8] Zwillinger, Daniel. CRC Standard Mathematical Tables and Formulae. 30th ed. CRC Press, 1996.

48
References (Web-sites)
  • [9] http://www.nsa.gov/ia/industry/crypto_suite_b.cfm
  • [10] http://csrc.nist.gov/cryptval
  • [11] http://research.sun.com/projects/crypto/
  • [12] http://www.securitytechnet.com/crypto/algorithm/ecc.html
  • [13] http://www.ellipsa.net
  • [14] http://www.shamus.ie
  • [15] http://www.anyexample.com/programming/java/java_simple_class_to_compute_sha_1_hash.xml
  • [16] http://www.adastral.ucl.ac.uk/helger/crypto/link/public/elliptic/point_counting.php
  • [17] http://files.codes-sources.com/fichier.aspx?id41412fSourcecode5CClibrary5Cmiracl5Csource5Ccurve5Cmueller.cpp
  • [18] http://java.sun.com/j2se/1.4.2/docs/guide/security/CryptoSpec.htmlAppA
  • [19] http://csrc.nist.gov/groups/ST/hash/policy.html
  • [20] http://csrc.nist.gov/groups/ST/hash/documents/FR_Notice_Nov07.pdf
  • [21] http://csrc.nist.gov/publications/PubsFIPS.html

49
References (White Papers)
  • [22] ANSI, "Public Key Cryptography for the Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI X9.62, 2005.
  • [23] ANSI, "Key Agreement and Key Transport Using Elliptic Curve Cryptography", ANSI X9.63-199x. 1998. (Note: 2001 version exists, but was unavailable at this time)
  • [24] Certicom Corp. Standards for Efficient Cryptography (SEC), SEC 2: Recommended Elliptic Curve Domain Parameters. Version 1.0. Certicom Corp. September 20, 2000.
  • [25] Hankerson, Darrel, Julio Lopez Hernandez, and Alfred J. Menezes. Software Implementation of Elliptic Curve Cryptography Over Binary Fields. 2000.
  • [26] IEEE P1363-2000. Standard Specification for Public Key Cryptography.
  • [27] Johnson, Don B., and Alfred J. Menezes. Elliptic Curve DSA (ECDSA): An Enhanced DSA.
  • [28] Joux, Antoine, and Reynald Lercier. Counting Points on Elliptic Curves in Medium Characteristic.
  • [29] Kim, Hae Young, Jung Youl Park, Jung Hee Cheon, Je Hong Park, Jae Heon Kim, and Sang Geun Hahn. Fast Elliptic Curve Point Counting Using Gaussian Normal Basis.
  • [30] Matsui, Mitsuru. How Far Can We Go on the X64 Processors? Selected paper from 13th International Workshop, FSE 2006. Fast Software Encryption. LNCS 4047. Springer. March 2006.

50
References (White Papers)
  • [31] National Institute of Standards and Technology. Recommendation of Key Establishment Schemes. Draft 2.0. NIST Special Publication 800-56. January 2003.
  • [32] Park, Je Hong, Jung Youl Park, and Sang Geun Hahn. Elliptic Curve Point Counting Over Finite Fields with Gaussian Normal Basis.
  • [33] United States Dept. of Commerce/National Institute of Standards and Technology. FIPS 140-2. Security Requirements for Cryptographic Modules. Federal Information and Processing Standards Publication, 2001.
  • [34] United States Dept. of Commerce/National Institute of Standards and Technology. FIPS 180-2. Secure Hash Standard. Federal Information and Processing Standards Publication, 2002.
  • [35] United States Dept. of Commerce/National Institute of Standards and Technology. FIPS 186-2. Digital Signature Standard (DSS). Federal Information and Processing Standards Publication, 2000.
  • [36] Vercauteren, Frederik. The SEA Algorithm in Characteristic 2.

51
Additional Publications
  • Note: Some of these documents may be in draft form and not officially released, while other documents have been superseded.
  • [37] ANSI, "Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI X9.62, 1998. (Superseded by X9.62-2005)
  • [38] Certicom Corp. Standards for Efficient Cryptography (SEC), SEC 1: Elliptic Curve Cryptography. Version 1.0. Certicom Corp. September 20, 2000.
  • [39] United States Dept. of Commerce/National Institute of Standards and Technology. FIPS 140-3 (Draft). Security Requirements for Cryptographic Modules. Federal Information and Processing Standards Publication, 2007.
  • [40] United States Dept. of Commerce/National Institute of Standards and Technology. FIPS 180-3 DRAFT. Secure Hash Standard. Federal Information and Processing Standards Publication, 2007.
  • [41] United States Dept. of Commerce/National Institute of Standards and Technology. FIPS 186-3 (Draft). Digital Signature Standard (DSS). Federal Information and Processing Standards Publication, 2006.