Elliptic Curve Cryptography
by
Kai Laemmle
(Under the direction of Matthew Baker)
Abstract
We will introduce the reader to elliptic curves, and explain how they can be used for cryptography and why they are more difficult to attack in comparison to systems based on finite fields, such as the famous RSA algorithm. This expository paper will discuss different algorithms to attack cryptographic systems, such as the index calculus method, Shanks’ algorithm, Pollard’s rho method and the pairing attack. Finally, we will construct the Weil pairing, prove some of its important properties and present an algorithm to compute it. The study of attacks on cryptographic systems can help to reveal that a certain cryptographic protocol is weak and therefore that it should not be used. The reader should have background in algebra, basic number theory and some cryptography, such as the RSA algorithm. No background in elliptic curves or in algebraic geometry is required, but may be helpful.
Index words: Elliptic curve cryptography, Discrete logarithm problem, Shanks' Baby-Step Giant-Step algorithm, Pollard's rho method, Index calculus method, Pairing attack, MOV/Frey-Rück attack, Weil pairing, Computing the Weil pairing
Vordiplom (equiv. B.A.), University of Hannover, Germany, 2001
A Thesis Submitted to the Graduate Faculty of The University of Georgia in Partial Fulfillment of the Requirements for the Degree
Master of Arts
Athens, Georgia
2003

© 2003 Kai Laemmle. All Rights Reserved.
Approved:
Major Professor: Matthew Baker
Committee: Robert Rumely, Robert Varley
Electronic Version Approved:
Maureen Grasso, Dean of the Graduate School, The University of Georgia, December 2003

Acknowledgments
I address special thanks to Christina Geisler, Kyunglim Nam, Jeff Thompson, Markus Hunziker, Kareem Shabana, Charles James and Allison Barfield for your support and your friendship. Thank you to Michael Guy, who encouraged and supported me in common classes, to Janice Winner and to International Student Life of the University of Georgia, who helped me very much when I arrived in the United States, and to Nicole Schulze, who was right when she suggested studying abroad for a while. I also thank Matt Baker and the other committee members for your academic advice and cooperation. Thanks to all friends I did not mention above, and for all the good things that happened to me during my stay in Athens.
Table of Contents

Acknowledgments

Chapter 1 Introduction
 1.1 Idea of Cryptography
 1.2 Overview
 1.3 Why Elliptic Curve Cryptosystems?

Chapter 2 Applications of Elliptic Curves in Cryptography
 2.1 Elliptic Curves And Cryptography
 2.2 Analog of Diffie-Hellman Key-Exchange Protocol
 2.3 Analog of Massey-Omura
 2.4 Analog of ElGamal

Chapter 3 Encoding
 3.1 An Encoding Algorithm
 3.2 Square Test
 3.3 Computing Square Roots In $\mathbb{F}_p$

Chapter 4 The Discrete Logarithm Problem
 4.1 The DLP and the Security of Cryptosystems
 4.2 Comparing Algorithms on the DLP
 4.3 Shanks' Baby-Step Giant-Step Algorithm
 4.4 Pollard's Rho Method
 4.5 The Index Calculus Method

Chapter 5 The Weil Pairing
 5.1 The Pairing Attack In General
 5.2 Preparation for the Weil Pairing
 5.3 Definition and Properties of the Weil Pairing
 5.4 Computing the Weil Pairing
 5.5 Proving Properties of the Weil Pairing

Bibliography

Chapter 1
Introduction
1.1 Idea of Cryptography
Alice wants to send a message to Bob using a public channel. What does Alice do if only Bob should be able to read the message? She uses methods of cryptography, for instance a public key cryptosystem: Bob creates a so-called public key and a corresponding private key. The public key is known to every user and is used to encrypt a message. The private key is only known to Bob and is used to decrypt the message. Alice uses the public key of Bob to encrypt her message and sends the encrypted message to Bob. Bob, having his secret information (his secret or private key), can now decrypt the message. Without Bob's secret key, it should be very hard to decrypt the message.

The main idea of cryptography is that decryption is easy when one has certain secret information, but without that information it is very difficult (or even impossible in a reasonable amount of time) to decrypt the message.

In general, when somebody makes up a new cryptosystem, its security will usually be either disproved (for instance, by an algorithm cracking it), or else its security will be believed after a large number of unsuccessful attempts at breaking the cryptosystem. So, we might rephrase the above paragraph: The main idea of cryptography is that decryption is easy when one has certain secret information, but without that information it is believed to be very hard (or even impossible in a reasonable amount of time) to decrypt the message.
1.2 Overview
We will explain how to use elliptic curves for encryption and decryption in chapter 2. There, we will discuss the Diffie-Hellman Key-Exchange protocol and the Diffie-Hellman problem, and we will look at two cryptosystems adapted to elliptic curves, namely the Massey-Omura protocol and the ElGamal protocol. While chapter 2 deals with points on elliptic curves, we actually want to encrypt and decrypt messages. Filling this gap, i.e. embedding messages as points on a given elliptic curve, is called encoding. We will talk about how we can encode messages as points on an elliptic curve in chapter 3. The encoding algorithm needs a square test modulo $p$, and it involves computing square roots modulo $p$. The strength of cryptosystems based on discrete exponentiation relies on the fact that the inverse operation, the discrete logarithm problem (DLP), is considered very hard to solve. In chapter 4, we will discuss the DLP and introduce some attacks on it, such as the index calculus method, Shanks' Baby-Step Giant-Step algorithm and Pollard's rho method. Knowing under which conditions these attacks are efficient helps to avoid weak cryptosystems when one is choosing or designing a cryptosystem. In chapter 5, we focus on one particular class of attacks on the DLP on an elliptic curve, namely pairing attacks, and we will discuss one particular example, the Weil pairing attack, in detail. The goal of pairing attacks is to reduce the DLP for elliptic curves to the DLP for multiplicative groups of finite fields.
1.3 Why Elliptic Curve Cryptosystems?
The RSA cryptosystem is difficult to crack because it is believed to be very hard to decompose large composite numbers into their prime factors in a reasonable amount of time. A cryptosystem based on discrete exponentiation, such as the Diffie-Hellman protocol, is difficult to attack because the discrete logarithm problem is believed to be hard to solve. It is a good idea to use a combination of cryptosystems, involving both the discrete logarithm problem and the difficulty of factoring large numbers. Besides adding versatility, cryptosystems based on discrete exponentiation need smaller parameters than comparable RSA-type cryptosystems. This explains why we would like to use discrete logarithms. But why do we not just base our algorithms on multiplicative groups of finite fields rather than elliptic curves, since arithmetic in finite fields is much easier?

There is no known "efficient" algorithm to crack a general elliptic curve cryptosystem, provided we choose our elliptic curve cryptosystem to satisfy certain conditions. The index calculus method, which is based on factor bases, does solve the DLP for multiplicative groups of finite fields "efficiently", but this attack does not seem to carry over to elliptic curve cryptosystems, since there is no known analogue of factor bases on elliptic curves.

An "efficient" algorithm here means a so-called subexponential algorithm, which is better than exponential running time but worse than polynomial running time. Let the input be $p$, so that the input size is about $\log p$. Then $5\log^3 p + 3\log p$ is polynomial in $\log p$ (we just say "polynomial"), and $p^5 + \log p$ is exponential (in $\log p$). The expected running time of the index calculus method is $O\!\left(e^{\sqrt{2\log p \,\log\log p}}\right)$, which is subexponential.

Chapter 2
Applications of Elliptic Curves in Cryptography
In this chapter we will discuss some examples of how elliptic curves can be used for cryptographic purposes. We will present the Diffie-Hellman Key-Exchange protocol, the Massey-Omura protocol and the ElGamal protocol adapted to elliptic curves. These protocols can also be implemented over finite multiplicative groups (see [6]). Elliptic curve cryptosystems can be used to create a common secret with communication over a public channel, which is achieved, for instance, by the Diffie-Hellman Key-Exchange protocol. This common secret can serve as a private key to encrypt and decrypt a message, as in the ElGamal protocol outlined at the end of this chapter. While the ElGamal protocol requires a base point $B$ of the elliptic curve, where $B$ should have a high order, preferably close to the number of points on the elliptic curve, the Massey-Omura protocol needs the number of points of an elliptic curve over a fixed field, which can be computed using Schoof's algorithm (see [11]). Another disadvantage of Massey-Omura is that it requires more back-and-forth communication, which in practice is often a major disadvantage, and which also makes more information accessible to the public and therefore might make the protocol more vulnerable. At the end of the section on the Diffie-Hellman protocol, we will mention the Diffie-Hellman problem, which is related to the security of this cryptosystem.
2.1 Elliptic Curves And Cryptography
As in the RSA algorithm, we represent a message as an integer. Since elliptic curves consist of points instead of integers, we have to embed the set of all possible messages into the points on our elliptic curve. This step is called encoding and is described in chapter 3. Here, we will focus on how an encoded message, i.e. a point on a given elliptic curve, can be encrypted and decrypted. First, we will address the questions "What is an elliptic curve?" and "How can we do arithmetic on an elliptic curve?".
Definition 2.1.1 Let $K$ be a field of characteristic $\neq 2, 3$, and let $x^3 + ax + b$ (where $a, b \in K$) be a cubic polynomial with no multiple roots.

1. An elliptic curve over $K$ is the set of all points $(x, y)$ with $x, y \in K$ which satisfy the equation
$$y^2 = x^3 + ax + b \qquad \text{(Weierstrass normal form)}$$
together with a single element denoted $0$ and called the "point at infinity".

2. We use the notation $E(K) := \{(x, y) \in K^2 \mid y^2 = x^3 + ax + b\} \cup \{0\}$. If it is clear from the context what our base field is, then we write $E$ instead of $E(K)$.
Remark The definition can be generalized to a field of any characteristic. There is also a more geometric definition based on some concepts in algebraic geometry. We refer the reader to [12].

The Group Structure. The set of all points on an elliptic curve forms an abelian group. How do we add two points? If we are given two points $P, Q \in E(K)$ with $P, Q \neq 0$, then the chord through the points $P, Q$ intersects the curve in a third point $R$ (if the chord is vertical, then the third point is the point at infinity, and if $P = Q$ then we take the line tangent to the curve $E$ at the point $P$). We reflect $R$ across the $x$-axis to obtain $P + Q$. If one of $P$ or $Q$ is the point at infinity, say $Q$, then the chord through $P$ and $Q$ is a vertical line intersecting the curve in $P$, $0$, and a third point $R$ which is the reflection of $P$ across the $x$-axis. As above, reflect this point across the $x$-axis to get $P + 0$, which leads us back to $P$. In other words, $P + 0 = P$. Similarly, we have $0 + Q = Q$. For more details on the group structure, and a nice picture, see [6], pp. 168–169.

Do we really know that this operation together with $E$ forms a group? Besides showing that $0$ is the identity, that every element has an inverse, and that the operation is commutative (all of which follow directly from the definition), one has to show that the operation is associative, which is not obvious (for a proof, see [14], section "The Group Law").
Example 2.1.2 Consider the elliptic curve $E: y^2 = x^3 + 17$ over the field $\mathbb{Q}$. Let $P := (-1, 4)$ and $Q := (2, 5)$. The line through these two points is $y = \frac{1}{3}x + \frac{13}{3}$. It intersects $E$ in three points, namely $P$, $Q$ and a third point $R := (-8/9, 109/27)$. Reflecting $R$ across the $x$-axis, we get $P + Q = (-8/9, -109/27)$.
Lemma 2.1.3 Let $P := (x_1, y_1)$, $Q := (x_2, y_2)$, and $P + Q := (x_3, y_3)$. If $P \neq Q$ and $x_1 \neq x_2$, then
$$x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2, \qquad y_3 = -y_1 + \frac{y_2 - y_1}{x_2 - x_1}\,(x_1 - x_3).$$
(If $P \neq Q$ but $x_1 = x_2$, the chord is vertical, $Q = -P$ and $P + Q = 0$.) If $P = Q$ and $y_1 \neq 0$, then $P + Q = 2P$ has the coordinates
$$x_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1, \qquad y_3 = -y_1 + \frac{3x_1^2 + a}{2y_1}\,(x_1 - x_3).$$
(If $y_1 = 0$, the tangent is vertical and $2P = 0$.)

These formulas hold in any characteristic except characteristic 2. If our base field is $\mathbb{F}_q$, where $q$ is a power of a prime number, then $x_3$ and $y_3$ can be computed in at most 20 operations in $\mathbb{F}_q$. Since one operation in $\mathbb{F}_q$ takes $O(\log^3 q)$, we can compute $P + Q$ in $O(\log^3 q)$ (see [6], p. 178).

While the RSA algorithm is based on arithmetic over the integers, elliptic curve cryptosystems take advantage of the group structure of elliptic curves. Suppose we are given a message encoded as a point $P$ on an elliptic curve, and we want to encrypt this point. One possibility is to use a positive integer $e$ to encrypt $P$ as
$$eP = \underbrace{P + P + \cdots + P}_{e \text{ times}}.$$
Here the encrypted message is the point $eP$, and the encryption key is an integer. In elliptic curve cryptography, encryption and decryption keys are either integers, as in the example above, or certain points on the elliptic curve. Multiplying the point $P$ by $e$ to get $eP$ in an elliptic curve cryptosystem corresponds to taking a group element $g$ and raising it to the power $e$ to obtain $g^e$ in a finite multiplicative group. How quickly can we compute $eP$? The idea is to use the repeated doubling method:

Example 2.1.4 (taken from [6]) To find $100P$ we write $100P = 2(2(P + 2(2(2(P + 2P)))))$, and end up performing 6 doublings and 2 additions of points on the curve.

This idea needs $O(\log e)$ group operations in $E(\mathbb{F}_q)$ to calculate $eP$ from $P$. Since one group operation in $E(\mathbb{F}_q)$ takes $O(\log^3 q)$, it takes $O(\log e \,\log^3 q)$ to compute $eP$.

Let us have a look at three examples illustrating how we can use elliptic curves for cryptographic purposes. These three examples are protocols originally based on $(\mathbb{Z}/n\mathbb{Z})^*$, and in the following sections the protocols are adapted to elliptic curves.
2.2 Analog of Diffie-Hellman Key-Exchange Protocol
Originally, the protocol was applied to $(\mathbb{Z}/n\mathbb{Z})^*$ (see [6], p. 98) and was later adapted to elliptic curves. In this section, we will only discuss the version of this protocol for elliptic curves. Aïda and Bernardo want to share a common secret key. This secret key can be used to encrypt and decrypt messages. They can only communicate via a public channel. How is it possible that they agree on a common secret while their communication is accessible to the public? The idea is that this protocol takes advantage of the difficulty of solving the so-called Diffie-Hellman problem (see the end of this section).

First, Aïda and Bernardo agree on a finite field $\mathbb{F}_q$, on an elliptic curve $E$ and on a base point $B$. It is desirable that the order of $B$ has the same magnitude as the number of points of $E(\mathbb{F}_q)$. These parameters are publicly known, i.e. it is okay to use the public channel to appoint them:

1. Public: finite field $\mathbb{F}_q$, elliptic curve $E$, base point $B$.

2. Secret: Aïda $a$, Bernardo $b$. Aïda and Bernardo each choose an arbitrary integer individually and keep it secret, i.e. Aïda does not know $b$, and Bernardo does not know $a$.

3. Public: $aB$, $bB$. They calculate and publish $aB$ and $bB$, respectively.

4. Secret: $abB$. Aïda gets $bB$, knows $a$ and calculates $a(bB) = abB$. Similarly, Bernardo computes $b(aB) = abB$.

Now they share the information $abB$. Is it really a secret? Eve, observing the communication channel of Aïda and Bernardo, would get $aB$ and $bB$ (of course, she would also know $B$ together with $\mathbb{F}_q$ and $E$). Is it possible to determine $abB$ from $aB$, $bB$, $B$? This is believed to be a hard problem, and it is called the Diffie-Hellman problem. Anyone able to solve this problem would be able to crack the Diffie-Hellman protocol. A related problem is the so-called Discrete Logarithm Problem (DLP), which will be discussed later.
2.3 Analog of Massey-Omura
The Massey-Omura protocol for $(\mathbb{Z}/n\mathbb{Z})^*$ is discussed in [6], p. 100. In this section, we will describe the protocol adapted to elliptic curves. Alice intends to send a secret message to Bob. As discussed in the introduction of this chapter, the Massey-Omura protocol has some disadvantages, namely that more back-and-forth communication is required and the number of points of the elliptic curve must be known.

Setup

1. Public: $\mathbb{F}_q$: finite field, $E$: elliptic curve, $N$: number of points on $E$.

2. Secret: encryption key of Alice $e_A$, encryption key of Bob $e_B$. Alice and Bob individually choose an arbitrary secret integer between 1 and $N$ such that this integer and $N$ are coprime.

3. Secret: decryption key of Alice $d_A$, decryption key of Bob $d_B$. Both compute their corresponding decryption key $d_A \equiv e_A^{-1} \pmod N$, respectively $d_B \equiv e_B^{-1} \pmod N$, using Euclid's algorithm.

Alice sends a secret message $m$ to Bob.

1. Secret: Alice's $m$: message represented as an integer, $M \in E$: encoded message.

2. Public: $e_A M$. Alice encrypts the encoded message $M$ in order to send it to Bob.

3. Public: $e_B(e_A M) = e_A e_B M$. Bob multiplies the point $e_A M$ by his encryption key.

4. Public: $d_A(e_A e_B M) = e_B M$. Alice multiplies the point by her decryption key. (This works because $d_A e_A \equiv 1 \pmod N$ and $NP = 0$ for every point $P \in E$, so $d_A e_A P = P$.)

5. Secret: $d_B(e_B M) = M$. Bob multiplies the point by his decryption key, receiving the encoded message.

Eve, observing the communication channel of Alice and Bob, perceives $e_A M$, $e_A e_B M$, $e_B M$. If Eve is able to determine $e_A$ from these three points, then she can compute the decryption key $d_A \equiv e_A^{-1} \pmod N$, like Alice did, breaking the Massey-Omura protocol by computing $M = d_A(e_A M)$.
2.4 Analog of ElGamal
We will discuss the ElGamal protocol adapted to elliptic curves. The version of this protocol for $(\mathbb{Z}/n\mathbb{Z})^*$ is described in [6], pp. 100–101. Anuita would like to send a secret message, represented by the point $M$, to Björn. Instead of the number of points of the elliptic curve $E$, we need a base point $B$ of high order (desirably of the same magnitude as $\#E$).

1. Public: $\mathbb{F}_q$: finite field, $E$: elliptic curve, $B$: base point in $E$.

2. Secret: Anuita $a_A$, Björn $a_B$: secret keys of Anuita and Björn. Both choose an arbitrary integer individually.

3. Public: $a_B B$. Björn computes and publishes this point.

4. Public: $a_A B$, $M + a_A(a_B B)$. Anuita computes and publishes these two points.

5. Secret: $M + a_A(a_B B) - a_B(a_A B) = M$. Björn recovers the encoded message $M$.

Open to the public are the points $B$, $a_B B$, $a_A B$, $M + a_A a_B B$. Is it possible to determine $M$ from these points?

Notice that this algorithm uses the Diffie-Hellman protocol: the point $a_A a_B B$ masks the message $M$. Consider $a_A a_B B$ as a common secret of Anuita and Björn. Determining $M$ from the four points mentioned above is equivalent to computing the mask point $a_A a_B B$.
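The group law of Section 2.1 (the formulas of Lemma 2.1.3), the repeated-doubling method of Example 2.1.4, and the three protocols of Sections 2.2 to 2.4 are run end to end in the following added example. It is not code from the thesis: the curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{97}$, the base point (the first affine point found) and the seeded secret integers are constructed toy values, far too small for real use, and the point count $\#E(\mathbb{F}_p)$ is done by exhaustion in place of Schoof's algorithm.

```python
"""Curve arithmetic over F_p (Lemma 2.1.3, repeated doubling) and the three protocols
of Chapter 2 on a toy curve.  Added example; all parameters are constructed for illustration."""
import math
import random
from collections import Counter

INF = None  # the point at infinity, written 0 in the text


class Curve:
    """y^2 = x^3 + a*x + b over F_p with p > 3, so the Weierstrass normal form applies."""

    def __init__(self, p, a, b):
        if p <= 3 or (4 * a**3 + 27 * b**2) % p == 0:
            raise ValueError("need p > 3 and a cubic without multiple roots")
        self.p, self.a, self.b = p, a % p, b % p

    def contains(self, P):
        if P is INF:
            return True
        x, y = P
        return (y * y - (x**3 + self.a * x + self.b)) % self.p == 0

    def neg(self, P):
        """Reflection across the x-axis gives the inverse."""
        return INF if P is INF else (P[0], -P[1] % self.p)

    def add(self, P, Q):
        """Chord-and-tangent addition, using the formulas of Lemma 2.1.3."""
        p = self.p
        if P is INF:
            return Q
        if Q is INF:
            return P
        x1, y1 = P
        x2, y2 = Q
        if x1 == x2 and (y1 + y2) % p == 0:
            return INF  # vertical chord (or tangent with y1 = 0): P + (-P) = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, p) % p  # tangent slope
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord slope
        x3 = (lam * lam - x1 - x2) % p
        y3 = (lam * (x1 - x3) - y1) % p
        return (x3, y3)

    def mul(self, e, P):
        """eP by repeated doubling: O(log e) group operations, as in Example 2.1.4."""
        R = INF
        for bit in bin(e)[2:]:  # scan e from its most significant bit downwards
            R = self.add(R, R)
            if bit == "1":
                R = self.add(R, P)
        return R

    def order(self):
        """#E(F_p) by exhaustive counting; a stand-in for Schoof's algorithm at toy size."""
        roots = Counter(y * y % self.p for y in range(self.p))  # value -> number of square roots
        return 1 + sum(roots[(x**3 + self.a * x + self.b) % self.p] for x in range(self.p))

    def some_point(self):
        """First affine point in lexicographic order; used as base point in the demos."""
        return next((x, y) for x in range(self.p) for y in range(self.p) if self.contains((x, y)))


def naive_mul(E, e, P):
    """eP by e additions; only used to cross-check Curve.mul."""
    R = INF
    for _ in range(e):
        R = E.add(R, P)
    return R


def diffie_hellman(E, B, seed=0):
    """Section 2.2: (Aida's abB, Bernardo's abB), each computed from the other's public point."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    a, b = rng.randrange(1, E.p), rng.randrange(1, E.p)  # secret
    aB, bB = E.mul(a, B), E.mul(b, B)  # public
    return E.mul(a, bB), E.mul(b, aB)


def massey_omura(E, N, M, seed=0):
    """Section 2.3: three-pass exchange; needs N = #E(F_p) to invert the keys mod N."""
    rng = random.Random(seed)

    def keypair():
        while True:
            e = rng.randrange(1, N)
            if math.gcd(e, N) == 1:
                return e, pow(e, -1, N)  # d = e^{-1} mod N (extended Euclidean algorithm)

    eA, dA = keypair()
    eB, dB = keypair()
    c1 = E.mul(eA, M)   # public: eA M
    c2 = E.mul(eB, c1)  # public: eA eB M
    c3 = E.mul(dA, c2)  # public: eB M, because dA eA = 1 mod N and N M = 0
    return E.mul(dB, c3)  # Bob recovers M


def elgamal(E, B, M, seed=0):
    """Section 2.4: the Diffie-Hellman secret aA aB B masks M."""
    rng = random.Random(seed)
    aB_ = rng.randrange(1, E.p)
    pubB = E.mul(aB_, B)  # Bjorn publishes aB B
    aA = rng.randrange(1, E.p)
    c1, c2 = E.mul(aA, B), E.add(M, E.mul(aA, pubB))  # Anuita publishes aA B and M + aA aB B
    return E.add(c2, E.neg(E.mul(aB_, c1)))  # Bjorn: M + aA aB B - aB aA B = M


if __name__ == "__main__":
    E = Curve(97, 2, 3)  # constructed toy parameters
    B, N = E.some_point(), E.order()
    M = E.mul(7, B)
    s1, s2 = diffie_hellman(E, B, 1)
    print("#E =", N, " NB =", E.mul(N, B), " 100B check:", E.mul(100, B) == naive_mul(E, 100, B))
    print("DH agree:", s1 == s2, " Massey-Omura:", massey_omura(E, N, M, 2) == M,
          " ElGamal:", elgamal(E, B, M, 3) == M)
```

Running the script prints the group order, confirms $NB = 0$ (Lagrange's theorem), checks the double-and-add result against 100 plain additions, and shows that each protocol ends with both parties holding the same point. The secrets are drawn below $p$ rather than below the order of $B$, which is enough for the demonstration; the security discussion in the text assumes a base point of large order, which this toy curve does not provide.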
Since $M$ can be anything, the point $M + a_A a_B B$ does not help to compute $a_A a_B B$ from $B$, $a_B B$, $a_A B$. Indeed, cracking this cryptosystem is equivalent to cracking the Diffie-Hellman protocol.

Chapter 3
Encoding
This chapter answers the question "How can we use an elliptic curve $E$ for encryption and decryption?", or more precisely "How can we connect messages we want to encrypt and decrypt to points on an elliptic curve?". Making this connection is called encoding. First, we will present an encoding algorithm, which requires a square test and involves computing square roots modulo $p$. As in the RSA algorithm, we represent a message as an integer $m$ in a certain interval, e.g. $0 \le m < M$, where $M \in \mathbb{Z}$. So we consider $M$ different possible messages.$^1$ If we want to do arithmetic on an elliptic curve, we have to somehow embed all possible messages into the elliptic curve, or more precisely into its points over a chosen and fixed finite field. In other words, we will represent every possible message as a point on our elliptic curve. Then, we will use the arithmetic of our elliptic curve, i.e. its group structure, to encrypt and decrypt the message. Note that we have to distinguish two steps. The first step is representing the message as a point on the elliptic curve (encoding), and the second step is the actual encryption. After Bob receives the encrypted message from Alice, he decrypts it to get the point on the elliptic curve representing the actual message. We want it to be easy to recover ("decode") the message from the point representing it.

$^1$ In practice, the length of a message can vary a lot, so it makes sense to divide a message into parts and to treat every part separately.
We require two properties for encoding:
• That it is injective, so that the inverse process (“decoding”) can be performed without loss of information.
• That “decoding”, i.e. recovering the message m from the encoded point, is easy to compute (e.g. we might get the message back from the x-coordinate of the point).
Usually, the encoding and decoding algorithm are publicly known, and so are the encryption and decryption algorithms. The only things which are kept secret are the secret keys.
3.1 An Encoding Algorithm
Now, let us look at an algorithm which represents each possible message as a point on a given elliptic curve. Unfortunately this algorithm is probabilistic, but we can make the probability that the encoding fails as small as we want. For simplicity, let us assume that our given finite field has characteristic $p \neq 2, 3$, so that our elliptic curve $E$ can be represented in Weierstrass normal form $y^2 = x^3 + ax + b$, where $a, b$ live in our given field. Furthermore, let us suppose that our field is $\mathbb{F}_p$, i.e. a finite field of order $p$. We have to make sure that we have enough points on our elliptic curve, one for each possible message. This means that our given field has to be large enough.

Let $m$ be the message we want to represent as a point on our elliptic curve. We take $x := m \bmod p$ to be the $x$-coordinate of our anticipated point. A problem is that $f(x) := x^3 + ax + b$ has to be a square modulo $p$ in order for $x$ to correspond to a point on the curve. The probability that $f(x)$ is a square modulo $p$ is roughly $1/2$, i.e. in half of the cases the chosen $x$-coordinate does not belong to a point on the elliptic curve.

Once we have fixed an $x$-coordinate, we calculate $f(x)$. Using a square test, we can check whether there is a point on the elliptic curve with this $x$-coordinate. If there is such a point, i.e. if $f(x)$ is a square modulo $p$, then we compute a square root of $f(x)$ modulo $p$ to obtain the $y$-coordinate, and then take $(x, y)$ as the point on $E$ representing the message; in other words, the encoded message is $(x, y)$.$^2$ But in half of the cases the square test will tell us that $f(x)$ for the chosen $x$-coordinate is not a square modulo $p$. So we have a failure probability of 50%, which is very high. What do we do if we want to increase the probability that the encoding does not fail, i.e. that the chosen $x$-coordinate yields a point on $E$? Let us assume that we are satisfied with a failure probability of $1/2^\kappa$, where $\kappa$ is big enough.$^3$

So far, one message, represented as an integer, corresponds to one $x$-coordinate. Now suppose that one message is allowed to correspond to $\kappa$ different $x$-coordinates. Then we can try each of the $\kappa$ $x$-coordinates corresponding to the message and check whether they belong to a point on $E$. This certainly decreases the failure probability. The idea is to space out the possible messages. Instead of taking the possible messages $0, 1, 2, 3, \ldots, M-1$ to encode, we take $0, \kappa, 2\kappa, 3\kappa, \ldots, (M-1)\kappa$. Between $m\kappa$ and $(m+1)\kappa$ we have $\kappa$ different numbers, from $m\kappa + 1$ to $(m+1)\kappa$, representing the message $m$. We try to encode $m\kappa + 1$. If this fails, we continue with $m\kappa + 2$, then $m\kappa + 3$. We repeat this until we successfully encode or until we fail to encode $m\kappa + \kappa$. There are at most $\kappa$ encoding attempts for the message $m$. Assuming probabilistic independence, we get a failure probability of $1/2^\kappa$. Note that we do not try to find a square root of $m\kappa + 1, m\kappa + 2, \ldots$ modulo $p$, but of $f(m\kappa + 1), f(m\kappa + 2), \ldots$. For decoding to be injective we need $M\kappa < p$, so that none of the candidates $m\kappa + j$ wraps around modulo $p$; the message is then recovered from the $x$-coordinate as $m = \lfloor (x-1)/\kappa \rfloor$.

$^2$ Note that we have to decide which square root of $f(x)$ we choose for $y$.
$^3$ In practice, $\kappa = 30$ or $\kappa = 50$ is enough.
Algorithm 3.1.1 Encoding

Fixed: prime number $p \neq 2, 3$; elliptic curve $E$ in Weierstrass normal form $y^2 = x^3 + ax + b$; error tolerance $2^{-\kappa}$
Input: message $m$ with $0 \le m < M$, and $M \in \mathbb{Z}$
Output: encoded point $P$

    for j = 1 to κ do
        x := mκ + j mod p, with 0 ≤ x < p
        calculate f(x) := x^3 + ax + b ∈ F_p
        if f(x) is a square mod p then      // need square test modulo p
            y := square root of f(x) mod p  // need to calculate square root mod p
            return P := (x, y)              // finish algorithm and return encoded message as point
    end for
    return "algorithm failed"               // found no point on E
Why do we first test whether $f(x)$ is a square, and only then calculate a square root? Would it not be quicker to calculate a square root directly (which would fail if we did not have a square), without a prior square test? No, it would not. In the following sections, we will discuss a square test with running time $O(\log^2 p)$ and an algorithm to compute the square root with running time $O(\log^4 p)$. Here, $\log^2 p$ means $(\log p)^2$, not $\log\log p$. With the prior square test, we have a running time of $O(\kappa \log^2 p + \log^4 p)$, since at most one square root is computed. If we leave out the square test, we get a running time of $O(\kappa \log^4 p)$. Though both variants yield a running time of $O(\log^4 p)$ for fixed $\kappa$, we should prefer the prior square test, since $\kappa \log^2 p + \log^4 p$ is better than $\kappa \log^4 p$.
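As an added example (not code from the thesis), here is Algorithm 3.1.1 in Python. The thesis' own square test and square-root routine are the subject of Sections 3.2 and 3.3; in their place this code uses Euler's criterion for the square test and the Tonelli-Shanks algorithm for the square root, both standard choices. The curve $y^2 = x^3 + 2x + 3$ over $\mathbb{F}_{10009}$ and the message range are constructed toy parameters. The code enforces $M\kappa < p$ so that $x = m\kappa + j$ never wraps modulo $p$ and decoding $m = \lfloor (x-1)/\kappa \rfloor$ is injective, and it counts encoding failures for several $\kappa$ to show the $2^{-\kappa}$ behaviour.

```python
"""Algorithm 3.1.1: message -> point on y^2 = x^3 + a x + b over F_p.
Added example; Euler's criterion and Tonelli-Shanks stand in for the routines of
Sections 3.2 and 3.3.  All parameters below are constructed for illustration."""


def is_square_mod_p(a, p):
    """Euler's criterion: a is a square mod p iff a = 0 or a^((p-1)/2) = 1 (p an odd prime)."""
    a %= p
    return a == 0 or pow(a, (p - 1) // 2, p) == 1


def sqrt_mod_p(a, p):
    """Tonelli-Shanks: one square root of a mod p; the caller must first check is_square_mod_p."""
    a %= p
    if a == 0:
        return 0
    if p % 4 == 3:
        return pow(a, (p + 1) // 4, p)  # cheap special case
    q, s = p - 1, 0
    while q % 2 == 0:  # write p - 1 = q * 2^s with q odd
        q, s = q // 2, s + 1
    z = 2
    while pow(z, (p - 1) // 2, p) != p - 1:  # find any quadratic non-residue
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(a, q, p), pow(a, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:  # least i with t^(2^i) = 1
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def encode(m, p, a, b, kappa):
    """Try x = m*kappa + j for j = 1..kappa; return the first curve point found, else None."""
    if (m + 1) * kappa >= p:
        raise ValueError("need M*kappa < p so that the candidates never wrap modulo p")
    for j in range(1, kappa + 1):
        x = m * kappa + j
        fx = (x**3 + a * x + b) % p
        if is_square_mod_p(fx, p):  # cheap test first; only then the costlier root
            y = sqrt_mod_p(fx, p)
            return (x, min(y, (p - y) % p))  # fix one of the two roots (footnote 2)
    return None


def decode(P, kappa):
    """Inverse of encode: the message is read off the x-coordinate alone."""
    return (P[0] - 1) // kappa


def failures(p, a, b, kappa, M):
    """Number of messages 0 <= m < M that encode fails on for this kappa."""
    return sum(encode(m, p, a, b, kappa) is None for m in range(M))


if __name__ == "__main__":
    p, a, b = 10009, 2, 3  # constructed toy parameters
    for kappa in (1, 2, 4, 8, 30):
        print(f"kappa={kappa:2d}: {failures(p, a, b, kappa, 100):3d} of 100 messages fail to encode")
    P = encode(42, p, a, b, 30)
    print("encode(42) =", P, " decode ->", decode(P, 30))
```

With $\kappa = 1$ roughly half of the 100 messages fail, and the failure count drops towards zero as $\kappa$ grows, matching the $1/2^\kappa$ estimate. The square test is run before the root computation for the cost reason given above: a Tonelli-Shanks call on a non-square would loop on the wrong coset, so the test is also what makes the root routine safe to call.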
3.2 Square Test
Given an integer $a$ and a prime number $p \neq 2, 3$, we want to know whether $a$ is a square modulo $p$, i.e. whether there is an $x \in \mathbb{Z}$ such that $x^2 \equiv a \pmod p$. We remind the reader of the Legendre symbol:
$$\left(\frac{a}{p}\right) = \begin{cases} 1 & \text{if } a \text{ is a square modulo } p \text{ and } a \not\equiv 0 \pmod p, \\ 0 & \text{if } a \equiv 0 \pmod p, \\ -1 & \text{otherwise.} \end{cases}$$

We only have to compute the Legendre symbol in order to test whether we have a square. The quadratic reciprocity law is very useful for computing the Legendre symbol, but it requires that the top is a prime number:
$$\left(\frac{p}{q}\right) = (-1)^{\frac{p-1}{2}\cdot\frac{q-1}{2}}\left(\frac{q}{p}\right) \qquad \text{for } p \text{ and } q \text{ odd primes.}$$

Do we therefore need to factor the number $a$ into its prime factors? Since this is in general very hard to compute, we hope that there is a way to avoid factorization. The Kronecker symbol$^4$, which is a generalization of the Legendre symbol, helps to compute $\left(\frac{a}{p}\right)$ without knowing the prime factorization of $a$. While the Legendre symbol expects an odd prime number at the bottom, the