Elliptic Curves Guilhem Castagnos September – December 2020 last updated: August 29, 2020 Contents I The Discrete Logarithm Problem 1 1 Bibliography . 1 2 Asymmetric and Symmetric Cryptography . 1 3 The Discrete Logarithm Problem . 2 3.1 Definitions . 2 3.2 Algorithms for Computing Discrete Logarithms . 3 II First Cryptographic Applications 9 1 Diffie-Hellman (76) . 9 2 Elgamal Encryption (84) . 9 3 Digital Signature . 10 3.1 Definition . 10 3.2 Elgamal Signature (84) . 10 4 Elliptic Curve Cryptography . 11 4.1 ECDSA. 11 4.2 EC-Schnorr . 12 4.3 How to generate an elliptic curve suitable for cryptography . 12 III Pairings for Cryptography 15 1 Weil and Tate Pairings . 15 2 MOV Attack . 17 3 Pairing Friendly curves . 18 IV Some Pairing-based Cryptographic Protocols 19 – iii – CONTENTS – iv – Chapter I The Discrete Logarithm Problem 1. Bibliography • In French: Courbes elliptiques - Une présentation élémentaire pour la cryptographie, Philippe Guillot, Édi- tions Hermes-Lavoisier, (2010) • Elliptic Curves and Their Applications to Cryptography — An Introduction, Andreas Enge, Kluwer Aca- demic Publishers (1999), Bilinear pairings on elliptic curves, Andreas Enge, L’Enseignement Mathéma- tique, https://hal.inria.fr/hal-00767404/ (2015) • Handbook of Elliptic and Hyperelliptic Curve Cryptography, Henri Cohen, Gerhard Frey, Chapman & Hall/CRC (2006) • ThearithmeticofEllipticCurves, Joseph H. Silverman, Springer, 2nd Edition (2009), in particular chap- ter XI, Algorithmic Aspects of Elliptic Curves • Mathematics of Public Key Cryptography, Steven Galbraith, Cambridge University Press (2012), in par- ticular Part II Algebraic Groups and Part V Cryptography Related to Discrete Logarithms 2. Asymmetric and Symmetric Cryptography In cryptography, Elliptic Curves are mainly used for asymmetric cryptography. Differences between Symmetric and Asymmetric Cryptography: For example, encryption Schemes : to protect confidentiality between Alice and Bob. – 1 – Chapitre I : The Discrete Logarithm Problem Symmetric Encryption Scheme Oscar Alice Bob 푠푘 푠푘 Encrypt Decrypt 푠푘(푚A) = 푐A 푠푘(푐A) = 푚A Encrypt Decrypt 푠푘(푚B) = 푐B 푠푘(푐B) = 푚B 푚A, 푚B: plaintexts (messages clairs), 푐A, 푐B: ciphertexts (messages chiffrés), Encrypt : encryption scheme (Algorithme de chiffrement), Decrypt : decryption scheme (Algorithme de déchiffrement), 푠푘: secret or private key Asymmetric Encryption Scheme Bob Alice 푝푘, 푠푘 Encrypt (푚) = 푐 Decrypt 푝푘 푠푘(푐) = 푚 푝푘: public key, 푠푘: private key Symmetric vs Asymmetric Symmetric cryptography: security is based on the size of the key (only attack must be exhaustive search: 푘 bits key, 2푘 operations), Fast, Encryption (e.g. AES), MAC (for integrity and authentication), Hash Functions (for integrity, e.g. the SHA family),… Asymmetric cryptography: security is based on the difficulty of on algorithmic problem. Key size is chosen in order to make this problem intractable. Slower than symmetric cryptography, Key exchange (e.g. Diffie-Hellman), Encryption (e.g. RSA), Digital Signature (e.g. DSA, for integrity, authentication and non repudiation). Security of cryptosystems based on elliptic curves mostly rely on algorithmic problems related to the discrete logarithm problem. 3. The Discrete Logarithm Problem 3.1. Definitions 2 3 푛 We consider a cyclic group of order 푛, (G, ×) generated by 푔 ∈ G, i.e., ⟨푔⟩ = {푔, 푔 , 푔 , … , 푔 = 1} = G. In general, 푛 will be a prime number (cf. Pohlig–Hellman Algorithm). – 2 – 3. The Discrete Logarithm Problem Examples × × For example a subgroup of (Z/푝Z) with 푝 prime. (Z/푝Z) is cyclic of order 푝 − 1. If 푛 divides 푝 − 1, there × 푑 × exists 푔 ∈ (Z/푝Z) of order 푛. More generally, a subgroup of a finite field F푞 (푞 = 푝 ) as (F푞) is cyclic of order 푞 − 1. The group of points of an Elliptic Curve. Order is by Hasse: |E(F푞) − (푞 + 1)| ⩽ 2√푞, then we consider a subgroup of prime order 푛. In this case, we will use additive notations: (G, +) with G = {P, 2P, 3P, … , 푛P = O}. The Discrete Logarithm Problem Let ℎ ∈ 푔. Weknow that ℎ = 푔푥 for some 푥. Finding 푥 is solving the Discrete Logarithm Problem. Wewill denote 푥 = log푔(ℎ). We can define 푥 modulo 푛: Let us consider the group morphism 푒푥푝푔 ∶ (Z/푛Z, +) → 푎 푎 푏 (G, ×), 푎 ↦ 푔 . It is well-defined: if 푎 = 푏 + 푘푛, 푒푥푝푔(푎) = 푔 = 푔 = 푒푥푝푔(푏). It is a morphism : 푒푥푝푔(푎 + 푏) = 푒푥푝푔(푎) × 푒푥푝푔(푏). It is an isomorphism (a bijective morphism): same number of elements and injective: 푒푥푝푔(푎) = 1, 푛 ∣ 푎, so 푎 = 0. The discrete logarithm is the inverse function, so it is a morphism from (G, ×) to (Z/푛Z, +). Properties If 푔 and 푔′ are two generators then 푔′ = 푔푎 with 푎 invertible modulo 푛: indeed, there exits also 푏 such that 푏 푔 = 푔′ = 푔푎푏, so 푎푏 ≡ 1 mod 푛. Conversely, if ℎ = 푔푎 with 푎 invertible then ℎ is a generator: if ℎ푏 = 1 then 푔푎푏 = 1 so 푎푏 ≡ 0 and 푏 ≡ 0. ′ 푎 ′푏 Change of generator: If 푔, 푔 are two generators, ℎ = 푔 et ℎ = 푔 , i.e., log푔(ℎ) = 푎 and log푔′ (ℎ) = 푏. We ′ ′ 푐 푏푐 푎 ′ denote 푐 = log푔 푔 . Then 푔 = 푔 so ℎ = 푔 = 푔 and 푎 ≡ 푏푐. As a result, log푔(푔) = log푔′ (ℎ) × log푔 푔 , or ′−1 ′ log푔′ (ℎ) ≡ log푔(푔) log푔 푔 where this last term is invertible because 푔 is a generator. As a result, if we know how to compute discrete logarithms in basis 푔 then we can do it in basis 푔′. The difficulty of computing discrete logarithms only depends on the group and not on the generator chosen. Remark that the discrete logarithm problem can be easy: For example in G = (Z/푛Z, +). 푔 is a generator if and only if gcd(푔, 푛) = 1. Indeed, we know that 1 is a generator as G = {1, 2, 3, … , 푛 = 0} = {1, 2 × 1, 3 × 1, 푛 × 1 = 0}. From what we saw, the others generators are the 푎 × 1 with 푎 invertible modulo 푛. Then −1 (Z/푛Z, +) = G = 푔, 2푔, 3푔, … 푛푔 = 0. If ℎ ∈ Z/푛Z, ℎ ≡ 푥푔, 푥 ≡ ℎ푔 computable in polynomial time with a simple extended Euclidean algorithm. 3.2. Algorithms for Computing Discrete Logarithms First we see some generic algorithms that work for all cyclic group G of order 푛: the naive algorithm, The Baby Step Giant Step method , the ρ method of Pollard, and the Pohlig–Hellman algorithm that reduce computing discrete logarithm in a group of order 푛 to computing logarithm in subgroups of order 푝 where 푝 is prime and 푝 divides 푛. By a theorem of Shoup (97), an algorithm that solve the discrete logarithm in G must do at least 풪 (√푛) operations in G. The Naive Algorithm ℎ = 푔푥, 푥? Compute 푔, 푔2, 푔3,… . Complexity, 풪 (푛) multiplications in G With memory: We pre-compute all the (푔푖, 푖) and store them in a list, sorted we respect to the 푔푖 (by using a binary representation of the elements of G for instance). Complexity: 풪 (푛) multiplications in G, 풪 (푛) elements of G in memory, sorting algorithm complexity : 풪 (푛 log(푛)) Then to compute 푥 s.t. ℎ = 푔푥, we look for ℎ in the list: complexity: 풪 (log(푛)) – 3 – Chapitre I : The Discrete Logarithm Problem Baby Step/Giant Step Usually credited to Shanks 1971. Time-memory trade-off. ℎ = 푔푥 푥? 푥 푚 푗 푖 −1 푖 푚 푗 Let 푚 = ⌈√푛⌉ and 푥 = 푖 + 푚푗 with 0 ⩽ 푖, 푗 < 푚. We have ℎ = 푔 = (푔 ) 푔 . So ℎ(푔 ) = (푔 ) . 푚 푗 Pre-computations: a list of ((푔 ) , 푗) with 푗 < 푚 sorted with respect to the first coordinate: 풪 (√푛) memory, and 풪 (√푛 log(푛)) for the sorting algorithm. −1 −1 2 Then we compute ℎ, ℎ푔 , ℎ(푔 ) , ... and look for this element in the list. Worst case: 풪 (√푛) multipli- cations and complexity for 풪 (√푛 log(푛)) the searches. Pollard ρ Pollard 1978 Same time complexity but quasi no memory. Probabilistic Algorithm: Sometimes no result is found. ′ ′ ′ ′ We look for integers modulo 푛 s.t. 푔푖ℎ푗 = 푔푖 ℎ푗 . Then 푔푖−푖 = ℎ푗 −푗. So 푖 − 푖′ ≡ 푥(푗′ − 푗) and if (푗′ − 푗) is invertible modulo 푛, we find 푥. To find these integers, one can store all the tuples (푔푖ℎ푗, 푖, 푗) sorted with respect to the first coordinates, with random 푖 and 푗. If one finds two times the same element of G (a collision), the discrete logarithm can be extracted as above. By the birthday paradox with a good probability,there will be a collision for around √푛 random choices. Wedraw uniformly 푘 elements in a set of 푛 elements. Let 푝(푘) the probability that there is a collision. The probability that all the elements are different is 1 2 푘 − 1 푘−1 푖 1 − 푝(푘) = ￶1 −  ￶1 −  … ￶1 −  = ﾟ ￶1 −  푛 푛 푛 푖=1 푛 −푥 ∏푘−1 −푖/푛 −푘(푘−1)/2푛 −(푘−1)2/2푛 As 1 − 푥 ⩽ 푒 for all 푥 ∈ R, 1 − 푝(푘) ⩽ 푖=1 푒 = 푒 ⩽ 푒 . As a result, there is a collision −(푘−1)2/2푛 with probability at least 푓(푘) ∶= 1 − 푒 . For 푘0 = 1 + √−2푛 log(1 − A), one has A = 푓(푘0). So for 푘 ⩾ 푘0, one has 푝(푘) ⩾ 푓(푘) ⩾ 푓(푘0) = A. As a result, for the probability to be at least 1/2, one must draw 1 + √2푛 log 2 ≈ 1.177√푛 elements (for a probability greater than 0.99, this gives 3.03√푛 elements). For the classical birthday problem, 푛 = 365, and we have a probability 1/2 of having two people with the same birthday for a set of 1 + √2 × 365 log 2 ≈ 23.49 people (In fact 23 is sufficient). More generally, one can show that the expected number of elements to be drawn until a collision is found is less than √π푛/2 + 2 ≈ 1.253√푛.