Talk given at Devoxx UK 2014
Caveat - without the video these slides can be taken out of context, see Parleys for the full video.
RSA is the oldest kid in the public-key cryptography playground, and its position as toughest and fastest is under sharp competition from ECC (Elliptic Curve Cryptography). We look at the mathematical difference between the two cryptosystems, showing why ECC is faster and “harder” than RSA at a given key size, and also very energy efficient, hence its unique advantage in the mobile space. We show how to use ECC in your Java and Android applications, before finally summarising the “state of the union” for RSA and ECC in the light of the Snowden leaks, and the likely near future for public-key cryptography.
5. Objectives
the basics: terminology, concepts, etc
symmetric vs. asymmetric cryptography
RSA overview
theory of elliptic curves
elliptic curve cryptography (ECC)
RSA vs. ECC (performance, security, etc)
using ECC
ECC “in the wild”
Friday, 11 July 2014
14. Please Note
Aim: to provide enough basic information to “springboard” your own forays into cryptography
No:
History lessons (but maybe a tangent or two)
Proofs - rigorous or otherwise
Key exchange protocols
I work for Cisco but all the views in this presentation are mine and do not reflect the views of Cisco.
8. All Hail Claude Shannon
Godfather of:
- Communication theory
- Information Theory
- Digital Computing & Digital Circuit Design
- Modern cryptography
Proved that the cryptographic one-time pad
is unbreakable
"the enemy knows the system"
9. Terminology
A plaintext document is encrypted with a
cipher to produce ciphertext
Decryption is the reverse of encryption
A cipher may utilise 1 or more keys
12-15. Cryptanalysis can be classified by:
Computational resource requirements
Degree of information exposure
Degree of cryptosystem penetration
Do not underestimate: stupidity, spies, traitors and other forms of social engineering
16-18. Diffusion & Confusion
Diffusion is a measure of the difference between the statistical structure of the plaintext and the ciphertext
Confusion is a measure of the complexity of the relationship between the ciphertext and the key(s)
19. Kerckhoffs’s Principle (Auguste Kerckhoffs)
“A cryptosystem should be secure even if everything about the system, except the key, is public knowledge”
23. Cryptographic Standards
Created by “trusted” authorities, e.g. NIST (US), ENISA (EU), CESG/HMG (UK)
Define specific implementations of algorithms & protocols, including:
key sizes
random number & seed generators
algorithm parameters
Allow in-depth, public cryptanalysis
Ensure interoperable support in hardware and software applications
42. Turing Machines
S - set of symbols
Q - set of states
q0 - the initial state, q0 ∈ Q
F - the set of final states, F ⊆ Q
δ - the transition function
43. Decisions, Decisions, Decisions
Given some formal system, a decision problem is a question about its inputs whose answer is either yes or no. E.g.
Given any 2 integers x and y, is (x/y) mod 2 = 0?
Is the real part of any non-trivial zero of the Riemann zeta function 1/2?
Does a given algorithm return a value within a finite amount of time?
44. P & NP
Decision problems in P can be solved in polynomial time on a deterministic Turing machine.
sorting lists, shortest path problem
A decision problem is in NP if it can be solved in polynomial time on a non-deterministic Turing machine; equivalently, a “yes” answer can be verified in polynomial time on a deterministic one.
multi-body collision detection
Every problem in P is also in NP; whether the converse holds is the open P vs. NP question.
45. NP-Hard & NP-Complete
Not all problems in NP are equal!
NP-complete problems are “the hardest
problems in NP”
A decision problem D is NP-complete if:
1. D is in NP
2. Every problem in NP is reducible to D
in polynomial time
If only (2) is true then D is NP-hard
48. RSA
Is a fundamental part of HTTPS/SSL
Based on the Integer Factorisation Problem
Believed to be in NP and co-NP but not NP-complete
A factor is a number that divides evenly into another number, e.g.
20 has factors { 1, 2, 4, 5, 10, 20 }
49. Primes, Co-Primes
A prime number is a natural number
greater than 1 with no positive divisors
except itself and 1
Two numbers p, q are co-prime iff the
greatest common divisor is 1, i.e
gcd(p,q) = 1
Examples:
gcd(15, 10) = 5
gcd(16, 10) = 2
gcd(17, 10) = 1
50. Integer Factorisation Problem
The fundamental theorem of arithmetic proves every integer greater than 1 has a unique prime decomposition:
n = p₁^e₁ · p₂^e₂ · … · pₖ^eₖ
where the pᵢ are distinct primes and the eᵢ are positive integers
Examples:
15 = 5 · 3
20 = 5 · 2²
The problem: given n, find the pᵢ. Multiplying is easy; splitting is believed to be hard.
51. Totatives & Euler’s Totients
A number t is a totative of n iff
0 < t < n and gcd(t,n) = 1
Euler’s totient function of a number n is
given by φ(n) = |T(n)|, where T(n) is the
set of all totatives of n
Example: if n = 9, then
T(n) = {1, 2, 4, 5, 7, 8}
φ(9) = |T(9)| = 6
52. RSA Key Generation
Choose two distinct prime numbers p and q
Compute n = pq
Compute φ(n) = φ(p) φ(q) = (p − 1)(q − 1)
Choose an integer e s.t. 1 < e < φ(n) & gcd(e, φ(n)) = 1
Compute d = e^−1 (mod φ(n)), i.e. e · d ≡ 1 (mod φ(n))
Public Key = (e, n)
Private Key = (d, n); p, q and φ(n) must be kept secret or discarded
53. Encryption
Given a message M, convert it to an integer m s.t. 0 < m < n using a padding protocol; the ciphertext c is generated by:
c = m^e (mod n)
Decryption
Given a ciphertext c compute
m = c^d (mod n)
and recover M by reversing the padding protocol on m
54. Caution!
Picking the prime numbers is hard
If p or q is too small, or p and q are too close to each other, security collapses: Fermat’s method recovers p and q in a few steps when |p − q| is small
If p − 1 or q − 1 has only small prime factors, Pollard’s p − 1 method factors n quickly (its cost grows with the largest prime factor of p − 1, not with the size of n)
Generate p and q with a CSPRNG and check them with a proper primality test
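A worked version of slides 52-54, as an added Python example (not code from the talk): textbook RSA key generation, encryption and decryption, plus the two attacks the Caution slide warns about. The primes (61/53, 1000003/1000033, 1021), messages and search bounds are constructed for illustration; real keys use primes of about 1024 bits and a padding scheme such as OAEP, which is deliberately omitted here.

```python
"""Textbook RSA (slides 52-53) and the two slide-54 pitfalls.  Constructed
example: toy-sized primes, no padding; real RSA needs ~1024-bit primes from a
CSPRNG and a padding scheme such as OAEP."""
from math import gcd, isqrt


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(a, m):
    """a^-1 mod m, the step that turns e into d on slide 52."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no inverse: gcd(a, m) != 1")
    return x % m


def rsa_keygen(p, q, e=65537):
    """n = pq, phi(n) = (p-1)(q-1), d = e^-1 mod phi(n).  Public (e, n), private (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = modinv(e, phi)                      # raises if gcd(e, phi) != 1
    return (e, n), (d, n)


def rsa_encrypt(pub, m):
    e, n = pub
    if not 0 < m < n:
        raise ValueError("message must be an integer in (0, n): pad it first")
    return pow(m, e, n)                     # c = m^e mod n


def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)                     # m = c^d mod n


def fermat_factor(n, max_steps=10**6):
    """Pitfall 1: p and q too close.  Write n = a^2 - b^2 = (a-b)(a+b); when
    |p - q| is small, a = (p+q)/2 sits just above sqrt(n) and is found in a
    handful of steps.  Returns (p, q), or None if the step budget runs out."""
    a = isqrt(n) + 1
    for _ in range(max_steps):
        b = isqrt(a * a - n)
        if b * b == a * a - n:
            return a - b, a + b
        a += 1
    return None


def pollard_p_minus_1(n, bound=100):
    """Pitfall 2: p - 1 has only small prime factors.  Then p - 1 divides k!
    for a small k, so a^(k!) = 1 (mod p) by Fermat and gcd(a^(k!) - 1, n)
    exposes p.  Returns (p, q), or None if nothing is found below the bound
    (or both p-1 and q-1 are smooth, so gcd jumps straight to n)."""
    a = 2
    for k in range(2, bound):
        a = pow(a, k, n)                    # a = 2^(k!) mod n, built incrementally
        g = gcd(a - 1, n)
        if 1 < g < n:
            return g, n // g
        if g == n:
            return None
    return None
```

With p = 1000003 and q = 1000033, fermat_factor succeeds on its first iteration; with p = 1021 (p − 1 = 2² · 3 · 5 · 17) and q = 1000003, pollard_p_minus_1 recovers 1021 by k = 17 while Fermat's method gets nowhere, which is the point of the Caution slide: the attacks exploit structure in the primes, not the size of n.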
55. Theory-based Attacks
Trial division
Euler’s algorithm
Fermat’s algorithm
Wheel factorisation
Quadratic sieve
General number field sieve
Pollard’s ρ algorithm
Shor’s algorithm
58. Abstract Algebra
An algebraic structure is composed of one
or more sets with one or more n-ary
functions defined on them.
Underpins a great deal of modern
sciences: codes, symmetries, dynamical
systems
A beautiful example of mathematics at
work
59. NOTA BENE! !
Mathematics is a precise language, the
notation less so
Different branches of maths use the same
symbol to mean different things
There are some “rules” which if you don’t know
can be confusing
In abstract algebra we use + and • which are
not always numeric addition and multiplication
Mathematicians are lazy: a • b = ab
60. Groups
A group G is a pair G(S, •) where S is a set and • a binary operator that satisfies:
Closed: ∀ a, b ∈ S then a • b ∈ S
Associative: ∀ a, b, c ∈ S then (a • b) • c = a • (b • c)
Identity element: ∃ e ∈ S s.t. ∀ a ∈ S, e • a = a • e = a
Inverse element: ∀ a ∈ S, ∃ b ∈ S s.t. a • b = b • a = e
61. Abelian Groups
A group G(S, •) is an abelian group (or commutative group) if it also satisfies the commutativity condition:
∀ a, b ∈ S then a • b = b • a
62. A ring R is a tuple R(S,+,•) if it satisfies
the 8 ring axioms:
1-4 (S,+) is an abelian group
5-6 (S,•) is a monoid
7-8 distributivity
If the • operator is commutative then R is
a commutative ring
Rings
63. Fields
A field F is a tuple F(S, +, •) where (S, +) is an abelian group, (S \ {0}, •) is an abelian group (every non-zero element has a multiplicative inverse), and the distributivity property is satisfied, i.e.
∀ a, b, c ∈ S then:
a • (b + c) = (a • b) + (a • c)
(a + b) • c = (a • c) + (b • c)
Every field is a ring but not every ring a field: the integers ℤ form a ring but not a field, whereas ℤp with p prime is a field
65. Foreword
Elliptic curves have (almost) nothing to do
with ellipses, so put ellipses and conic
sections out of your thoughts
66. An elliptic curve E defined over a field k is a curve given by the equation
y² = x³ + Ax + B
where A, B, x, y are in k and
4A³ + 27B² ≠ 0
(this quantity is the discriminant ∆ up to a constant factor; if it were zero the curve would be singular).
We define E(k) as the set of all points (x, y) on E over k, together with the point at infinity Θ.
67. Lies Lies Lies
In general an elliptic curve is given by the (long) Weierstrass equation:
y² + Axy + By = x³ + Cx² + Dx + E
where A, B, C, D, E, x, y are in k
Over a field whose characteristic is not 2 or 3 (e.g. Zp with p > 3) a change of variables makes A, B, C zero, giving the short form on the previous slide; ∆ ≠ 0 is still required.
68. Elliptic Curves Over Prime Fields
An elliptic curve E defined over Zp is given by the equation
y² ≡ x³ + Ax + B (mod p)
with 4A³ + 27B² ≢ 0 (mod p)
where p is a prime number (p > 3), and Zp is the set of integers {0, ..., p−1} with modulo p arithmetic
71. Adding Points on a Curve
Given two points P and Q on an elliptic curve, how can we produce a 3rd point R = P + Q, also on the curve?
1. If P ≠ Q, draw a line between P and Q, extending it until it intersects the curve; if P = Q extend the tangent at P instead. This third intersection point is −(P + Q), or −R
2. Draw a line from the intersection parallel to the y-axis until it intersects the curve again at R = P + Q (i.e. reflect −R in the x-axis)
If the line in step 1 is parallel to the y-axis (Q = −P) there is no third intersection, and R = Θ
72-73. [Figure] Case 0: line between P & Q not parallel to the y-axis; the third intersection is −R, reflected to give R = P + Q
78-79. [Figure] Case 2: Q = −P, line between P & Q parallel to the y-axis; R = Θ
80. Point Addition
The set of all points on E over k, E(k), forms a group (E(k), +) under the point addition operator.
Recall, a group has the properties:
P + Θ = Θ + P = P [Identity element]
P + (−P) = Θ [Inverse element]
P + (Q + R) = (P + Q) + R [Associative]
P + Q ∈ E(k) [Closed]
for all P, Q, R ∈ E(k)
The group is also abelian: P + Q = Q + P
81. Point Multiplication
Multiplication of a point by a scalar integer n is defined by repeated addition:
n • P = P + P + ... + P (n times)
Examples:
2P = P + P
−3P = 3(−P) = (−P) + (−P) + (−P)
0P = Θ
n • P is computed by double-and-add in about log₂ n doublings and additions rather than n − 1 additions; this scalar multiplication is the operation that dominates ECC performance.
83. Elliptic curve cryptography uses elliptic
curves over finite fields
A prime curve is defined over Zp
A binary curve is defined over GF(2m)
Hardware implementations of binary curve
systems are both small & fast
Prime curves are typically used in
software implementations
84. Discrete Logarithm Problem
Problem: given x, y in some group G, find k such that x^k = y
Note that x^k = x • x • ... • x (k times)
If G is the group of points on an elliptic curve, written additively, we define the elliptic curve discrete logarithm problem (ECDLP) as:
given P, Q ∈ G find k where Q = k • P
85. ECDLP Complexity
The elliptic curve discrete logarithm problem is in NP and co-NP and not thought to be NP-complete or NP-hard
The best known generic attacks cost about √n group operations for a base point of order n, so security grows exponentially with key size
As key size increases, performance of implementations decreases
86. Domain Parameters
p: The prime number which defines the field Fp in which the curve operates. All coordinate arithmetic is done modulo p.
a, b: The two coefficients which define the curve y² = x³ + ax + b. These are elements of Fp.
G: The generator or base point. A fixed point on the curve from which every public key is derived.
n: The order of the base point G, i.e. the smallest n > 0 with n • G = Θ (prime for the standard curves).
h: The cofactor of the curve: the number of curve points #E(Fp) divided by n. A small cofactor (ideally h = 1) is required.
87. Key Generation
Generating a keypair for ECC is trivial. The private key is a random integer dA, such that
0 < dA < n
Then we generate the public key QA using scalar point multiplication of the private key with the generator point G:
QA = dA • G
Note that the public and private keys are not interchangeable (unlike in RSA, where both are integers): the private key dA is an integer, but the public key QA is a point on the curve.
Recovering dA from QA and G is exactly the ECDLP.
88. Encryption
First choose a random number r so that 0 < r < n
Then calculate the “session” point R by multiplying r with the generator point of the curve:
R = r • G
We also generate a secret using the public key of the recipient:
S = r • QA
Now R is publicly transmitted with the message, and from the point S (typically its x-coordinate, via a key derivation function) a symmetric key is derived with which the message is encrypted, e.g. using AES.
r must be fresh for every message and discarded afterwards; this construction is the basis of ECIES.
89. Decryption
Given an encrypted message and session point R, how do you recover S to decrypt the message?
S = dA • R
= dA • (r • G)
= r • (dA • G)
= r • QA
Only the holder of dA can do this; an eavesdropper who sees R and QA would have to solve the ECDLP to find r or dA.
90. Caution!
ECC security depends on:
Domain parameter generation and validation (poor curve choice, or accepting unvalidated parameters and points from a peer)
Key sizes (a small n puts the generic √n attacks within reach)
Even small differences in parameters can significantly change the security
91. Theory-Based Attacks (cost in group operations, n = order of G)
Brute force O(n)
Baby-step giant-step O(√n) time, but also O(√n) memory
Pollard’s ρ algorithm for logarithms ≈ √(πn/2) ≈ 1.25√n expected (≈ 0.89√n with the negation map), negligible memory
Index-calculus / function field sieve methods: sub-exponential for the finite-field DLP, but not applicable to well-chosen elliptic curves, which is why ECC keys can be so much shorter than RSA or DH keys
Shor’s algorithm for logarithms O((log n)³) on a quantum computer
92. Practical Attacks
Side channel attacks (passive)
Differential power analysis
Timing attacks
Zero-value point attacks
Fault analysis attacks (active)
Safe error analysis
Invalid point & invalid curve analysis
94. Security
ECC is not “more secure” than RSA
They rely on related mathematical problems (integer factorisation, discrete logarithms)
Neither problem is NP-complete or NP-hard
As (quantum) computers become more powerful both ECC and RSA are in trouble: Shor’s algorithm breaks both
95. Performance
1. ECC keys are far shorter than RSA keys of the same strength (NIST: 256-bit ECC ≈ 3072-bit RSA ≈ 128-bit symmetric)
2. Low on CPU consumption
3. Low on memory usage
4. (2) & (3) ⇒ lower energy
5. Fast key generation (one scalar multiplication, versus finding two large primes)
6. Handshakes with ECC SSL certificates ~2× faster
96. Pairing
A bilinear pairing on an elliptic curve allows a one-round 3-party key exchange (Joux) and new cryptosystems
Useful for example in financial transactions: buyer, seller, & bank
Active area of research, especially in identity-based encryption (IBE), primarily using elliptic curves
98. ECC & Java
JCA
• java.security (KeyPairGenerator, KeyFactory, Signature; algorithm name "EC")
• javax.security.cert is deprecated, use java.security.cert
JCE
• javax.crypto (KeyAgreement "ECDH", Cipher) + Oracle’s Unlimited Strength Jurisdiction Policy files for large keys
Legion of the Bouncy Castle provider (org.bouncycastle) for curves and algorithms the JDK lacks
99. Standardised ECC
NIST curve P-256 (secp256r1)
y² = x³ − 3x + b
modulo p = 2^256 − 2^224 + 2^96 − 1
where b = 41058363725152142129326129780047268409114441015993725554835256314039467401291
secp256k1 (Bitcoin’s curve)
y² = x³ + 7
modulo p = 2^256 − 2^32 − 977
Both are widely deployed, yet SafeCurves rates both as failing some of its criteria (e.g. neither has complete addition formulas, and P-256’s b is not rigidly generated), so check the table rather than equating “standardised” with “safe”:
http://safecurves.cr.yp.to/
100. Curve25519
Is a high-speed Diffie-Hellman function growing in popularity and as the “default setting”
Uses the (Montgomery-form) curve given by
y² = x³ + 486662x² + x
over the prime field given by p = 2^255 − 19, with base point x = 9
Supported apps: http://ianix.com/pub/curve25519-deployment.html
101. The NSA & ECC
Attack method: tampered with Dual_EC_DRBG (a CSPRNG built on elliptic curve point multiplication), which is part of the NIST SP 800-90A standard, to introduce a “backdoor”
Attack summary: the generator’s points P & Q are fixed constants in the standard rather than freshly generated random points. Whoever chose them can know a scalar e with P = e • Q, and with it about 32 bytes of generator output suffice to recover the internal state and predict every subsequent output, i.e. the keys and nonces derived from it
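The curve arithmetic of slides 68-81, the key generation, encryption and decryption of slides 87-89, the invalid-point check from slide 92, and the Dual_EC_DRBG back door of slide 101, as one added Python example (not code from the talk). It assumes the 19-point textbook curve y² = x³ + 2x + 2 over Z17 with base point (5, 1), a SHA-256 keystream standing in for AES, and a constructed back-door scalar e = 3; all of these are illustration-only choices, and with p = 17 everything here, the ECDLP included, is trivially breakable.

```python
"""Toy ECC over Z_p: point arithmetic, ECIES-style encryption and a
miniature Dual_EC_DRBG.  Constructed example; the 19-point curve and the
SHA-256 XOR keystream are illustrations, not something to deploy."""
import hashlib
import secrets

P_MOD, A, B = 17, 2, 2      # domain parameters p, a, b: 4a^3 + 27b^2 = 4 != 0 (mod 17)
INF = None                  # the point at infinity, Theta in the slides

def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return 0 <= x < P_MOD and 0 <= y < P_MOD and (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def inv(v):
    return pow(v % P_MOD, P_MOD - 2, P_MOD)      # Fermat inverse, p prime

def add(p1, p2):
    """Chord-and-tangent rule of slide 71, including the Theta and Q = -P cases."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:     # vertical line: P + (-P) = Theta
        return INF
    if p1 == p2:                                 # tangent at P
        lam = (3 * x1 * x1 + A) * inv(2 * y1) % P_MOD
    else:                                        # chord through P and Q
        lam = (y2 - y1) * inv(x2 - x1) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)  # reflect -R in the x-axis

def mul(k, pt):
    """Double-and-add: about log2(k) point operations, not k - 1 additions."""
    acc, addend = INF, pt
    while k:
        if k & 1:
            acc = add(acc, addend)
        addend = add(addend, addend)
        k >>= 1
    return acc

G = (5, 1)      # base point: 1^2 = 5^3 + 2*5 + 2 = 137 = 1 (mod 17)
N = 19          # order of G (prime, so the cofactor h is 1)

def keygen():
    d = secrets.randbelow(N - 1) + 1    # private key: an integer 0 < d < n
    return d, mul(d, G)                 # public key: the point d*G

def _keystream(S, length):
    # Toy KDF: SHA-256 of the shared point's x-coordinate and a counter.
    blocks = (hashlib.sha256(f"{S[0]}:{i}".encode()).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(Qa, msg):
    """Slide 88: fresh r, session point R = r*G in the clear, secret S = r*Qa."""
    if Qa is INF or not is_on_curve(Qa):
        raise ValueError("recipient public key is not on the curve")
    r = secrets.randbelow(N - 1) + 1
    R, S = mul(r, G), mul(r, Qa)
    return R, bytes(m ^ k for m, k in zip(msg, _keystream(S, len(msg))))

def decrypt(d, R, ct):
    """Slide 89: S = d*R = d(r*G) = r(d*G) = r*Qa.  Checking R is on the curve is
    the slide-92 defence: add() never uses B, so an off-curve R would put d*R in
    another (possibly tiny) group and leak d."""
    if R is INF or not is_on_curve(R):
        raise ValueError("session point is not on the curve")
    S = mul(d, R)
    if S is INF:
        raise ValueError("degenerate shared point")
    return bytes(c ^ k for c, k in zip(ct, _keystream(S, len(ct))))

# Dual_EC_DRBG in miniature (slide 101).  P and Q are fixed constants in the
# standard; whoever picked them may know e with P = e*Q.  The real generator
# truncates 16 bits of each output, which only adds a small search here.
E_BACKDOOR = 3                  # constructed back-door scalar
DEC_Q = G
DEC_P = mul(E_BACKDOOR, DEC_Q)  # P = e*Q

def dual_ec_outputs(seed, count):
    """State update s = x(s*P), output r = x(s*Q), repeated `count` times."""
    s, outs = seed, []
    for _ in range(count):
        s = mul(s, DEC_P)[0]
        outs.append(mul(s, DEC_Q)[0])
    return outs

def dual_ec_predict_next(r):
    """From one output alone, recover the next state and predict the next output."""
    y = next(y for y in range(P_MOD) if (y * y - (r ** 3 + A * r + B)) % P_MOD == 0)
    s_next = mul(E_BACKDOOR, (r, y))[0]    # x(e*(+-s*Q)) = x(s*P) = next state
    return mul(s_next, DEC_Q)[0]
```

decrypt refuses a session point that is not on the curve because the addition formulas never touch b: an attacker-supplied off-curve point makes the multiplication run in a different group, and a small-order one leaks dA a residue at a time. The Dual EC half shows why fixed P and Q were the problem: lifting a single output back to a point and multiplying by e gives the next state, so every later output (and any key made from it) is predictable.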
102. The Pirate Bay & ECC
BitTorrent is a peer-to-peer file transfer protocol co-ordinated by centralised trackers
Recently IP owners have sought IP-address and domain-name blockades against index sites
August 2013: PirateBrowser launched
Coming soon: a P2P darknet where authenticated index-site DNS entries are mapped to their ECC public key
114. The Now
RSA is still secure but consider using bigger keys soon (2048-bit is the current floor; 1024-bit keys are deprecated)
ECC support is nearly universal (OS, browser, switches/routers/etc)
ECC is growing because of faster performance not “better” security
Attacks in the wild generally focus on implementations (side channels, bad randomness, missing parameter and point validation) not the mathematical theory
115. The Future
ECC is a stepping-stone technology
Advances in mathematics, computing power and computing models (quantum computers) threaten the security of ECC and RSA
Lattice cryptography is a leading candidate for the next generation of post-quantum cryptosystems (classical algorithms that resist quantum attack)
Research into NP-intermediate problems and the rest of the complexity landscape
117. Resources
• Lance Fortnow, “The Status of the P Versus NP Problem”, http://cacm.acm.org/magazines/2009/9/38904-the-status-of-the-p-versus-np-problem
• Marcus du Sautoy, “The Music of the Primes”
• https://blogs.rsa.com/secure-crypto-lucky-thirteen-attack/
• Bos, Joppe W., Marcelo E. Kaihara, and Peter L. Montgomery, “Pollard rho on the PlayStation 3”, Workshop record of SHARCS, Vol. 9, 2009
• Joye, Marc, and Michael Tunstall, Fault Analysis in Cryptography, Springer, 2012
• Matthew Green, “The Many Flaws of Dual_EC_DRBG”, http://blog.cryptographyengineering.com/2013/09/the-many-flaws-of-dualecdrbg.html