Elliptic Loops

Taufer, Daniele

11 June 2020

Given an elliptic curve E over Fp and an integer e ≥ 1, we define a new object, called “elliptic loop”, as the set of plane projective points over Z/p^e Z lying over E, endowed with an operation inherited by the curve addition. This object is proved to be a power-associative abelian algebraic loop. Its substructures are investigated by means of other algebraic cubics defined over the same ring, which we named “shadow curve” and “layers”. When E has trace 1, a distinctive behavior is detected and employed for producing an isomorphism attack to the discrete logarithm on this family of curves. Stronger properties are derived for small values of e, which lead to an explicit description of the infinity part and to characterizing the geometry of rational |E|-torsion points. / Data una curva ellittica E su Fp ed un intero e ≥ 1, definiamo un nuovo oggetto, chiamato "loop ellittico", come l'insieme dei punti nel piano proiettivo su Z/p^e Z che stanno sopra ad E, dotato di una operazione ereditata dalla somma di punti sulla curva. Questo oggetto si prova essere un loop algebrico con associatività delle potenze. Le sue sotto-strutture sono investigate utilizzando altre cubiche definite sullo stesso anello, che abbiamo chiamato "curva ombra" e "strati". Quando E ha traccia 1, un comportamento speciale viene notato e sfruttato per produrre un attacco di isomorfismo al problema del logaritmo discreto su questa famiglia di curve. Migliori proprietà vengono trovate per bassi valori di e, che portano ad una descrizione esplicita della parte all'infinito e alla caratterizzazione della geometria dei punti razionali di |E|-torsione.

Settore MAT/02 - Algebra

Points of High Order on Elliptic Curves : ECDSA

Kouchaki Barzi, Behnaz

January 2016

This master thesis is about Elliptic Curve Digital Signature Algorithm or ECDSA and two of the known attacks on this security system. The purpose of this thesis is to find points that are likely to be points of high order on an elliptic curve. If we have a point P of high order and if Q = mP, then we have a large set of possible values of m. Therefore it is hard to solve the Elliptic Curve Discrete Logarithm Problem or ECDLP. We have investigated on the time of finding the solution of ECDLP for a certain amount of elliptic curves based on the order of the point which is used to create the digital signatures by those elliptic curves. Method: Algebraic Structure of elliptic curves over finite fields and Discrete logarithms. This has been done by two types of attacks namely Baby Step, Giant Step and Pollard’s Rho and all of the programming parts has been done by means of Mathematica. Conclusion: We have come into a conclusion of having the probable good points which are the points of high order on elliptic curves through the mentioned attacks in which solving the ECDLP is harder if these points have been used in generating the digital signature. These probable good points can be estimated by means of a function we have come up with. The input of this function is the order of the point and the output is the time of finding the answer of ECDLP.

Digital signature (DS.)

Baby Step

Giant Step (Bs.Gs.)

Pollard’s Rho

Elliptic curve cryptosystem over optimal extension fields for computationally constrained devices

Abu-Mahfouz, Adnan Mohammed

08 June 2005

Data security will play a central role in the design of future IT systems. The PC has been a major driver of the digital economy. Recently, there has been a shift towards IT applications realized as embedded systems, because they have proved to be good solutions for many applications, especially those which require data processing in real time. Examples include security for wireless phones, wireless computing, pay-TV, and copy protection schemes for audio/video consumer products and digital cinemas. Most of these embedded applications will be wireless, which makes the communication channel vulnerable. The implementation of cryptographic systems presents several requirements and challenges. For example, the performance of algorithms is often crucial, and guaranteeing security is a formidable challenge. One needs encryption algorithms to run at the transmission rates of the communication links at speeds that are achieved through custom hardware devices. Public-key cryptosystems such as RSA, DSA and DSS have traditionally been used to accomplish secure communication via insecure channels. Elliptic curves are the basis for a relatively new class of public-key schemes. It is predicted that elliptic curve cryptosystems (ECCs) will replace many existing schemes in the near future. The main reason for the attractiveness of ECC is the fact that significantly smaller parameters can be used in ECC than in other competitive system, but with equivalent levels of security. The benefits of having smaller key size include faster computations, and reduction in processing power, storage space and bandwidth. This makes ECC ideal for constrained environments where resources such as power, processing time and memory are limited. The implementation of ECC requires several choices, such as the type of the underlying finite field, algorithms for implementing the finite field arithmetic, the type of the elliptic curve, algorithms for implementing the elliptic curve group operation, and elliptic curve protocols. Many of these selections may have a major impact on overall performance. In this dissertation a finite field from a special class called the Optimal Extension Field (OEF) is chosen as the underlying finite field of implementing ECC. OEFs utilize the fast integer arithmetic available on modern microcontrollers to produce very efficient results without resorting to multiprecision operations or arithmetic using polynomials of large degree. This dissertation discusses the theoretical and implementation issues associated with the development of this finite field in a low end embedded system. It also presents various improvement techniques for OEF arithmetic. The main objectives of this dissertation are to --Implement the functions required to perform the finite field arithmetic operations. -- Implement the functions required to generate an elliptic curve and to embed data on that elliptic curve. -- Implement the functions required to perform the elliptic curve group operation. All of these functions constitute a library that could be used to implement any elliptic curve cryptosystem. In this dissertation this library is implemented in an 8-bit AVR Atmel microcontroller. / Dissertation (MEng (Computer Engineering))--University of Pretoria, 2006. / Electrical, Electronic and Computer Engineering / unrestricted

Ecc

Elliptic curve

Elgamal

Diffie-hellman

Discrete logarithm problem

Ecdh

Frobenius

Ecdlp

Itoh tsujii inversion

Karatsuba algorithm

Extended euclidean algorithm

Schoolbook method

Addition chain algorithm

Non-adjacent form

Quadratic residue

Legendre symbol

Embedded system

Oef

Finite field

Optimal extension field

Public-key

Cryptography

UCTD

Elliptic Curve Cryptography for Lightweight Applications.

Hitchcock, Yvonne Roslyn

January 2003

Elliptic curves were first proposed as a basis for public key cryptography in the mid 1980's. They provide public key cryptosystems based on the difficulty of the elliptic curve discrete logarithm problem (ECDLP) , which is so called because of its similarity to the discrete logarithm problem (DLP) over the integers modulo a large prime. One benefit of elliptic curve cryptosystems (ECCs) is that they can use a much shorter key length than other public key cryptosystems to provide an equivalent level of security. For example, 160 bit ECCs are believed to provide about the same level of security as 1024 bit RSA. Also, the level of security provided by an ECC increases faster with key size than for integer based discrete logarithm (dl) or RSA cryptosystems. ECCs can also provide a faster implementation than RSA or dl systems, and use less bandwidth and power. These issues can be crucial in lightweight applications such as smart cards. In the last few years, ECCs have been included or proposed for inclusion in internationally recognized standards. Thus elliptic curve cryptography is set to become an integral part of lightweight applications in the immediate future. This thesis presents an analysis of several important issues for ECCs on lightweight devices. It begins with an introduction to elliptic curves and the algorithms required to implement an ECC. It then gives an analysis of the speed, code size and memory usage of various possible implementation options. Enough details are presented to enable an implementer to choose for implementation those algorithms which give the greatest speed whilst conforming to the code size and ram restrictions of a particular lightweight device. Recommendations are made for new functions to be included on coprocessors for lightweight devices to support ECC implementations Another issue of concern for implementers is the side-channel attacks that have recently been proposed. They obtain information about the cryptosystem by measuring side-channel information such as power consumption and processing time and the information is then used to break implementations that have not incorporated appropriate defences. A new method of defence to protect an implementation from the simple power analysis (spa) method of attack is presented in this thesis. It requires 44% fewer additions and 11% more doublings than the commonly recommended defence of performing a point addition in every loop of the binary scalar multiplication algorithm. The algorithm forms a contribution to the current range of possible spa defences which has a good speed but low memory usage. Another topic of paramount importance to ECCs for lightweight applications is whether the security of fixed curves is equivalent to that of random curves. Because of the inability of lightweight devices to generate secure random curves, fixed curves are used in such devices. These curves provide the additional advantage of requiring less bandwidth, code size and processing time. However, it is intuitively obvious that a large precomputation to aid in the breaking of the elliptic curve discrete logarithm problem (ECDLP) can be made for a fixed curve which would be unavailable for a random curve. Therefore, it would appear that fixed curves are less secure than random curves, but quantifying the loss of security is much more difficult. The thesis performs an examination of fixed curve security taking this observation into account, and includes a definition of equivalent security and an analysis of a variation of Pollard's rho method where computations from solutions of previous ECDLPs can be used to solve subsequent ECDLPs on the same curve. A lower bound on the expected time to solve such ECDLPs using this method is presented, as well as an approximation of the expected time remaining to solve an ECDLP when a given size of precomputation is available. It is concluded that adding a total of 11 bits to the size of a fixed curve provides an equivalent level of security compared to random curves. The final part of the thesis deals with proofs of security of key exchange protocols in the Canetti-Krawczyk proof model. This model has been used since it offers the advantage of a modular proof with reusable components. Firstly a password-based authentication mechanism and its security proof are discussed, followed by an analysis of the use of the authentication mechanism in key exchange protocols. The Canetti-Krawczyk model is then used to examine secure tripartite (three party) key exchange protocols. Tripartite key exchange protocols are particularly suited to ECCs because of the availability of bilinear mappings on elliptic curves, which allow more efficient tripartite key exchange protocols.

Elliptic curve (EC)

elliptic curve cryptosystem (ECC)

discrete logarithm problem (DLP)

speed

code size

memory usage

ram usage

fixed curve

random curve

Pollard's rho method

Canetti-Krawczyk proof model

key exchange protocols

security proof

tripartite key exchange

pairings

password-based authentication

point addition

projective coordinates

Jacobian coordinates

Chudnovsky Jacobian coordinates

modified Jacobian coordinates

binary method

simultaneous multiple exponentiation

two-in-one scalar multiplication

coprocessor

smart card

lightweight device

simple power analysis (spa)

side channel attack

equivalent security.