27 research outputs found

    Point Compression for Koblitz Elliptic Curves

    Elliptic curves over finite fields have applications in public key cryptography. A Koblitz curve is an elliptic curve $E$ defined over $\mathbb{F}_2$; the group $E(\mathbb{F}_{2^n})$ has convenient features for efficient implementation of elliptic curve cryptography. Wiener and Zuccherato, and Gallant, Lambert and Vanstone, showed that the Pollard rho algorithm for the discrete logarithm problem can be accelerated on Koblitz curves. This implies that Koblitz curves give less security per bit than general elliptic curves defined over the same field, so for a fixed security level, systems using Koblitz curves require slightly more bandwidth. We present a method to reduce this bandwidth when a normal basis representation for $\mathbb{F}_{2^n}$ is used. Our method is appropriate for applications such as Diffie-Hellman key exchange or ElGamal encryption. We show that, with a low probability of failure, our method gives the expected bandwidth for a given security level.

    An Efficient and Secure Key Management Scheme for Hierarchical Access Control Based on ECC

    In a key management scheme for hierarchical access control, each security class with a higher clearance can derive the cryptographic secret keys of the security classes with lower clearances. In 2006 Jeng and Wang proposed an efficient scheme for access control in a user hierarchy based on elliptic curve cryptosystems; their scheme provides efficient key management for dynamic access problems. In this paper we propose an attack on the Jeng-Wang scheme and show that the scheme is insecure against it: an attacker (adversary) who is not a user in any security class of the user hierarchy can derive the secret key of a security class.

    Summation polynomials and the discrete logarithm problem on elliptic curves

    The aim of the paper is the construction of an index calculus algorithm for the discrete logarithm problem on elliptic curves. The construction presented here is based on the problem of finding bounded solutions to some explicit modular multivariate polynomial equations. These equations arise from the elliptic curve summation polynomials introduced here and may be computed easily. Roughly speaking, we show that given an algorithm for solving such equations which runs in polynomial or low exponential time in the size of the input, one finds discrete logarithms faster than by means of Pollard's methods.

    The Low Hamming Weight Discrete Logarithm Problem (성긴 지수 이산대수 문제)

    Doctoral dissertation, Department of Mathematical Sciences, Graduate School, Seoul National University, August 2012. Advisor: Jung Hee Cheon.
    The discrete logarithm problem is one of the most important underlying mathematical problems in contemporary public key cryptography. Under the assumption that the problem is infeasible, a great number of cryptosystems have been constructed, and research in this area is still active. The efficiency of cryptosystems based on the discrete logarithm problem primarily relies on the speed at which exponentiation can be performed. Along this line of research, Hoffstein and Silverman suggested the use of low Hamming weight product exponents to accelerate group exponentiation while maintaining the security level. With low Hamming weight product exponents, computation costs on GF(2^n) or Koblitz elliptic curves can be reduced significantly, since the cost of squaring and of elliptic curve doubling is much lower than that of multiplication and of elliptic curve addition, respectively. In this thesis we focus on the security analysis of the discrete logarithm problem with low Hamming weight product exponents. 
    The current estimate of the security of this problem mainly depends on the approaches developed for the case of plain low Hamming weight exponents, which do not fit the product form well. We introduce parameterized splitting systems to resolve this problem. We show that they yield an efficient algorithm for the discrete logarithm problem with low Hamming weight product exponents, with lower complexity than any previously known algorithm. To demonstrate its application, we attack the GPS identification scheme as modified by Coron, Lefranc, and Poupard at CHES 2005, and Hoffstein and Silverman's (2,2,11)-exponents. The time complexity of our key recovery attack against the GPS scheme is 2^{61.82}, against a claimed security level of 2^{78}. Hoffstein and Silverman's (2,2,11)-exponent can be recovered with a time complexity of 2^{53.02}, which is the lowest among the known attacks.
    Contents: 1. Introduction; 2. The Low Hamming Weight Discrete Logarithm Problem; 3. The Low Hamming Weight Product DLP; 4. Parameterized Splitting Systems; 5. A New Algorithm from Parameterized Splitting Systems; 6. Cryptanalysis; 7. Conclusion and Open Problems
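The baseline that the thesis starts from is the splitting-system meet-in-the-middle attack on plain low Hamming weight exponents (Coppersmith's idea, formalised by Stinson). The following is an added example, not code from the thesis, and it does not implement the thesis's parameterized splitting systems for product exponents; it only shows why a weight-t exponent of n bits gives far less than 2^n security. The group (Z_p^* for the Mersenne prime 2^31 - 1, with 7 as generator), the exponent size and the secret are all constructed for the example.

```python
"""
Added example (not from the thesis): splitting-system meet-in-the-middle
attack on the low Hamming weight discrete logarithm problem.

Setting, constructed for the example: a generator g of Z_p^* for the Mersenne
prime p = 2^31 - 1 (7 is a primitive root), an n-bit secret exponent x of
Hamming weight t (t even) and h = g^x mod p. Exhaustive search over weight-t
exponents costs C(n, t) group operations; this attack costs about
(n/2 + 1) * 2 * C(n/2, t/2).
"""
from itertools import combinations

P = 2 ** 31 - 1
G = 7
N, T = 30, 6
# constructed secret: six set bits among 30 positions
X_SECRET = (1 << 29) | (1 << 20) | (1 << 17) | (1 << 9) | (1 << 4) | 1
H = pow(G, X_SECRET, P)


def splitting_windows(n):
    """The n/2 + 1 cyclic windows of n/2 consecutive bit positions.
    For any set of t positions (t even) one of them contains exactly t/2:
    window i and window i + n/2 are complements, so their counts sum to t,
    and the count changes by at most one when the window slides by one."""
    half = n // 2
    for i in range(half + 1):
        yield [(i + j) % n for j in range(half)]


def low_weight_dlp(g, h, p, n, t):
    """Return x < 2^n with popcount(x) == t and g^x == h (mod p), or None."""
    assert n % 2 == 0 and t % 2 == 0
    g_inv = pow(g, -1, p)
    for window in splitting_windows(n):
        in_window = set(window)
        rest = [b for b in range(n) if b not in in_window]
        # baby steps: g^a for every a with t/2 bits inside the window
        table = {}
        for bits in combinations(window, t // 2):
            a = sum(1 << b for b in bits)
            table.setdefault(pow(g, a, p), a)
        # giant steps: h * g^(-b) for every b with t/2 bits outside the window;
        # a hit means g^(a + b) == h with a and b on disjoint positions
        for bits in combinations(rest, t // 2):
            b = sum(1 << bb for bb in bits)
            target = (h * pow(g_inv, b, p)) % p
            if target in table:
                return table[target] + b
    return None


if __name__ == "__main__":
    x = low_weight_dlp(G, H, P, N, T)
    print(f"recovered x = {x} (weight {bin(x).count('1')}), match: {x == X_SECRET}")
```

With n = 30 and t = 6 the search touches at most 16 windows of 2 * C(15, 3) = 910 exponentiations each, against C(30, 6) = 593775 for exhaustive search over weight-6 exponents; the gap widens quickly with n and t, which is why the product form analysed in the thesis needs its own, tighter estimate.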

    Applications of Frobenius Expansions in Elliptic Curve Cryptography

    Recent developments in elliptic curve cryptography have heightened the need for fast scalar point multiplication, especially when working in environments with limited computational power. It is well known that point multiplication on elliptic curves over $\mathbb{F}_{q^m}$ (with $m > 1$) can be accelerated using Frobenius expansions. In practice, the computation is much faster than the standard double-and-add scalar multiplication. An efficient implementation of elliptic curve cryptosystems can use a Koblitz curve and convert integers into Frobenius expansions to perform fast scalar multiplications. However, this conversion of integers to Frobenius expansions leads to extra code on the device (i.e., silicon area) and extra computational cost. According to N. Koblitz, H. Lenstra suggested that rather than choosing a random integer $n$ and then converting it to a Frobenius expansion $n(\tau)$, in certain cryptosystems it might be more efficient to generate a random Frobenius expansion directly. The temptation then is to choose a relatively short and/or sparse value for $n(\tau)$. If this is done then we must re-evaluate the difficulty of the discrete logarithm problem (and other computational problems). A further issue is that the existing security proofs may not directly apply; for some systems it may be necessary to develop bespoke security proofs for the Frobenius expansion case. In this thesis, we analyse the Frobenius expansion DLP and present algorithms to solve it. Furthermore, we propose a variant of a well known identification scheme designed for public key cryptography on very restricted devices. More precisely, we construct the Girault-Poupard-Stern (GPS) identification scheme for Koblitz elliptic curves using Frobenius expansions. The idea is to use Frobenius expansions throughout the protocol, so there is no need to convert between integers and Frobenius expansions. We also give a security analysis of the proposed scheme.
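The conversion step the abstract refers to is the computation of a tau-adic non-adjacent form (TNAF). The following is an added example, not code from the thesis: it implements Solinas's TNAF digit recurrence for an element of Z[tau] on a Koblitz curve and evaluates the expansion back to check it. The reduction of the scalar modulo (tau^m - 1)/(tau - 1), which keeps the expansion as short as the binary representation, is deliberately left out, so the TNAF of a plain integer k has about 2*log2(k) digits.

```python
"""
Added example (not code from the thesis): tau-adic NAF of a scalar on a
Koblitz curve E_a: y^2 + x*y = x^3 + a*x^2 + 1 over F_2, a in {0, 1}.

The Frobenius map tau satisfies tau^2 = mu*tau - 2 with mu = (-1)^(1 - a),
so an element of Z[tau] is stored as a pair (r0, r1) meaning r0 + r1*tau.
The digit recurrence is Solinas's TNAF algorithm; no reduction modulo
(tau^m - 1)/(tau - 1) is performed, so the expansion of an integer k
has roughly 2*log2(k) digits.
"""


def tnaf(r0, r1, a):
    """TNAF digits of r0 + r1*tau in Z[tau], least significant digit first."""
    mu = 1 if a == 1 else -1
    digits = []
    while r0 != 0 or r1 != 0:
        if r0 % 2:
            # choose u in {-1, +1} so that r0 + r1*tau - u is divisible by
            # tau^2 (i.e. r0 - u - 2*r1 == 0 mod 4); this forces the next
            # digit to be 0 and gives the non-adjacent property
            u = 2 - ((r0 - 2 * r1) % 4)
            r0 -= u
        else:
            u = 0
        digits.append(u)
        # exact division by tau using 1/tau = (mu - tau)/2 (r0 is even here)
        r0, r1 = r1 + mu * (r0 // 2), -(r0 // 2)
    return digits


def tau_eval(digits, a):
    """Evaluate sum(u_i * tau^i) back to (r0, r1) by Horner's rule, using
    (x + y*tau) * tau = -2*y + (x + mu*y)*tau."""
    mu = 1 if a == 1 else -1
    x, y = 0, 0
    for u in reversed(digits):
        x, y = -2 * y + u, x + mu * y
    return x, y


def is_naf(digits):
    """Non-adjacent form: no two consecutive digits are both nonzero."""
    return all(not (digits[i] and digits[i + 1]) for i in range(len(digits) - 1))


if __name__ == "__main__":
    for a in (0, 1):
        d = tnaf(1000, 0, a)
        print(f"a={a}: {len(d)} digits, NAF={is_naf(d)}, evaluates to {tau_eval(d, a)}")
```

For a = 1 the integer 3 comes out as the digit string (1, 0, 0, 1, 0, -1), most significant first, i.e. 3 = tau^5 + tau^2 - 1; the doubling of the digit count relative to the binary length is exactly what the partial-reduction step avoids, and what Lenstra's suggestion of sampling a short Frobenius expansion directly sidesteps at the price of a different hardness assumption.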

    Study of the generalization of unconditionally secure key predistribution systems

    System: new; Report number: Otsu 2287; Degree: Doctor of Engineering; Date conferred: 2010/7/29; Waseda University degree number: Shin 544

    Design of elliptic curve cryptoprocessors over GF(2^163) using Gaussian normal bases

    This paper presents an efficient hardware implementation of cryptoprocessors that carry out the scalar multiplication kP over the finite field GF(2^163) using two digit-level multipliers. The finite field arithmetic operations were implemented using a Gaussian normal basis (GNB) representation, and the scalar multiplication kP was implemented using the López-Dahab algorithm, the 2-NAF halve-and-add algorithm and the w-tNAF method for Koblitz curves. The processors were designed in VHDL, synthesized on a Stratix-IV FPGA using Quartus II 12.0 and verified using SignalTap II and Matlab. The simulation results show that the cryptoprocessors perform the scalar multiplication kP very well: the computation times of kP using López-Dahab, 2-NAF halve-and-add and 16-tNAF for Koblitz curves were 13.37 µs, 16.90 µs and 5.05 µs, respectively.

    A SAT-based approach for index calculus on binary elliptic curves

    Logical cryptanalysis, first introduced by Massacci in 2000, is a viable alternative to common algebraic cryptanalysis techniques over Boolean fields. With XOR operations being at the core of many cryptographic problems, recent research in this area has focused on handling XOR clauses efficiently. In this paper, we investigate solving the point decomposition step of the index calculus method for prime-degree extension fields $\mathbb{F}_{2^n}$ using SAT solving methods. We experimented with different SAT solvers and settled on WDSat, a solver dedicated to this specific problem. We extend this solver with a novel symmetry-breaking technique that improves the time complexity of the point decomposition step by a factor of $m!$ for the $(m+1)$-th Semaev summation polynomial. While solving the point decomposition problem with this method has exponential worst-case time complexity in the dimension $l$ of the vector space defining the factor base, experimental running times show that the presented SAT solving technique is significantly faster than current algebraic methods based on Gröbner basis computation. For the values of $l$ and $n$ considered in the experiments, the WDSat solver coupled with our symmetry-breaking technique is up to 300 times faster than MAGMA's F4 implementation, and this factor grows with $l$ and $n$.
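Both this abstract and the summation polynomial paper above hinge on the same object: Semaev's summation polynomial, whose zeros encode which factor-base points add up to a given point. The following is an added example, not code from either paper: it implements the third summation polynomial S_3 over a small prime field and solves the point decomposition step by brute force over a tiny factor base, which is the problem the SAT solver and the Gröbner basis methods are competing on. Both papers work over F_{2^n}, where S_3 has a different but analogous shape; the textbook odd-characteristic formula is used here so that it can be checked by hand. The curve, the prime and the factor-base bound are constructed for the example.

```python
"""
Added example (not code from either paper): Semaev's third summation
polynomial S_3 and brute-force point decomposition over a factor base.

Curve, constructed for the example:
    E: y^2 = x^3 + A*x + B over F_p, p = 1019 (prime, p = 3 mod 4).
The factor base is the set of points whose abscissa is below a bound L.
"""
p = 1019
A, B = 1, 1
INF = None  # point at infinity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % p == 0


def ec_add(P1, P2):
    """Affine addition on E over F_p (handles doubling and inverses)."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if P1 == P2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def s3(x1, x2, x3):
    """Semaev's third summation polynomial for y^2 = x^3 + A x + B.
    S_3(x1, x2, x3) = 0 over the algebraic closure iff there are points
    P_i = (x_i, y_i) on E with P1 + P2 + P3 = O, i.e. x3 = x(P1 + P2)."""
    return ((x1 - x2) ** 2 * x3 ** 2
            - 2 * ((x1 + x2) * (x1 * x2 + A) + 2 * B) * x3
            + (x1 * x2 - A) ** 2
            - 4 * B * (x1 + x2)) % p


def lift(x):
    """A point of E with abscissa x, or None if x^3 + A x + B is a non-residue.
    Uses the p = 3 mod 4 square-root shortcut and verifies the result."""
    rhs = (x ** 3 + A * x + B) % p
    y = pow(rhs, (p + 1) // 4, p)
    return (x, y) if y * y % p == rhs else None


def decompose(R, L):
    """Point decomposition: all unordered pairs {P1, P2} of factor-base points
    (abscissa < L) with P1 + P2 = R. S_3 prunes abscissa pairs first; only the
    surviving pairs are lifted to points and confirmed by an actual addition."""
    xr = R[0]
    found = set()
    for x1 in range(L):
        for x2 in range(x1, L):
            if s3(x1, x2, xr) != 0:
                continue  # no choice of y's gives P1 + P2 = +-R
            p1, p2 = lift(x1), lift(x2)
            if p1 is None or p2 is None:
                continue  # root of S_3 whose y lives in F_{p^2}, not in F_p
            for q1 in (p1, (p1[0], -p1[1] % p)):
                for q2 in (p2, (p2[0], -p2[1] % p)):
                    if ec_add(q1, q2) == R:
                        found.add(frozenset((q1, q2)))
    return found


if __name__ == "__main__":
    P1, P2 = (0, 1), lift(1)
    R = ec_add(P1, P2)
    print("R =", R, "decompositions:", decompose(R, 8))
```

Two practical points the code makes visible: S_3 is symmetric in its arguments, which is exactly the m! redundancy the symmetry-breaking technique above removes for the m+1-th polynomial; and a root of S_3 over F_p need not lift to rational points, so every candidate must still be checked, which is why the factor base is defined by abscissae and the y-coordinates are recovered afterwards.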