Elliptic Curve Cryptography for those who are afraid of maths

Elliptic Curve Cryptography
for those who are afraid of math(s)
Martijn Grooten, Virus Bulletin
@martijn_grooten
BSides San Francisco, 29 February 2016

Disclaimer:
This talk will be useless.

Disclaimer:
I am not a cryptographer.

Disclaimer:
I am not a cryptographer.
Some things are wrong.

Elliptic curves
y2 = x3 + a·x + b

Elliptic curves
y2 = x3 + a·x + b
…and a prime number p.

Elliptic curves
y2 = x3 + a·x + b
…and a prime number p.
choice!

P
2·P
3·P
“(integer) multiplication”
6·P
4·P
5·P

So:
We can “add” points to each other.

So:
We can “multiply” points by an integer.

So:
P + Q = Q + P
3·P + P = 2·P + 2·P = 4·P
5·(7·P) = 7·(5·P)
etc.

So:
P + Q = Q + P
3·P + P = 2·P + 2·P = 4·P
5·(7·P) = 7·(5·P)
etc.
The points on a curve form an Abelian
Group (very exciting!).

From P to 100·P in eight steps

To go from a point P to 100·P:

To go from a point P to 100·P:
P → 2·P
2·P → 3·P
3·P → 6·P
6·P → 12·P
12·P → 24·P
24·P → 25·P
25·P → 50·P
50·P → 100·P

“Division” is very slow
Given points P and Q, where Q=n·P,
the best way to find the number n is to
try P, 2·P, 3·P, etc. That is very slow.

“Division” is very slow
Given points P and Q, where Q=n·P,
the best way to find the number n is to
try P, 2·P, 3·P, etc. That is very slow.
The Discrete Logarithm Problem for
elliptic curves.

ECDH (Elliptic Curve Diffie-Hellman)

The challenge: Alice and Bob want to
“agree” on a secret key over a public
channel.

The challenge: Alice and Bob want to
“agree” on a secret key over a public
channel.
For example: Alice is a web browser, Bob a
web server and they want to exchange a
key to encrypt a TLS session.

Alice and Bob have agreed (publicly!)
on an elliptic curve and a point P on
the curve.

the curve.
Alice chooses secret large random
number a.

the curve.
Alice chooses secret large random
number a.
Bob chooses secret large random
number b.

Alice computes a·P (a times the point
P) and shares the answer with Bob.

Bob computes b·P and shares this too.

Alice computes a·(b·P) (a times the
point Bob gave her).

Bob computes b·(a·P).

Bob computes b·(a·P).
Secret key: a·(b·P) = b·(a·P)

Homework: find ECDH in Wireshark

Random number generators
True randomness

Random number generators
True randomness
output

Random number generators using ECC
Discrete Logarithm Problem:
n → n·P
gives “random” points/numbers.

Random number generators using
ECC
n → n·P
n0

ECC
n → n·P
n0 n1
n0·P

ECC
n → n·P
n0 n1 n2
n0·P n1·P

ECC
n → n·P
n0 n1 n2
n0·P n1·P n2·P

ECC
n → n·P
n0 n1 n2
n0·P n1·P n2·P
n1 n2

n → n·P
n0 n1 n2
n0·P n1·P n2·P
n1 n2
n1·P

Given: elliptic curve with two points P
and Q.

ECC
n0
and Q.
32-byte seed

ECC
n0 n1
and Q.
n0·P
32-byte seed

ECC
n0 n1
and Q.
n0·P
n1·Q32-byte seed
30 bytes

ECC
n0 n1 n2
and Q.
n0·P n1·P
n1·Q32-byte seed
30 bytes

n0 n1 n2
and Q.
n0·P n1·P
n1·Q n2·Q32-byte seed
30 bytes 30 bytes

n0 n1 n2
and Q.
n0·P n1·P n2·P
30 bytes 30 bytes

n0 n1 n2
and Q.
n0·P n1·P n2·P
30 bytes 30 bytes
Note: ideas from this slide and the next are borrowed from Bernstein, Heninger and
Lange (NCSC ‘14).

Fact: P=d·Q for some (large) number d.

n0 n1 n2
n0·P n1·P n2·P
30 bytes 30 bytes

n0 n1 n2
n0·P n1·P n2·P
30 bytes 30 bytes
216
possibilities

n0 n1 n2
n0·P n1·P n2·P
30 bytes 30 bytes
216
possibilities
r1

n0 n1 n2
n0·P n1·P n2·P
30 bytes 30 bytes
216
possibilities
r1
d·r1

n0 n1 n2
n0·P n1·P n2·P
30 bytes 30 bytes
216
possibilities
r1
d·r1
n2 = n1·P = n1(d·Q)

n0 n1 n2
n0·P n1·P n2·P
30 bytes 30 bytes
216
possibilities
r1
d·r1
n2 = n1·P = n1(d·Q)
= d·(n1·Q)

n0 n1 n2
n0·P n1·P n2·P
30 bytes 30 bytes
216
possibilities
r1
d·r1
n2 = n1·P = n1(d·Q)
= d·(n1·Q)
= d·r1

So who, if anyone, knows d?
“Dual_EC_DRBG”

So who, if anyone, knows d?
“Dual_EC_DRBG”
NB: this RNG is bad for many other
reasons!

What happened at Juniper?
Juniper used Dual_EC_DRBG (in
ScreenOS) but with different P, Q.

In theory that is OK, but…

In practice… Oops.
In theory that is OK, but…

Anything else up their sleeve?

The widely used curves (P-256 etc.)
use “unexplained” constants. We can't
exclude that they weren't chosen to
create a backdoor.

The widely used curves (P-256 etc.)
use “unexplained” constants. We can't
exclude that they weren't chosen to
create a backdoor.
There probably isn't such a backdoor,
but we should aim for “nothing up my
sleeve” constants (e.g. Curve25519).

Suggested reading
"A Riddle Wrapped in an Enigma"
by Neal Koblitz and Alfred J. Menezes
http://eprint.iacr.org/2015/1018.pdf

ECC: a good idea?
Elliptic curve cryptography is a good
idea because we can do with much
smaller keys.

ECC: a good idea?
smaller keys.
256-bit ECC ≈ 3072-bit RSA.

ECC: a good idea?
smaller keys.
256-bit ECC ≈ 3072-bit RSA.
Elliptic curve crypto uses complicated
maths. That is its biggest weakness.

Thank you!
@martijn_grooten
martijn.grooten@virusbtn.com
www.virusbulletin.com
PS “How Broken Is Our Crypto Really?”
3 March, 8:00am, room 2005 @ RSA.

Elliptic Curve Cryptography for those who are afraid of maths

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Elliptic Curve Cryptography for those who are afraid of maths (20)

Recently uploaded (20)

Elliptic Curve Cryptography for those who are afraid of maths