
The Future of Curve-Based Cryptography

Alfred Menezes
University of Waterloo, Canada
CIBSI’03, October 28, 2003
Purpose of this Talk
• Discuss the current trends of research in public-key cryptography based on algebraic curves
• Most mathematical details will be omitted
• I will be happy to provide more details and answer your questions over the next three days

2
Outline
• Groups and Cryptography
• Elliptic Curve Cryptography
• Hyperelliptic Curve Cryptography
• Bilinear Maps
• Conclusions

3
Groups and Cryptography
• (1976) Diffie-Hellman Key Agreement Scheme
• Let g be a generator of the multiplicative group of the integers modulo a prime p
  – A chooses a secret x and sends g^x to B
  – B chooses a secret y and sends g^y to A
  – A computes K = (g^y)^x; B computes K = (g^x)^y
• The shared secret is K = g^(xy)

4
Groups and Cryptography
• (1976) Diffie-Hellman Key Agreement Scheme
• Let g be a generator of a cyclic group G of order n
  – A chooses a secret x and sends g^x to B
  – B chooses a secret y and sends g^y to A
  – A computes K = (g^y)^x; B computes K = (g^x)^y
• The shared secret is K = g^(xy)

5
Desirable Groups
• Group elements have a compact representation
• Group operation can be performed efficiently
• Discrete logarithm problem (DLP) is intractable
  – Given G, g, n, g^x, find x
  – The hardness of the DLP determines the size of parameters needed to attain a desired security level

6
Why Consider Other Groups?
• Shoup proved a lower bound of √n for generic algorithms for solving the DLP in cyclic groups of order n
• This matches the running time √(πn/2) of Pollard’s rho algorithm, the best generic algorithm known for the DLP
• Are there suitable groups for which Pollard’s rho algorithm is indeed the best DLP solver?
• For some groups, such as the multiplicative group of a finite field, faster algorithms are known that take subexponential time

7
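
As an added example (not part of the talk), the following Python code runs the Diffie-Hellman exchange of slides 4 and 5 in a prime-order subgroup of Z_p^* and then solves the resulting DLP with Pollard’s rho algorithm, the generic algorithm whose √(πn/2) running time slide 7 quotes. The parameters p = 10007 and n = 5003 (p = 2n + 1, both prime) are constructed toy values so that the walk finishes in a fraction of a second; the r-adding walk with three partitions and Floyd cycle detection is the textbook variant, not something the slides specify.

```python
import math
import random

# Constructed toy parameters: p = 2n + 1 with p and n both prime, so the
# non-trivial squares in Z_p^* form a subgroup of prime order n; g = 2^2
# generates it.  Far too small for real use: the point is to see the
# generic attack cost, which is what fixes parameter sizes.
p = 10007
n = 5003
g = pow(2, 2, p)

def dh_exchange(x, y):
    """Diffie-Hellman in <g>: A holds x, B holds y.  Returns (A's key, B's key)."""
    gx = pow(g, x, p)          # message A -> B
    gy = pow(g, y, p)          # message B -> A
    return pow(gy, x, p), pow(gx, y, p)

def expected_rho_iterations(order):
    """Heuristic expected number of group operations for Pollard's rho: sqrt(pi*order/2)."""
    return math.sqrt(math.pi * order / 2)

def pollard_rho_dlog(h, seed=0):
    """Solve g^x = h in the order-n subgroup of Z_p^* (n prime).

    Returns (x, floyd_iterations).  Each walk state is (z, a, b) with
    z = g^a * h^b; a collision of two states with different exponents gives
    x from a linear equation mod n.  Memory use is constant (two states).
    """
    rng = random.Random(seed)

    def step(z, a, b):
        # deterministic pseudo-random walk, partitioned by z mod 3
        s = z % 3
        if s == 0:
            return (z * g) % p, (a + 1) % n, b
        if s == 1:
            return (z * z) % p, (2 * a) % n, (2 * b) % n
        return (z * h) % p, a, (b + 1) % n

    for _attempt in range(50):
        a0, b0 = rng.randrange(n), rng.randrange(n)
        start = ((pow(g, a0, p) * pow(h, b0, p)) % p, a0, b0)
        tort, hare = start, start
        iters = 0
        while True:                       # Floyd: tortoise 1 step, hare 2 steps
            tort = step(*tort)
            hare = step(*step(*hare))
            iters += 1
            if tort[0] == hare[0]:
                break
        # g^a1 h^b1 = g^a2 h^b2  =>  x*(b1 - b2) = a2 - a1 (mod n)
        db = (tort[2] - hare[2]) % n
        if db == 0:                       # useless collision, restart the walk
            continue
        da = (hare[1] - tort[1]) % n
        x = (da * pow(db, -1, n)) % n
        if pow(g, x, p) == h:
            return x, iters
    raise ValueError("no usable collision found")

if __name__ == "__main__":
    secret_x, secret_y = 1234, 4321
    k_a, k_b = dh_exchange(secret_x, secret_y)
    print("shared key agrees:", k_a == k_b)
    x, iters = pollard_rho_dlog(pow(g, secret_x, p))
    print("recovered x =", x, "after", iters, "Floyd iterations;",
          "expected ~%.0f group operations" % expected_rho_iterations(n))
```

Because the walk is deterministic given the seed, the iteration count is reproducible; running it over a few seeds shows the counts scatter around the √(πn/2) estimate, which is exactly why doubling the security level of a generic-group system requires quadrupling n.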
An Abundant Source of Groups
• Abelian varieties over finite fields
• Jacobians of algebraic curves
• Jacobians of hyperelliptic curves
  – High genus
  – Low genus (2, 3, 4)
  – Genus 1 (elliptic curves)
  – Genus 0 (finite fields)
• Jacobians of other algebraic curves
  – Picard curves
  – Superelliptic curves

8
Elliptic Curve Cryptography (ECC)
• Proposed by Koblitz and Miller in 1985
• Let F = GF(q) denote the finite field of order q (of characteristic not equal to 2 or 3)
• An elliptic curve E over F is defined by an equation y^2 = x^3 + ax + b
• The set of F-rational points on E is the set
  E(F) = { (x,y) : y^2 = x^3 + ax + b, x ∈ F, y ∈ F }
  together with the point at infinity ∞

9
Group Law
• There is a natural way to add two points on an elliptic curve. The addition turns E(F) into an (additively written) abelian group
• The addition rule involves a few arithmetic operations in the underlying field F
• For example, if P = (x1,y1) and Q = (x2,y2), then P + Q = (x3,y3), where
  – x3 = λ^2 − x1 − x2,
  – y3 = λ(x1 − x3) − y1, and
  – λ = (y2 − y1)/(x2 − x1)

10
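
The chord formula above covers the case x1 ≠ x2. To turn it into a complete group law one also needs the tangent rule for doubling (λ = (3x1^2 + a)/(2y1), which the slide omits) and the conventions for the point at infinity. The Python below, added here as an illustration and not taken from the talk, implements all of this in affine coordinates over GF(p), then builds double-and-add scalar multiplication and an ECDH exchange on top of it. The curve y^2 = x^3 + 2x + 3 over GF(97) and the point (3,6) are constructed toy values.

```python
# Toy elliptic-curve arithmetic over GF(p) for y^2 = x^3 + a*x + b, p > 3.
# Affine coordinates; the point at infinity is represented by None.
# Constructed parameters, only for illustration (a real curve has p ~ 2^256).
p, a, b = 97, 2, 3
INF = None

def is_on_curve(P):
    if P is INF:
        return True
    x, y = P
    return (y * y - (x * x * x + a * x + b)) % p == 0

def neg(P):
    """-P: reflect across the x-axis."""
    if P is INF:
        return INF
    x, y = P
    return (x, (-y) % p)

def add(P, Q):
    """Group law: chord rule for P != Q, tangent rule for P == Q."""
    if P is INF:
        return Q
    if Q is INF:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                                             # P + (-P) = infinity
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p       # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p              # chord slope (as on the slide)
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)

def scalar_mult(k, P):
    """Double-and-add: returns kP."""
    R, Q = INF, P
    while k > 0:
        if k & 1:
            R = add(R, Q)
        Q = add(Q, Q)
        k >>= 1
    return R

def count_points():
    """#E(F) by brute force, including the point at infinity (feasible only for tiny p)."""
    count = 1
    for x in range(p):
        rhs = (x * x * x + a * x + b) % p
        for y in range(p):
            if (y * y) % p == rhs:
                count += 1
    return count

def point_order(P):
    """Smallest k > 0 with kP = infinity (brute force)."""
    k, Q = 1, P
    while Q is not INF:
        Q = add(Q, P)
        k += 1
    return k

def ecdh_demo(G, d_a, d_b):
    """Both sides of ECDH with base point G; returns (A's shared point, B's shared point)."""
    Q_a = scalar_mult(d_a, G)      # A -> B
    Q_b = scalar_mult(d_b, G)      # B -> A
    return scalar_mult(d_a, Q_b), scalar_mult(d_b, Q_a)

if __name__ == "__main__":
    G = (3, 6)
    print("#E(F) =", count_points(), " order(G) =", point_order(G))
    print("ECDH agrees:", ecdh_demo(G, 17, 29)[0] == ecdh_demo(G, 17, 29)[1])
```

The brute-force point count lets the reader check slide 11 directly on this curve: #E(F) is within 2√p of p + 1 (Hasse), and the order of G divides it (Lagrange). Both checks are cheap here and impossible at real sizes, which is why production implementations use curves whose order has been computed and published along with the parameters.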
Basic Properties
• E(F) is an abelian group of order roughly q
• The rank of E(F) is 1 or 2
  – If #E(F) has no repeated factors, then E(F) is cyclic
• There are about 2q different elliptic curves over F

11
Elliptic Curve Discrete Log Problem
• ECDLP: Given an elliptic curve E, a base point G ∈ E(F), n = order(G), and dG, find d
• Some isomorphism attacks on the ECDLP are known that are effective on special families of elliptic curves
• Weil and Tate pairing attack (1990)
  – For some elliptic curves, including supersingular curves, E(F) can be efficiently embedded in the multiplicative group of a small extension of F (where subexponential-time attacks can be mounted)

12
Elliptic Curve Discrete Log Problem (2)
• Attack on prime-field anomalous curves (1997)
  – If F = GF(p) and #E(F) = p, then E(F) can be efficiently mapped to the additive group of the integers modulo p (where the discrete logarithm problem is trivial)
• Weil descent attack (2000– )
  – For some elliptic curves, especially some elliptic curves over F = GF(2^m) where m is composite, E(F) can be efficiently embedded in the jacobian of a high-genus hyperelliptic curve over a subfield of F (where subexponential-time attacks can be mounted)

13
Elliptic Curve Discrete Log Problem (3)
• If the elliptic curve parameters are carefully chosen, then these attacks can be easily avoided
• Then, the best attack on the ECDLP is Pollard’s rho algorithm, which has a running time of √(πq/2) (where q ≈ n)
• Pollard’s rho algorithm is well understood
  – Running time analysis is exact (not asymptotic)
  – Easily parallelized
  – Low memory requirements

14
Key Size Comparisons (ECC vs RSA)

Security level (bits) | Block cipher | ECC: bits in q (|q|_2) | RSA: bits in n (|n|_2)
----------------------+--------------+------------------------+-----------------------
 80                   | SKIPJACK     |  160                   |  1,024
112                   | Triple-DES   |  224                   |  2,048
128                   | AES Small    |  256                   |  3,072
192                   | AES Medium   |  384                   |  8,192
256                   | AES Large    |  512                   | 15,360

15
Performance
• Elliptic curve parameters can be chosen to enhance performance
  – Special fields: Use F = GF(p), where p = 2^256 − 2^224 + 2^192 + 2^96 − 1
  – Special curves: Elliptic curves with efficiently computable endomorphisms to accelerate curve operations
  – Precomputation: In some protocols, exponentiation dQ can be accelerated by precomputing multiples of Q

16
ECC in Practice
• It appears that ECC is most suited for
  – Applications that require very high levels and long-term security (national security)
  – Applications where operating environments are constrained (processing power, memory, bandwidth, power consumption)
• Several standards have been written to specify ECC signature, key agreement and encryption schemes
  – ISO
  – American National Standards Institute (ANSI)
  – IEEE

17
Government Deployments
• US government National Institute for Standards and Technology (NIST)
  – Standards for elliptic curve signature and key agreement schemes
  – Protection of sensitive (but unclassified) data
• US National Security Agency (NSA)
  – Elliptic curve key agreement schemes used to protect national security related systems
• Canadian Communications Security Establishment
• German military

18
Commercial Deployment
• 5C Content Protection
  – Hitachi, Intel, Matsushita, Sony, Toshiba
  – Digital Transmission Content Protection (DTCP) specification
• Microsoft
  – Windows Media Player
• US Federal Aviation Authority (FAA)
• Canada Post
  – Postal Indicia Standard

19
Hyperelliptic Curve Cryptography
• Let F = GF(q) be a finite field of order q
• A hyperelliptic curve of genus g over F is defined by an equation y^2 + h(x)y = f(x), where f is a polynomial of degree 2g+1 over F, and h is a polynomial of degree at most g over F
• Note: An elliptic curve y^2 = x^3 + ax + b is a hyperelliptic curve of genus g = 1

20
Jacobian of a Hyperelliptic Curve
• The jacobian of a hyperelliptic curve is an abelian group of order roughly q^g
• The group elements can be compactly represented, and the group law can be efficiently computed
• The main advantage of hyperelliptic curves over elliptic curves is that a smaller underlying field is needed to obtain a group of a desired order
  – Example: 2^160 vs (2^80)^2 vs (2^40)^4 vs (2^32)^5
  – A smaller field may lead to faster and more compact implementations

21
Hyperelliptic Curve DLP
• (1994, Adleman, Huang, DeMarrais) Subexponential-time algorithm for high genus
• (2000, Gaudry) Algorithm that is faster than Pollard’s rho algorithm for genus 5, 6, 7, 8
• (2003, Theriault) Algorithms that are (asymptotically) faster than Pollard’s rho algorithm for genus 3, 4
• Note: Improving algorithms for the HCDLP can also impact the security of elliptic curve systems

22
Implementation
• (2002, Lange) Performance of arithmetic in genus 2 hyperelliptic curves is very competitive with elliptic curve arithmetic
• (2003, Christof Paar) Performance of arithmetic in genus 3 and genus 4 hyperelliptic curves is competitive with elliptic curve arithmetic

23
Bilinear Maps
• Recall the Weil and Tate pairing attack
  – For some elliptic curves, including supersingular curves, E(F) can be efficiently embedded in the multiplicative group of a small extension K of F
• For such elliptic curves, the Weil and Tate pairings can be used to define a bilinear map e : E(F) × E(F) → K* that satisfies:
  – (Bilinearity) e(P+Q,R) = e(P,R) * e(Q,R)
  – (Non-degeneracy) e(P,P) ≠ 1
  – (Computability) e can be efficiently computed

24
Three-party Two-round Diffie-Hellman
• A, B and C hold secrets a, b and c respectively
• Round 1: A sends aP to B, B sends bP to C, C sends cP to A
• Round 2: A sends caP to B, B sends abP to C, C sends bcP to A
• Shared secret is K = abcP (A computes a(bcP), B computes b(caP), C computes c(abP))

25
Three-party One-round Diffie-Hellman
• (2000) Joux
• Let e : E(F) × E(F) → K* be a bilinear map
• A, B and C hold secrets a, b and c respectively
• One round: A sends aP to B and C, B sends bP to A and C, C sends cP to A and B
• Shared secret is K = e(bP,cP)^a = e(P,P)^(abc)

26
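
To make the message flow of Joux’s protocol concrete, here is an added Python walk-through (not from the talk). A real instance uses the Weil or Tate pairing on a curve with a small embedding degree; that is well beyond a short example, so a toy stand-in is used instead: E(F) is replaced by the additive group Z_n (the integer k represents the point kP) and K* by the order-n subgroup of Z_p^* generated by g, with e(xP, yP) = g^(xy mod n). This map is bilinear and non-degenerate, but it is only computable because the discrete logarithm in Z_n is trivial, so it shows the protocol’s structure and the bilinearity properties of slide 24, nothing about security. The values n = 5003, p = 10007 and g = 4 are constructed.

```python
# Toy bilinear map and Joux's one-round three-party key agreement.
# Constructed parameters: n prime, p = 2n + 1 prime, g = 4 generates the
# order-n subgroup of Z_p^*.  Group elements of "E(F)" are integers mod n
# standing for multiples kP of a base point P (so P itself is 1).
n = 5003
p = 10007
g = 4

def e(xP, yP):
    """Toy pairing e : Z_n x Z_n -> <g>, e(xP, yP) = g^(x*y).  Stand-in for Weil/Tate."""
    return pow(g, (xP * yP) % n, p)

def check_bilinear(x, y, z):
    """Slide 24's bilinearity: e((x+y)P, zP) == e(xP, zP) * e(yP, zP)."""
    return e((x + y) % n, z) == (e(x, z) * e(y, z)) % p

def is_non_degenerate():
    """Slide 24's non-degeneracy: e(P, P) != 1."""
    return e(1, 1) != 1

def joux_exchange(a, b, c):
    """One round: every party broadcasts its public value, then each derives the key.

    Returns (K_A, K_B, K_C) so the caller can check that all three agree.
    """
    # Round 1 (the only messages): A sends aP, B sends bP, C sends cP to the other two.
    msg_A, msg_B, msg_C = a % n, b % n, c % n
    # Key derivation: pair the two received values, raise to one's own secret.
    K_A = pow(e(msg_B, msg_C), a, p)     # e(bP, cP)^a
    K_B = pow(e(msg_A, msg_C), b, p)     # e(aP, cP)^b
    K_C = pow(e(msg_A, msg_B), c, p)     # e(aP, bP)^c
    return K_A, K_B, K_C

def expected_key(a, b, c):
    """e(P, P)^(abc), the value all three parties should reach."""
    return pow(e(1, 1), (a * b * c) % n, p)

if __name__ == "__main__":
    K_A, K_B, K_C = joux_exchange(111, 222, 333)
    print("bilinear:", check_bilinear(12, 345, 678), " non-degenerate:", is_non_degenerate())
    print("all parties agree:", K_A == K_B == K_C == expected_key(111, 222, 333))
```

Compare this with the two-round protocol of slide 25: there each party has to wait for a second message that depends on the first round, whereas here the three broadcasts are independent and can be sent simultaneously. The price is that the key now lives in K* rather than in E(F), which is why the hardness of the ECDLP on pairing-friendly curves (the open question on slide 30) matters for every protocol built this way.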
Other Applications of Bilinear Maps
• (2001) Boneh and Franklin
  – Identity-based public-key encryption
  – One’s email address can be one’s public key (with the private key supplied by a trusted third-party)
• (2001) Boneh, Shacham, Lynn
  – Signature scheme with short signatures
• (2002) Boneh, Gentry, Lynn, Shacham
  – Aggregate signature scheme
• Numerous others

27
Conclusions
• Elliptic Curve Cryptography
  – Subject has reached maturity and basic protocols are being standardized and deployed
  – Study of the ECDLP is ongoing
  – Ongoing research on the efficient and secure implementation of finite field and elliptic curve arithmetic on various platforms

28
Conclusions (2)
• Hyperelliptic Curve Cryptography
  – We are beginning to get a full appreciation of the hardness of the HCDLP
  – HCDLP for genus 2 (3 and 4) curves should be further investigated
  – Much work is being done on the efficient implementation of the arithmetic for genus 2, 3 and 4 curves
  – Other curves?

29
Conclusions (3)
• Cryptography using Bilinear maps
  – Very active area of research
  – Several outstanding problems in protocol research have been solved
  – Protocols are conceptually very simple and easy to analyze
  – Big open question: Hardness of the ECDLP for those elliptic curves where E(F) can be efficiently embedded in the multiplicative group of a small extension of F

30
Thank you for your attention

Questions: [email protected]

31
