- PDF Free Download

Size: px

Start display at page:

Download "1 2 1.1............................................ 3 1.2.................................... 7 1.3........................................... 9 1.4.."

えりかしげまつ
7 years ago
Views:

1 ( )

2 (1) (2) (3) (ECDLP) Baby-step Giant-step ρ (ECC) ECDH ECElGamal ECDSA

3 Baby-step Giant-step.................................. 35 2.4 ρ.............................................. 37 2.5............................... 43 2.6............................. 45 3 48 3.

3 1., ( ). 2

4 1.1 p, 0 p 1 F p = {0, 1,..., p 1}. p 0 p 1, p,. 1.1 F 7 = {0, 1, 2, 3, 4, 5, 6} x + y 1.1. F p x x + p p, F p x x + p. x y = x + p y, F p. 1.2 F 7 = {0, 1, 2, 3, 4, 5, 6} x y 1.2. (additive group). 3

5 1.1 y x F y x F G (i) G a, b, c (a b) c = a (b c), (ii) G a a e = e a = a G e, (iii) G a a a = a a = e G a,, G (group). +. ( x y = y x ), ( x + y = y + x ). 4

6 F p p,. 1.3 F 7 = {0, 1, 2, 3, 4, 5, 6} x y 1.3. F p p, x, x + p, x + 2p, x + 3p,.... x y = (x + p) y = (x + 2p) y =,. (, p, x, a, b ap + by = 1, by 1 (mod p) b y 1 (mod p), x y = x b. a, b Euclid.) 1.4 F 7 = {0, 1, 2, 3, 4, 5, 6} x y (y 0) 1.4., ( 0 ) p F p (prime field).,, ( 0 ), (finite field).,.. 5

7 1.3 y x F y x F field, field ( )., köper (, ).,, field. 6

8 1.2 F p. 1.5 ( ) E : y 2 = x 3 + ax + b (a, b F p, E = 4a b 2 0) (1.1) F p (elliptic curve). 1.6 E : y 2 = x 3 + 3x + 4 F 7. E, x, y F p (x, y) F p - (F p -rational point). (the point at infinity) O. (x, y). 1.7 F 7 E : y 2 = x 3 + 3x y 2 = x 3 + 3x + 4 F 7 - P 0 O P 1 (0, 2) P 9 (0, ) P 2 (1, 1) P 8 (1, ) P 3 (2, 2) P 7 (2, ) P 4 (5, 2) P 6 (5, ) P 5 7

9 E = 4a b 2 0, (1.1). E (discriminant). 2 F : y = x 2 + Bx + C F = B 2 4C, F 0 F. n G : y = A 0 x n + A 1 x n A n G = A 2(n 1) 0 (α 1 α 2 ) 2 (α 1 α n ) 2 (α 2 α 3 ) 2... (α 2 α n ) 2 (α n 1 α n ) 2. α 1,..., α n G., n = 3, E = 4a b 2. 8

n G : y = A 0 x n + A 1 x n 1 + + A n G = A 2(n 1) 0 (α 1 α 2 )

10 1.3,. ( x, y )., ( ). 1.8 ( ) R = P + Q. F p E : y 2 = x 3 + ax + b 2 P, Q ( O) 1. 2 P, Q (P = Q P ) l. 2. E l 3 R ( R = O ). 3. R x R (R = O R = O ). R R, R = R. O, F 7 E : y 2 = x 3 + 3x + 4, 1.6 y 2 = x 3 + 3x + 4 F 7 - P 0 O P 1 (0, 2) P 6 (5, 5) P 2 (1, 1) P 7 (2, 5) P 3 (2, 2) P 8 (1, 6) P 4 (5, 2) P 9 (0, 5) P 5 (6, 0) 9

9 1.6. 1.7 F 7 E : y 2 = x 3 + 3x + 4, 1.

11 (elliptic curve) (ellipse).,.,., ( ).. 10

12 ( ) R = P + Q. F p E : y 2 = x 3 + ax + b 2 P, Q P = O : R = Q. Q = O : R = P. : P = (x P, y P ), Q = (x Q, y Q ) y P = y Q : R = O ( Q = P ). y P y Q : R = (x R, y R ). x R, y R x R = λ 2 x P x Q, y R = λ(x P x R ) y P, λ 2 P, Q ( P ). y P y Q x λ = P x Q 3x 2 P + a 2y P x P x Q x P = x Q F 7 E : y 2 = x 3 + 3x + 4, P 2 + P 4, 2 P 6. 11

13 2 P = (x P, y P ), Q = (x Q, y Q ) (y P y Q )/(x P x Q ). x P = x Q 0,. P, Q E : y 2 = x 3 + ax + b y P y Q = (y P y Q )(y P + y Q ) x P x Q (x P x Q )(y P + y Q ) = yp 2 yq 2 (x P x Q )(y P + y Q ) = (x3 P + ax P + b) (x 3 Q + ax Q + b) (x P x Q )(y P + y Q ) = (x P x Q )(x 2 P + x P x Q + x 2 Q + a) (x P x Q )(y P + y Q ) = x2 P + x P x Q + x 2 Q + a y P + y Q, P = Q x P = x Q, y P = y Q. y P y Q = x2 P + x P x Q + x 2 Q + a = 3x2 P + a x P x Q y P + y Q 2y P 12

14 y 2 = x 3 + 3x + 4 F y 2 = x 3 + 3x + 4 F 7 - P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 P 9 P 0 P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 P 9 P 1 P 1 P 8 P 9 P 6 P 7 P 4 P 5 P 3 P 2 P 0 P 2 P 2 P 9 P 1 P 4 P 6 P 3 P 7 P 5 P 0 P 8 P 3 P 3 P 6 P 4 P 1 P 9 P 2 P 8 P 0 P 5 P 7 P 4 P 4 P 7 P 6 P 9 P 8 P 1 P 0 P 2 P 3 P 5 P 5 P 5 P 4 P 3 P 2 P 1 P 0 P 9 P 8 P 7 P 6 P 6 P 6 P 5 P 7 P 8 P 0 P 9 P 2 P 1 P 4 P 3 P 7 P 7 P 3 P 5 P 0 P 2 P 8 P 1 P 9 P 6 P 4 P 8 P 8 P 2 P 0 P 5 P 3 P 7 P 4 P 6 P 9 P 1 P 9 P 9 P 0 P 8 P 7 P 5 P 6 P 3 P 4 P 1 P ,

P 5 P 3 P 2 P 0 P 2 P 2 P 9 P 1 P 4 P 6 P 3 P 7 P 5 P 0 P 8 P 3 P 3 P 6 P 4 P 1 P 9 P 2 P 8 P 0 P 5 P 7 P 4 P 4 P 7 P 6 P 9 P 8 P 1 P 0 P

15 , y 2 = x 3 + ax + b ( 1.4), y 2 + a 1 xy + a 3 y = x 3 + a 2 x 2 + a 4 x + a 6 (Weierstrass ). y 2 = x 3 + ax + b. 14

16 1.4,. Mordell-Weil (Mordell-Weil group). (group order) F 7 E : y 2 = x 3 + 3x + 4 #E. F p, (Hasse-Weil ) F p E #E, #E. p p #E p p Hasse-Weil ( 1.14), F p p., F ,, F 7 E : y 2 = x 3 + 3x + 4 Hasse-Weil ( 1.14). 15

17 1.8 F 7 E : y 2 = x 3 + ax + b b a Deuring Hasse-Weil ( 1.14),., Deuring. Deuring, a, b, Hasse-Weil. F 7 ( 1.8). 16

11 5 8 12 9 6 10 7 4 6 8 12 9 6 10 7 4 Deuring Hasse-Weil (

18 1.5 F p E P ( (base point) ). d, P d d P = P + + P } {{ } d (scalar multiplication)., F 7 E : y 2 = x 3 + 3x + 4, P 1. 2 P 1 = 3 P 1 = 4 P 1 = 5 P 1 = 6 P 1 = 7 P 1 =, 2, 3,..., O. (point order)., P d P = O.,, F 7 E : y 2 = x 3 + 3x + 4, P 1 17

19 x d x d, ( mod N ) RSA., d P,,. 18

20 d P, d 1., 8 P = P + P + P + P + P + P + P + P 7., 8 P = 2 (2 (2 P )), 3.,. d 2 d = 2 n 1 + d n 2 2 n d d 0 (d i {0, 1}) = (1, d n 2,..., d 1, d 0 ) : P, d = (1, d n 2,..., d 1, d 0 ) 2 : d P 1. Q P 2. i = n 2,..., 1, 0 : 2.1 Q 2 Q 2.2 d i = 1 Q Q + P 3. Q., d P ( ) 1.5 log 2 d, d , d = 3045 = (1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1) 2, Q.,. i d i

2 d i = 1 Q Q + P 3. Q., d P ( ) 1.5 log 2 d, d 1. 1.18, d = 3045 = (1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1) 2, Q.

21 F q E Mordell-Weil E(F q ), E(F q ) 2 C 1, C 2, E(F q ) C 1 C 2 (#C 1 #C 2, #C 1 (q 1))., E(F q ) ( E(F q ) C 1 ). 20

22 1.6 (1),.,. F p,, ( ). ( 1.10),., (projective coordinates)., 3 (X : Y : Z)., 2 (X : Y : Z), (X : Y : Z ) X = cx, Y = cy, Z = cz c F p, 2. (X : Y : Z) = (2X : 2Y : 2Z) = = (X/Z : Y/Z : 1)., ( ) (x, y), (x : y : 1)., (X : Y : Z) (X/Z, Y/Z). 21

23 Jacobian, 2 X = c 2 X, Y = c 3 Y, Z = cz Jacobian (Jacobian projective coordinate).,. 22

24 Y 2 Z = X 3 + axz 2 + bz 3 (a, b F p, E = 4a b 2 0)., y 2 = x 3 +ax+b x = X/Z, y = Y/Z., X Z 0.,.,, ( ) F p E : Y 2 Z = X 3 + axz 2 + bz 3 2 P = (X P : Y P : Z P ), Q = (X Q : Y Q : Z Q ) R = P + Q = (X R : Y R : Z R ). P Q X R = va Y R = u(v 2 X P Z Q A) v 3 Y P Z Q Z R = v 3 Z P Z Q u = Y Q Z P Y P Z Q, v = X Q Z P X P Z Q, A = u 2 Z P Z Q v 3 2v 2 X P Z Q P = Q X R = 2hs Y R = w(4b h) 8YP 2 s 2 Z R = 8s 3 w = az 2 P + 3X2 P, s = Y P Z P, B = sx P Y P, h = w 2 8B P Q : P Q :, P = (x : y : 1) d P = (X : Y : Z), (X/Z, Y/Z)., 1,. 23

25 ,, Jacobian,. P Q P = Q 3, 1 4, Jacobian , d d i, P = Q, P Q 1/2, P = Q Jacobian. 24

26 1.7 (2) 1.1 d 2., d m. m = 8 ( n 3 ). 1.2 (8 ) : P, d = (d n 1, d n 2,..., d 1, d 0 ) 2 : d P 0. i = 0, 1,..., 7 : 0.1 P i i P 1. Q P 4dn 1 +2d n 2 +d n 3 2. i = n 4, n 7,..., 2 : 2.1 Q 8 Q 2.2 Q Q + P 4di +2 i 1 +d i 2 3. Q. 1.2, 0. P 0, P 1,..., P 7, , 3. (window method). 1.21, d = 3045 = (1, 0, 1, 1, 1, 1, 1, 0, 0, 1, 0, 1) 2, Q.,. i d i d i 1 d i , /3, 8 P 3, 2.1 n., 2.2 1/3, 2.2 n/ /2, 2.2 n/2, ,. 25

27 d 160, m =

28 1.8 (3) 2, P P ( (x, y), (X : Y : Z))., d 2 d = 2 n 1 + d n 2 2 n d d 0 (d i { 1, 0, 1}) = (1, d n 2,..., d 1, d 0 ) 2,. 1.3 ( 2 ) : P, d = (d n 1, d n 2,..., d 1, d 0 ) 2 : d P 1. Q P 2. i = n 2,..., 1, 0 : 2.1 Q 2 Q 2.2 d i = 1 Q Q + P 2.3 d i = 1 Q Q P 3. Q. d 2, NAF (non-adjacent form, ). d, 3d ( ) 2 (e n+1, e n,..., e 0 ) 2 d ( ) 2 (f n+1, f n,..., f 0 ) 2. d = (3d d)/2, 3d 2 d 2 2, d 2 ( d i = e i+1 f i+1 ). NAF,, 1 1, d ±1 log 2 d/ NAF, 1.33 log 2 n. 27

29 2 2, d i = 1,. 28

30 p,., y 2 = x 3 + ax + b.,.,. [ ],.,,.,,., (d P d ),.,.,,,. 29

31 2,. 30

32 2.1 (ECDLP) F p E, P d Q = d P ( )., P, Q Q = d P d (1 d l, l P ) (elliptic curve discrete logarithm problem, ECDLP) F 7 E : y 2 = x 3 + 3x + 4, P = P 1, Q = P 2, Q = d P d. 2.1,.,.,. 2.2 F p, P, Q F p Q = d P d.. 31

33 P, Q = P d, P, Q d ( ), log P Q. y = log P Q. Q = d P d ( ).,. 32

34 2.2 2 P, Q Q = d P d (1 d l, l P ) ( ), 2 P, 3 P,..., l P (brute force method) GHz, ,

35 2 160,, ( = ).,,. Mathematica Maple,,. Risa/Asir,. 34

36 2.3 Baby-step Giant-step, Baby-step Giant-step (Baby-step Giant-step method). Q = d P, P l m = l ( x x ). d = sm + t (0 s, t < m), s, t d. s, t. R = m P, Q = d P = (sm + t) P = s (m P ) + t P = s R + t P, s, t Q t P = s R (2.1). 2 Q, Q P, Q 2 P, Q 3 P,..., Q (m 1) P O, R, 2 R, 3 R,..., (m 1) R, x. 2, s, t, d. m, 2m, 2 l. 2.4 Baby-step Giant-step, l , 2 81, , Baby-step Giant-step,. 35

37 , 2., , ,

38 2.4 ρ, ρ (ρ method), Baby-step Giant-step. Q = d P, s P + t Q = s P + t Q s, t, s, t (s s, t t ). (t t ) Q = (s s) P Q = s s t t P, (s s)/(t t ) d. mod l (l P ). 2.5 F 229 E : y 2 = x 3 + x + 44, P = (5, 116), Q = (155, 166) Q = d P. P l = 239., 26 P Q = 47 P Q = (9, 18) Q = P = P = 176 P d = 176. R i = s i P + t i Q, ρ, R i = R j R i, R j.. 37

39 ( ) 2,.., (365 ) 23 1/2 2..,. ρ,. 38

40 ρ,,. R, (Random Walk ) f. R + M 0 if x(r) 0 (mod 4) R + M 1 if x(r) 1 (mod 4) f(r) = R + M 2 if x(r) 2 (mod 4) R + M 3 if x(r) 3 (mod 4) x(r) R x. M i = u i P + v i Q , R 0 = (39, 159) = 54 P Q f,. R 9 R 21. M 0 = (135, 117) = 79 P Q M 2 = (84, 62) = 87 P Q M 1 = (96, 97) = 206 P + 19 Q M 3 = (72, 134) = 219 P + 68 Q. i R i s i t i x(r i ) mod 4 i R i s i t i x(r i ) mod 4 0 (39, 159) (197, 92) (160, 9) (211, 47) (130, 182) (194, 145) (27, 17) (0, 68) (36, 97) (223, 153) (119, 180) (9, 18) (108, 89) (167, 57) (81, 168) (75, 136) (223, 153) (57, 105) (9, 18) (159, 4) (167, 57) (185, 227) (75, 136) (158, 26) (57, 105) (197, 92) (159, 4) (211, 47) (185, 227) (194, 145) (158, 26) (0, 68)

41 Random walk f,, 4.. ρ,

42 , l., R i (distinguished point). x θ., 1/θ.,. R i = R j f(r i ) = f(r j ), f(f(r i )) = f(f(r j )), f(f(f(r i ))) = f(f(f(r j ))),...,, , x 1 0 ( θ = 10), R 1 = (160, 9), R 2 = (130, 182), R 19 = (0, 68), R 31 = (0, 68). R 19 R 31, R 19 = 227 P Q = 9 P + 37 Q = R 31 d = 176. ρ, l, Baby-step Giant-step. l/θ, Baby-step Giant-step., ρ,.,,. 41

43 Certicom Certicom Waterloo Scott Vanstone 1985, (, Waterloo RIM ). Certicom,. 42

44 2.5., ρ. (Certicom Challenge.) Certicom Challenge Certicom Challenge Certicom Challenge Certicom Challenge p = ( )/( ) a = b = #E = x P = y P = l = x Q = y Q = d = Q x (π 3) 10 34,. 112, PlayStation ,

45 Certicom Challenge Certicom,,., ,000,,,. 44

46 2.6, ρ., Menezes-Okamoto-Vanstone Waterloo Alfred Menezes, Scott Vanstone NTT Tatsuaki Okamoto, F p p + 1 (Supersingular ), F 7, Supersingular., ( ) Supersingluar Semaev-Smart-Satoh-Araki Igor Semaev, Bristol Nigel Smart, Takakazu Satoh Kiyomichi Araki, F p p (Anomalous ), F 7, Anomalous. 45

47 Menezes-Okamoto-Vanstone,,,. (pairing)., 2 e : E(F q ) E(F q ) G, P, P, Q, Q, e(p + P, Q) = e(p, Q) e(p, Q), e(p, Q + Q ) = e(p, Q) e(p, Q )., (bilinear map).,,, ID. 46

48 , P, Q Q = d P d.,, Baby-step Giant-step, ρ. ρ. [ ],,.,,.,. 47

49 3,.. 48

50 3.1 (ECC),. (elliptic curve cryptosystems, ECC) ( ).,. RSA, RSA RSA, ( d) 160., F p, E : y 2 = x 3 + ax + b. P = (x P, y P ), l.. p = = a = 3 = b = #E = x P = y P = l =

51 3.1 Diffie-Hellman (ECDH) Menezes-Qu-Vanstone (ECMQV) ElGamal (ECElGamal) DSA (ECDSA), (encryption), (cryptsystem) 2.,. (cryptsystem ),. 50

52 3.2 ECDH, ( ).,, Diffie-Hellman (ECDH ). 3.2 (ECDH ) Alice Bob, F p E P. Alice Bob, 2 K A = K B. 1. Alice d A, P A = d A P Bob. 2. Bob d B, P B = d B P Alice. 3. P B Alice K A = d A P B,. 4. P A Bob K B = d B P A, F 7 E : y 2 = x 3 + 3x + 4 P = P 1, d A = 2, d B = 3. P A = K B = P B = K A = 3.4 ECDH, Alice K A Bob K B. ECDH. Carol, Alice Bob ECDH, F p, E, P. Alice Bob P A, P B. P A, P d A, P B, P d B, Carol d A, d B. ECDH. 51

53 Diffie-Hellman (ECDH ) P A = d A P, P B = d B P, P A, P B, P K = d A d B P Diffie-Hellman (ECDH ). ECDH., P A, P d A, K = d A P B, ECDH. ECDH, d A, d B K,. ECDH,, ECDH. 52

54 3.3 ECElGamal ECDH, ECElGamal. 3.5 (ECElGamal ) Alice Bob, F p E P. Alice Bob, Bob M. 1. Bob d B, P B = d B P. P B, d B. 2. Alice a r, P A = r P. b Bob P B, K = r P B. c M, C = M + K. d Bob C P A. 3. Bob a P A d B, K = d B P A. b M = C K, M. 3.6 ECElGamal, Alice K Bob K.. 53

55 , 1985 IBM Victor Miller Washington Neal Koblitz.,. 54

56 3.4 ECDSA, ECDSA. 3.7 (ECDSA ) Alice Bob, F p E P l. Alice Bob, Bob m. 1. Alice d A (1 d A l), P A = d A P. P A, d A. 2. Alice a r, U = r P = (x U, y U ). b m H(m). c u = x U mod l, v = (H(m) + u d A )/r mod l. d Bob (u, v). 3. Bob a Alice P A, d = 1/v mod l V = d H(m) P + d u P A = (x V, y V ). b u = x V mod l.,,. 3.8 ECDSA,. 55

57 DTCP,., DTCP (Digital Transmission Content Protection),. DTCP, ECDH, ECDSA. 56

58 3.5,,. 2, Baby-step Giant-step, ρ l. l,.,. 3.9 ( ) P. F p E 1. p, p. 2. a, b F p, E(a, b) : y 2 = x 3 + ax + b. (Hasse-Weil, p p #E(a, b) p p ). 3. #E(a, b) #E(a, b) = p 2. (Anomalous ). 5. E(a, b) P Supersingular ,.. 57

59 NIST,,,. NIST. 58

60 (ECC), ( ). [ ],,.,., ANSI ( ), IEEE ( ), ISO ( ), NIST ( ), CRYPTREC ( ).,. 59

61 ,.,., ( ). 2,., ( ),, , ( ),, ,. 3,. 3,,.,,, Joseph Silverman, A Friendly Introduction to Number Theory (3rd edition), Pearson Prentice Hall, 2006 [, ( 3 ),, 2007 ] Victor Shoup, A Computational Introduction to Number Theory and Algebra (1st edition) [ PDF : Jeffrey Hoffstein, Jill Pipher, Joseph Silverman, An Introduction to Mathematical Cryptography, Springer-Verlag,

62 ,,. 3,.,,, ,, BP, ( ),,, , 2 (, ).,,, ,,,, ,. 4,. Neal Koblitz, A Course in Number Theory and Cryptography (2nd edition), Springer-Verlag, 1994 [, ( 2 ),, ] Ian Blake, Gadiel Seroussi, Nigel Smart, Elliptic Curves in Cryptography, Cambridge University Press, 2000 [,,, 2001 ] Darrel Hankerson, Alfred Menezes, Scott Vanstone, Guide to Elliptic Curve Cryptography, Springer, 2002, (, ),,, , ( : ID ). ID. Luther Martin, Introduction to Identity-Based Encryption, Artech House,

63 ,,.,,. (ISEC) [2 1 ] (JANT) [3 1 ], ISEC, 300. (SCIS) [ 1 ], (IACR) CRYPTO EUROCRYPTO ASIACRYPTO PKC,. Workshop on Elliptic Curve Cryptography (ECC) 62

楕円曲線暗号と RSA 暗号の安全性比較

楕円曲線暗号と RSA 暗号の安全性比較 RSA, RSA RSA 7 NIST SP-7 Neal Koblitz Victor Miller ECDLP (Elliptic Curve Discrete Logarithm Problem) RSA Blu-ray AACS (Advanced Access Control System) DTCP (Digital Transmission Content Protection) RSA