Journal of Applied Mathematics,Islamic Azad university of Lahijan
Vol.3, NO.11, Winter2006
Application of Elliptic Curves Cryptography In Wireless Communications Security Mohammad Ghamgosar1, Farshad Akbari2, Mehregan Mahdavi3* 1
M.Sc. in Mathematics, Jahad-Deneshgahi of Guilan M.Sc. Student in Information Technology Engineering, University of Shiraz 3 Assistant Professor, Department of Computer Engineering, University of Guilan
D
2
SI
Abstract
of
This paper provides an overview of elliptic curves and their use in cryptography. The focus of the paper is on the performance advantages obtained in the wireless environments by using elliptic curve cryptography instead of traditional cryptosystems such as RSA. Specific applications to secure messaging and identity-based encryption are also discussed.
1. Introduction
ive
keywords: elliptic curves, wireless, Digital, cryptography.
Ar
ch
Forecasters predict more than a billion wireless users by 2005. As the wireless industry explodes, it faces a growing need for security. Applications in sectors of the economy such as healthcare, financial services, and government depend on the underlying security already available in the wired computing environment. Both for secure (authenticated, private) Web transactions and for secure (signed, encrypted) messaging, a full and efficient public key infrastructure is needed. Three basic choices for public key systems are available for these applications: • RSA • Diffie-Hellman (DH) or Digital Signature Algorithm (DSA) modulo a prime p • Elliptic Curve Diffie-Hellman (ECDH) or Elliptic Curve Digital Signature Algorithm (ECDSA) RSA is a system that was published in 1978 by Rivest, Shamir, and Adleman, based on the difficulty of factoring large integers. Whitfield Diffieand Martin Hellman proposed the public key system now called Diffie-Hellman Key Exchange in 1976. DH is a key agreement while DSA is a signature, and they are not directly interchangeable, although they can be combined to authenticate key agreement. Both the key exchange and digital signature algorithms are based on the difficulty of solving the
*
Corresponding author
[email protected] 2
[email protected] 3
[email protected] 1
23
www.SID.ir
M. Ghamgosar et al
Ar
ch
ive
of
SI
D
discrete logarithm problem in the multiplicative group of integers modulo a prime p. Elliptic curve was proposed in1985 as a substitute for the multiplicative groups modulo p in either the DH or DSA protocols. For the same level of security for best currently known attacks, elliptic curve-based systems can be implemented with smaller parameters, leading to significant performance advantages. Such performance improvements are particularly important in the wireless arena where computing power, memory, and battery life of devices are more constrained. In this article we will highlight the performance advantages of elliptic curve systems by comparing their performance with RSA in the context of protocols from different standards. There are various standards bodies guiding the implementation of security protocols for the industry. Some of the organizations involved in standards activities are the Internet Engineering Task Force (IETF), American Bankers Association, International Telecommunications Union, IEEE, and National Institute of Standards and Technology (NIST). The IETF has working groups drafting standards for S/MIME, IPSec, and Transparent Layer Security (TLS). Using the Cryptographic Message Syntax (CMS) format, S/MIME specifies the protocols for exchanging signed encrypted messages or email and is an alternative to PGP. IPSec is needed to establish virtual private network connections, and TLS is used to establish secure browser sessions. X.509 guides the issuing of certificates on parties’ public keys, and their management and revocation. In the last few years, working groups in each of these areas have added specifications for using elliptic curve groups through request for-comment drafts. At the level of specifying the mathematical operations underlying these protocols, the X9 organization of the American Bankers Association provides the standards ANSI X9.39 for RSA and mod p signatures, ANSI X9.62 for ECDSA and ANSI X9.63 for ECDH. Even more specific to elliptic curve cryptography is the IEEE P1363 published standard for describing implementation of elliptic curve operations. NIST provides a list of curves to be used, specified in FIPS 186-2, Digital Signature Standard. The performance advantages of elliptic curves in the SSL/TLS protocol have been analyzed in depth in [1]. The focus of this article is to examine the impact of using elliptic curve cryptography in WAP instead. We provide a brief introduction to elliptic curves in cryptography (ECC). We also give some background information on WTLS and summarize the protocols. Finally, we present our conclusions about the performance advantages to be obtained by using elliptic curves in the wireless environment. 2. Elliptic Curves in Cryptography
Elliptic curves as algebraic/geometric entities have been studied extensively for the past 150 years. As a result, a rich and deep theory has emerged. Elliptic curve systems as applied to cryptography were first proposed in 1985 independently by Neal Koblitz from the University of Washington, and Victor Miller, who was then at IBM, YorktownHeights. Many cryptosystems often require the use of algebraic groups. Elliptic curves may be used to form elliptic curve groups. A group is a set of elements with custom-defined arithmetic operations on those elements. For elliptic curve groups, these specific operations are defined geometrically. Introducing more stringent properties to the elements of a group, such as limiting the number of points on such a curve, creates an underlying field for an elliptic curve group. 24
www.SID.ir
Journal of Applied Mathematics,Islamic Azad university of Lahijan
Vol.3, NO.11, Winter2006
For the purpose of cryptography an elliptic curve can be thought of as being of the form y = x + ax + b Where a and b are elements of a finite group with p n elements where p is a prime large than 3. 2
3
1. Elliptic Curve Point Multiplication
of
SI
D
The principal operation of any ECC core is performing the point-multiplication. Many efficient methods for performing this operation have been reported in the literature [6]. The simplest efficient method is the double-and-add method which relies on the binary expansion of k. This method involves the calculation of elliptic curve point additions and point doublings, which are then combined to perform the multiplication. These can be carried out serially or in parallel depending on the area/speed requirements of the ECC core. Elliptic curve point-addition and point-doubling are defined geometrically by the chord-tangent law of composition. To add two points P and Q on a curve E a line is drawn through P and Q which intersects the curve at a third point on the curve R. The point R0 is then reflected through the x-axis to give the point R which is defined to be the sum of P and Q on E. If the third point of intersection does not exit, we say it is infinity. We denote the point at infinity by the special symbol O we know that this can serve as the additive identity element for the group operation. The point-addition operation is illustrated in Figure 1.
Ar
ch
ive
Figure 1 The point-addition operation
To double a point P on a curve E the tangent to P is drawn. This line intersects the curve at one other point R0. This point is then reflected through the x-axis to give the point R which is defined to be twice the point P on E. The point-doubling operation is illustrated in Figure 2.
25
www.SID.ir
M. Ghamgosar et al
D
Figure 2 The point-doubling operation
2. Elliptic Curves over GF( 2 m )
E: y 2 + xy=x 3 + a x 2 + b
ive
of
SI
Elliptic curves can be defined over any base field. However, a common choice for hardware implementations is extensions of the Galois field of characteristic two, GF( 2 m ). Some of the reasons why Galois fields of this type are so attractive is that they display some nice properties, such as constant word length and carry less arithmetic, which are absent in other number systems. The mathematical structure of GF (2) is such that addition and multiplication can be implemented by XOR and AND gates respectively. Field elements are represented as m bit registers and hence element addition is via a bitwise XOR. An elliptic curve E over GF ( 2 m ), suitable for cryptographic purposes, is defined in affine coordinates by Equation 1. (1)
ch
Where a, b ∈ GF ( 2 m ) and b ≠ 0. The points (x, y) on E form an algebraic structure called a group under the operation of point-addition with the identity element (0, 0). The point-addition operation of two points P = ( x p , y p ) and Q = ( x q , y q ) to give R =
Ar
( x r , y r ) = P + Q is described in Equation 2.
λ = ( y p + y q ) /( x p + x q ) x r = λ2 + λ + x p + x q + a
(2)
y r = ( x r + x p )λ + x r + y q The point-doubling operation of a point P = ( x p , y p ) to give a point R = ( x r , y r ) = 2P is described in Equation 3.
λ = (yp / xp ) + xp x r = λ2 + λ + a y r = ( x r + x p )λ + x r + y p
(3)
As illustrated by equations 2 and 3 both point-addition and point-doubling
26
www.SID.ir
Journal of Applied Mathematics,Islamic Azad university of Lahijan
Vol.3, NO.11, Winter2006
operations over a curve E involve the multiplicative operations of division, squaring and multiplication over the underlying Galois field GF ( 2 m ) along with a number of GF ( 2 m ) element additions. Moreover, we can use elliptic curves defined over GF ( p ). The arithmetic of GF ( p ) is the usual mod p arithmetic. Also the arithmetic of GF ( 2 m ) is similar to that of GF ( p ). However, there are some differences. Elliptic curves over GF ( 2 m ) are more popular due to the space and time-efficient algorithms for doing arithmetic in GF ( 2 m ). Below is the MATLAB code for PC.m which finds and plots all the points on a specific prime curve. This m-file takes A, B and p as its inputs, and produces two vectors, X and Y which contain all the points (x, y) that lie on:
D
y2 = x3 + Ax + B modp
Ar
ch
ive
of
SI
function [X,Y,n] = PC(A,B,p) % This function m-file finds and plots all the points that lie in E_p(A,B) % these points are on the curve y^2 = x^3 + AX + b (mod p) RHS = zeros (3, 1); LHS = zeros (3, 1); X = zeros (2, 1); Y = zeros (2, 1); for i=0:1:(p-1) RHS (i+1) = (i) ^3 + A*(i) + B; RHS (i+1) = rmp(RHS(i+1),p); LHS (i+1) = (i)^2; LHS (i+1) = rmp(LHS(i+1),p); end ii=1; for z=0:1:(p-1) I=find (RHS==z); J=find (LHS==z); q1 = isempty(I); q2 = isempty(J); if (q1) == 0 if q2 == 0 n=length (I); m=length (J); for h=1:1:n for g=1:m X(ii)=I(h)-1; Y(ii)=J(g)-1; ii=ii+1; end end end end end n=length(X) + 1; %%%%%%%PLOTTING%%%%%%%%%%% h=plot (X,Y,’ko’); set (h(1),’LineWidth’,1.5) axis ([0, (max(X)+1), 0,(max(Y)+1) ]) 27
www.SID.ir
M. Ghamgosar et al
xlabel(’X’,’FontSize’,15,’FontWeight’,’bold’) ylabel(’Y’,’FontSize’,15,’FontWeight’,’bold’)
For example, we let the elliptic curve be defined as the solutions of y = x + x +1 over the field GF (23). The group E has 28 points including O. 2
3
20
Y
15
D
10
0
0
2
4
6
8
10
X
12
14
16
18
20
of
3. Representation of GF( 2 m )
SI
5
ive
In order to perform more complicated arithmetic operations than addition in a m Galois field GF ( 2 ) a choice of basis must be made for the design. In hardware terms a choice of basis imposes a meaning to the contents of the m bit registers representing field elements. Choice of basis and hence Galois field arithmetic modules is closely related to the speed/area requirements of a given ECC core. Two of the most common bases used are the polynomial basis and the normal basis.
Ar
ch
5.1. Polynomial Bases Arithmetic m In a polynomial basis representation of GF ( 2 ) elements are considered polynomials of degree m-1 and all multiplicative operations are carried out modulo some specially chosen polynomial of degree m, the irreducible polynomial f. For example over GF ( 2 4 ) elements of GF ( 2 4 ) are the 16 vectors and the irreducible polynomial used will be f(x) = x4 + x + 1. The followings are sample calculations (0110) + (0101) = (0011) and (1101) (1001) = x3 + x2 + x + 1= (1111) and (0010) 5 =x2 + x= (0110). The element g = (0010) is a generator for the field. The multiplicative identity for the field is g0 = (0001). The multiplicative inverse of g7 = (1011) is g-7 mod 15 = g8 mod 15 = (0101). Polynomial bases are a good choice for implementation of ECCs as all multiplicative operations are carried out in O (m). 5.2. Normal Bases Arithmetic For many values of m, the finite field F2m has an optimal basis representation as well as the polynomial representation described above. An optimal basis gives an alternative way of defining multiplication on the elements of a field. While optimal normal basis multiplication is less insightful than polynomial multiplication, it is in practice more efficient. Optimal normal basis representations are classified as either Type I or Type II. The 28
www.SID.ir
Journal of Applied Mathematics,Islamic Azad university of Lahijan
Vol.3, NO.11, Winter2006
SI
D
value of m determines which type shall be used. The set of polynomials {x, x2, x22, ..., x2m-1} forms a basis of F2m over F2 , called a normal basis. Here, bit strings are considered vectors over GF (2) and successive bits of their product are calculated by a (vector) (matrix) (vector) multiplication. For this purpose, the m by m matrix A is constructed, whose ith row, i = 0 ... m - 1, is the bit string corresponding to the polynomial x2^i mod f(x) (The rows and columns of A are indexed by the integers from 0 to m - 1). The entries of A are elements of F2. Then the inverse matrix A-1 of A over F2 is determined. Now, the m by m matrix T ' is constructed, whose ith row, i = 0 ... m - 1, is x x2^i mod f(x). Then the matrix T = T ' A-1 over F2 is computed. Finally, the product terms lij, for i, j = 0 ... m – 1 is determined, as lij = T (j-i,-i). T (g,h) denotes (g,h)-entry of T with indices reduced modulo m. Each product term lij is an element of F2. The field GF ( 2 4 ) has a Type I Optimal Normal Basis; thus f(x) = x4 + x3 + x2+ x + 1. The set of polynomials {x, x2, x4, x8} forms a normal basis of GF ( 2 4 ) over F2. The rows of A are constructed as follows:
of
Row 0: x mod f(x) = x = (0 0 1 0) Row 1: x2 mod f(x) = x2 = (0 1 0 0) Row 2: x4 mod f(x) = x3 + x2 + x + 1 = (1 1 1 1) Row 3: x8 mod f(x) = x3 = (1 0 0 0)
ive
Thus
Ar
ch
And the inverse of A over F2 is
The rows of T' are constructed as follows: Row 0: v = x x mod f(x) = x2 = (0 1 0 0) Row 1: v = x x2 mod f(x) = x3 = (1 0 0 0) Row 2: v = x x4 mod f(x) = x5 mod f(x) = 1 = (0 0 0 1) Row 3: v = x x8 mod f(x) = x9 mod f(x) = x3 + x2 + x + 1 = (1 1 1 1) Thus
29
www.SID.ir
M. Ghamgosar et al
SI
D
and
The product terms are:
m {x, x2, x22... x2m-1} is a basis for GF ( 2 ) over F2 then vector associated with m −1
ive
If
of
l0,0 = T(0,0) = 0 l1,0 =T(3,3) = 0 l2,0 = T(2,2) = 1 l3,0 = T(1,1) = 0 l0,1 = T(1,0) = 0 l1,1 =T(0,3) = 0 l2,1 = T(3,2) = 1 l3,1 = T(2,1) = 1 l0,2 = T(2,0) = 1 l1,2 =T(1,3) = 1 l2,2 = T(0,2) = 0 l3,2 = T(3,1) = 0 l0,3 = T(3,0) = 0 l1,3 =T(2,3) = 1 l2,3 = T(1,2) = 0 l3,3 = T(0,1) = 1
a = ∑ ai x 2 is A= (a0 a1 ...am−1 ) . Let A= (a0 a1 ...am−1 ) and B= (b0 b1 ...bm−1 ) be two elements i
i =0
in GF ( 2 m ) represented in normal basis. Let c = (c 0 c1 ...c m −1 ) be their product. m −1 m −1
ch
Then c s = ∑∑ al + s b j + s lij . For example: l =0 j =0
(a0 a1 a2 a3) (b0 b1 b2 b3) = (c0 c1 c2 c3), where
Ar
c 0 = a0b2 + a1(b2 + b3) + a2(b0 + b1) + a3(b1 + b3) c1 = a1b3 + a2(b3 + b0) + a3(b1 + b2) + a0(b2 + b0) c2 = a2b0 + a3(b0 + b1) + a0(b2 + b3) + a1(b3 + b1) c3 = a3b1 + a0(b1 + b2) + a1(b3 + b0) + a2(b0 + b2). and (a0 a1 a2 a3)2 = (a0 a1 a2 a3) (a0 a1 a2 a3) = (c0 c1 c2 c3), where c 0 = a0a2 + a1(a2 + a3) + a2(a0 + a1) + a3(a1 + a3) = a32 = a3 c1 = a1a3 + a2(a3 + a0) + a3(a1 + a2) + a0(a2 + a0) = a02 = a0 c2 = a2a0 + a3(a0 + a1) + a0(a2 + a3) + a1(a3 + a1) = a12 = a1 c3 = a3a1 + a0(a1 + a2) + a1(a3 + a0) + a2(a0 + a2) = a22 = a2. Thus (a0 a1 a2 a3)2 = (a3 a0 a1 a2) can be calculated with a simple rotation of (a0 a1 a2 a3). Squaring is a very efficient operation when optimal normal basis representation is 30
www.SID.ir
Journal of Applied Mathematics,Islamic Azad university of Lahijan
Vol.3, NO.11, Winter2006
used. Since exponentiation typically involves many squaring operations, exponentiation is performed far more efficiently using optimal normal basis representation than using polynomial representation. 4. Elliptic Curve Cryptography
of
SI
D
One basic condition for any cryptosystem is that the system is closed, i.e., any operation on an element of the system results in another element of the system. In order to satisfy this condition for Elliptic curves it is necessary to construct non standard addition and multiplication operations. We give a very brief outline of the encryption algorithm here. In what follows + and * refer to Elliptic curve addition and multiplication. Capitals represent points on the curve while lower cases represent integers. Given a message, m, we must first choose a large integer, p, and a suitable elliptic curve, E defined as above. We must then embed the message m onto a point, P, on the curve. This is not as straight forward it looks and involves the use of quadratic residues and probabilistic algorithms. A base point, BP, on the curve is chosen. A random integer, s, is chosen and kept secret. The point PUBKEY = s*BP is calculated. The private key is (s, p, BP, a, b), while the public key is (PUBKEY, p, BP, a, b). Note that the difficulty in obtaining the private key from the public key is based on the discrete log problem (DLP) for elliptic curves (ECDLP). The DLP states that given a point A ∈ F p , base point BP, it is
Ar
ch
ive
extremely difficult to find an integer a, such that a*BP = A. To encrypt P, a user picks an integer k, at random and sends the pair of points (k *BP, P + k *PUBKEY). To decrypt this message you multiply the first component by the secret key s, and subtract from the second component: (P + k *PUBKEY ) - s * (k *BP) = P + k *(s * (BP)) - s *(k * BP) = P We then reverse the embedding process to produce the message m, from the point P. This system requires a high level of mathematical abstraction to implement. One significant practical problem if this system is to be useful is how it can be packaged in a user-friendly way so that developers can incorporate it into their applications with minimal knowledge of its inner workings. Not every elliptic curve offers strong security properties and for some curves the ECDLP may be solved efficiently. Since a poor choice of the curve can compromise security, standards organizations such NIST and SECG have published a set of recommended curves [4] with well understood security properties. The use of these curves is also recommended as a means of facilitating interoperability between different implementations of a security protocol. In ECDH key agreement, two communicating parties A and B agree to use the same curve parameters. They generate their private keys, K A and K B and corresponding public keys Q A = k A * BP and QB = k B * BP . The parties exchange their public keys. Finally each multiplies its private key and the other's public key to arrive at a common shared secret K A * QB = K B * Q A = K A * K B * BP .
31
www.SID.ir
M. Ghamgosar et al
5. History of Attacks
This section briefly overviews the algorithms known for the ECDLP. All of these algorithms take fully exponential time. - Naive exhaustive search: In this method, one simply computes successive multiples of P: P, 2P, 3P, 4P ... until Q is obtained. This method can take up to n steps in the worst case. - Baby-step giant-step algorithm: This algorithm is a time-memory trade-off of the method of exhaustive search. It requires storage for about n
points, and its running time is roughly
n steps in the worst case.
of
SI
D
- Pollard’s rho algorithm: This algorithm, due to Pollard [Pollard], is a randomized version of the baby-step-giant-step algorithm. It has roughly the same expected running time ( πn / 2 steps) as the baby-stepgiant-step algorithm, but is superior in that it requires a negligible amount of storage. Gallant, Lambert and Vanstone [GLV], and Wiener and Zuccherato [WZ] showed how Pollard’s rho algorithm can be sped up by a factor of 2 . Thus the expected running time of Pollard’s rho method with this speedup is nπ / 2 steps.
ch
ive
- Distributed version of Pollard’s rho algorithm: Van Oorschot and Wiener [VW] showed how Pollard’s rho algorithm can be parallelized so that when the algorithm is run in parallel on m processors, the expected running time of the algorithm is roughly nπ /(2m) steps. That is, using m processors results in an m-fold speed-up. This distributed version of Pollard’s rho algorithm is the fastest general-purpose algorithm known for the ECDLP.
Ar
- Pohlig-Hellman algorithm: This algorithm, due to Pohlig and Hellman [PH], exploits the factorization of n, the order of the point P. The algorithm reduces the problem of recovering l to the problem of recovering l modulo each of the prime factors of n; the desired number l can then be recovered by using the Chinese Remainder Theorem. To construct the most difficult instance of the ECDLP, one must select an elliptic curve whose order is divisible by a large prime n. Preferably, this order should be a prime or almost a prime (i.e., a large prime n times a small integer h). The elliptic curves in the exercises and challenges posed here are all of this type.
6. Elliptic Curve Digital Signature Algorithm (ECDSA)
First, an elliptic curve E defined over GF ( p ) or GF ( 2 m ) with large group of order n and a point p of large order is selected and made public to all users. Then, the following key generation primitive is used by each party to generate the individual public and private key pairs. Furthermore, for each transaction the signature and verification primitives are used. ECDSA is briefly outlined below
32
www.SID.ir
Journal of Applied Mathematics,Islamic Azad university of Lahijan
Vol.3, NO.11, Winter2006
ECDSA Key Generation - The user A follows these steps: 1. Select a random integer d ∈ [ 2, n − 2] 2. Compute Q = d * p 3. The public and private keys are ( E , p, n, Q ) and d .
SI
D
ECDSA Signature Generation -The user A signs the message m using these steps 1. Select a random integer d ∈ [ 2, n − 2] 2. Compute Q = d * p = ( x1, y1) and r = x1 mod n m If x1 ∈ GF ( 2 ), x1 is represented as a binary number. 3. If r = 0 then go to step 1. −1 4. Compute k modn −1 5. Compute s = k ( H ( m ) + dr ) mod n . Here H is the secure hash algorithm SHA 6. If s = 0 go to step 1. 7. The Signature for the message m is (r, s)
7. Protocol
ive
of
ECDSA Signature Verification - The User B Verifies A’s Signature ( r , s ) on the message m by applying the following steps: 1. Compute c = s −1 mod nandH ( m) 2. Compute u1 = H ( m)c mod n and u 2 = rc mod n 3. Compute u1 * p + u 2 * Q = ( x 0, y 0) and v = x 0 mod n 4. Accept signature if v = r
Ar
ch
Suppose two parties A and B wish to exchange signed encrypted messages. Assume that A and B already have their own public key/private key pairs, and have certificates on their public keys from some common trusted Certificate Authority(CA). If A wants to send a message to B, A can obtain B’s public key and check its validity. Then using B’s public key, A encrypts a message to B (usually just a symmetric key that subsequently acts as the content encryption key). A may include data such as a message encrypted with a symmetric key algorithm using the content encryption key. A then signs the whole message using its own private key. When B receives the data from A, B first checks the certificate on A’s public key for validity. B then uses A’s public key to verify A’s signature on the message. B uses its own public key to decrypt the content encryption key and uses that key to decrypt the received data. (This is an informal description; compare with X.509 .) To analyze the work load on each party, note that both the sender and receiver must perform three public key operations. The sender, A, must: 1. Verify 1 signature (on B’s certificate) 2. Perform 1 encryption (using B’s public key) 3. Sign the message The receiver, B, must: 4. Verify 1 signature (on A’s certificate) 5. Verify 1 signature (on A’s message)
33
www.SID.ir
M. Ghamgosar et al
6. Perform 1 decryption (using its own private key) Currently RSA certificates are often issued even on elliptic curve public keys. Certificates are signed only once but verified many times, and since only the CA must perform the expensive RSA signing operation using its private key, the individual parties do not incur much computational burden in performing the RSA signature verifications of the certificates. However, using an elliptic curve cryptosystem to perform steps 2, 3, 5, and 6 can significantly decrease the computational burden on the individual parties. 8. Wireless Transport Layer Security (WTLS)
Ar
ch
ive
of
SI
D
All the communication from the mobile phone to the Internet passes through the WAP gateway. The communication between the mobile phone and this WAP gateway has to be secured. The SSL/TLS protocol cannot be used for this purpose because of the constraints of the mobile phones. A mobile phone has very limited bandwidth, memory, computational power and battery power and can not perform heavy (cryptographic) computations (e.g., public key cryptography with a 2048–bit key). That is why the WAP forum has adapted TLS to make it suitable for a wireless environment with small mobile devices. The result is WTLS, the wireless variant of SSL/TLS. WTLS includes the usage of elliptic curve cryptography (ECC) by default. The advantage of elliptic curve cryptography is that is uses keys with a much smaller size (ECC with a key size of 170– 180 bits is estimated to achieve a 1024-bit RSA level of security). WTLS also works on top of a datagram-based instead of a connection-based communication layer. Finally, WTLS defines its own certificate format optimized for size (limited bandwidth), but supports the ordinary X.509 certificate too. When the mobile device wants to connect to the Internet, all the communication passes through the WAP gateway. This WAP gateway translates all the protocols used in WAP to the protocols used on the Internet. For example, the WAP proxy encodes (and decodes) the content to reduce the size of the data that has been sent over the wireless link. Another example is the WTLS protocol. The communication between the mobile device and the WAP gateway is secured with WTLS. WTLS is only used between the mobile device and the WAP gateway, while SSL/TLS can be used between the gateway and the Internet. This means that the WAP gateway first has to decrypt the encrypted WTLS–traffic and then has to encrypt it again (using SSL/TLS). WTLS establishes a session between a client (the mobile phone) and a server (the WAP gateway). This phase is called the handshake phase. During this handshake phase, security parameters used to protect the session are negotiated. These include the encryption protocols, signature algorithms, public keys, pre-master secrets, etc. WTLS includes support for both a full handshake, with negotiation of all security parameters, and for a lightweight handshake in which the security parameters of another session are reused. Once a session has been established, all the communication between the client and the server is encrypted .WTLS also supports the feature to suspend a session and resume it later. This way, sessions can last for days. The longer the session remains valid, the longer the secret keys remain valid, and thus, the higher the probability for an attacker to find a secret key. That is why WTLS allows keys to be renegotiated during a session.
34
www.SID.ir
Journal of Applied Mathematics,Islamic Azad university of Lahijan
Vol.3, NO.11, Winter2006
9. Conclusions
Ar
ch
ive
of
SI
D
Over the last five years, elliptic curve cryptography has moved from being an interesting theoretical alternative to being a cutting edge technology adopted by an increasing number of companies. There are two reasons for this new development: one is that ECC is no longer new, and has withstood a generation of attacks; second, in the growing wireless industry, its advantages over RSA have made it an attractive security alternative. Wireless Internet mail industry leaders such as Qualcomm have embraced ECC, as well as other major companies in the wireless industry such as Motorola, Docomo, and RIM. Major computer companies such as IBM, Sun Microsystems, Microsoft, and Hewlett-Packard are all investing in ECC. The U.S. government is backing the use of ECC as well, with NSA creating the security requirements for wireless devices connecting to the military, and NIST providing the standards. The advantage of ID-Based Encryption is that no certificate is needed to bind names to public keys. This feature may help to launch a Public Key Infrastructure, since a receiver does not have to obtain a public key and a certificate before receiving encrypted communications. IEEE Wireless Communications • February 2004 67 standardized curves for use in a range of applications of ECC. Smartcard companies such as Gem plus are also using ECC to improve their products’ security. Wireless devices are rapidly becoming more dependent on security features such as the ability to do secure email, secure Web browsing, and virtual private networking to corporate networks, and ECC allows more efficient implementation of all of these features.
35
www.SID.ir
M. Ghamgosar et al
References
Ar
ch
ive
of
SI
D
[1] V. Gupta, S. Gupta, and S. Chang, “Performance Analysis of Elliptic Curve Cryptography for SSL,” ACM Wksp. Wireless Security, Mobicom 2002, Atlanta, GA, Sept. 2002, http://research.sun.com/projects/crypto/performance.pdf [2] V. S. Miller, “Use of Elliptic Curves in Cryptography,” H. C. Williams, Ed., Advances in Cryptology — CRYPTO, LNCS, vol. 218, 1985, Springer-Verlag, 1986, pp. 417–26. [3] N. Koblitz, “Elliptic Curve Cryptosystems,” Mathematics of Computation, vol. 48, 1987, pp. 203–9. [4] I. F. Blake, G. Seroussi, and N. P. Smart, “Elliptic Curves in Cryptography,” London Math. Soc. Lecture Note Series, 265, Cambridge Univ. Press, 2000. [5] J. Cowie et al., “World Wide Number Field Sieve Factoring Record: on to 512 Bits,” Advances in Cryptology — ASIACRYPT ’96, Kyongju, Korea, LNCS, vol. 1163,Springer-Verlag, 1996, pp. 382–94. [6] Additional ECC Groups for IKE, Mar. 2001, http://www.ietf.org/proceedings/01dec/I-D/draft-ietf-ipsec-ikeeccgroups-03.txt [7] M. Brown et al., “Software Implementation of the NIST Elliptic Curves over Prime Fields,” D. Naccache, Ed.,Topics in Cryptology —CT-RSA 2001, LNCS, vol. 2020, Springer-Verlag, 2001, pp. 250–65. [8] J. Solinas, “Generalized Mersenne Numbers,” Tech. rep., 1999, http://www.cacr.math.uwaterloo.ca/techreports/1999/corr99-39.ps [9] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone,Handbook of Applied Cryptography, CRC Press Series on Discrete athematics and Its Applications, CRC Press, 1997. [10] Daniel M. Gordon, “A Survey of Fast Exponentiation Methods,”J. Algorithms, vol. 27, no. 1, 1998, pp. 129–46. [11] Y. Yacobi, “Discrete-log with Compressible Exponents,”Advances in Cryptology — CRYPTO ’90, LNCS, vol. 537, Springer-Verlag, pp. 639–43. [12] K. Eisentraeger et al., “Fast Elliptic Curve Arithmetic and Improved Weil Pairing Evaluation,” M. Joye, Ed, Topics in Cryptology — CT-RSA 2003, LNCS, vol. 2612, Springer-Verlag, 2003, pp. 343–54. [13] M. Ciet et al., “Trading Inversions for Multiplications in Elliptic Curve Cryptography,” preprint, 2003, http://eprint.iacr.org/ [14] J. Guajardo and C. Paar, “Efficient Algorithms for Elliptic Curve Cryptosystems,” B. S. Kaliski Jr., Ed., Advances in Cryptology — CRYPTO, 1997, LNCS, vol. 1294, Springer-Verlag, 1997, pp. 342–56. [15] C. H. Lim and P. J. Lee, “More Flexible Exponentiation with Precomputation,” Y. G. Desmedt, Ed., Advances in Cryptology — CRYPTO, LNCS, vol. 839, Springer-Verlag, 1994, pp. 95–107. [16] S/MIME Version 3 Message Specification, June 1999, http://www.ietf.org/rfc/rfc2633.txt [17] FIPS Pub 186-2, Digital Signature Standard (DSS), Jan.27, 2000, http://csrc.nist.gov/publications/fips/fips1862/fips186-2-change1.pdf [18] Performance of RSA on ARM and Palm, http://www.digisec.se/mcrypt_performance.htm [19] A. Shamir, “Identity-Based Cryptosystems and Signature Schemes,” Advances in Cryptology: Proc. CRYPTO’84, LNCS, vol. 7, 984, pp. 47–53. [20] U. Maurer and Y. Yacobi, “Non-interactive Public Key Cryptography,”Advances in Cryptography – Eurocrypt ’91, LNCS, vol. 547, Springer-Verlag, 1991, pp. 498–507. [21] D. Boneh and M. Franklin, “Identity-Based Encryption from the Weil Pairing,” J. Kilian, Ed., Advances in Cryptology— CRYPTO, 2001, LNCS, vol. 2139, Springer-Verlag, 2001, pp. 213–29.
36
www.SID.ir