1. Field of the Invention
The present invention relates to computerized cryptographic systems and methods for encrypting communications in a computer network or electronic communications system, and particularly to a computerized method of performing XZ-elliptic curve cryptography for use with network security protocols.
2. Description of the Related Art
In recent years, the Internet community has experienced explosive and exponential growth. Given the vast and increasing magnitude of this community, both in terms of the number of individual users and web sites, and the sharply reduced costs associated with electronically communicating information, such as e-mail messages and electronic files, between one user and another, as well as between any individual client computer and a web server, electronic communication, rather than more traditional postal mail, is rapidly becoming a medium of choice for communicating information. The Internet, however, is a publicly accessible network, and is thus not secure. The Internet has been, and increasingly continues to be, a target of a wide variety of attacks from various individuals and organizations intent on eavesdropping, intercepting and/or otherwise compromising or even corrupting message traffic flowing on the Internet, or further illicitly penetrating sites connected to the Internet.
Encryption by itself provides no guarantee that an enciphered message cannot or has not been compromised during transmission or storage by a third party. Encryption does not assure integrity due to the fact that an encrypted message could be intercepted and changed, even though it may be, in any instance, practically impossible to cryptanalyze. In this regard, the third party could intercept, or otherwise improperly access, a ciphertext message, then substitute a predefined illicit ciphertext block(s), which that party, or someone else acting in concert with that party, has specifically devised for a corresponding block(s) in the message. The intruding party could thereafter transmit the resulting message with the substituted ciphertext block(s) to the destination, all without the knowledge of the eventual recipient of the message.
The field of detecting altered communication is not confined to Internet messages. With the burgeoning use of stand-alone personal computers, individuals or businesses often store confidential information within the computer, with a desire to safeguard that information from illicit access and alteration by third parties. Password controlled access, which is commonly used to restrict access to a given computer and/or a specific file stored thereon, provides a certain but rather rudimentary form of file protection. Once password protection is circumvented, a third party can access a stored file and then change it, with the owner of the file then being completely oblivious to any such change.
Methods of adapting discrete logarithm based algorithms to the setting of elliptic polynomials are known. However, finding discrete logarithms in this kind of group is particularly difficult. Thus, elliptic polynomial-based crypto algorithms can be implemented using much smaller numbers than in a finite-field setting of comparable cryptographic strength. Therefore, the use of elliptic polynomial cryptography is an improvement over finite-field based public-key cryptography.
In practice, an elliptic curve group over a finite field F is formed by choosing a pair of a and b coefficients, which are elements within F. The group consists of a finite set of points P(x,y) that satisfy the elliptic curve equation:F(x,y)=y2−x3−ax−b=0,  (1)together with a point at infinity, O. The coordinates of the point, x and y, are elements of F represented in N-bit strings. In the following, a point is either written as a capital letter (e.g., point P) or as a pair in terms of the affine coordinates; i.e. (x,y).
The elliptic curve cryptosystem relies upon the difficulty of the elliptic curve discrete logarithm problem (ECDLP) to provide its effectiveness as a cryptosystem. Using multiplicative notation, the problem can be described as: given points B and Q in the group, find a number k such that Bk=Q, where k is the discrete logarithm of Q to the base B. Using additive notation, the problem becomes: given two points B and Q in the group, find a number k such that kB=Q.
In an elliptic curve cryptosystem, the large integer k is kept private and is often referred to as the secret key. The point Q together with the base point B are made public and are referred to as the public key. The security of the system, thus, relies upon the difficulty of deriving the secret k, knowing the public points B and Q. The main factor that determines the security strength of such a system is the size of its underlying finite field. In a real cryptographic application, the underlying field is made so large that it is computationally infeasible to determine k in a straightforward way by computing all the multiples of B until Q is found.
At the heart of elliptic curve geometric arithmetic is scalar multiplication, which computes kB by adding together k copies of the point B. Scalar multiplication is performed through a combination of point-doubling and point-addition operations. The point-addition operations add two distinct points together and the point-doubling operations add two copies of a point together. To compute, for example, B=(2×(2×(2B)))+2B=Q, it would take three point-doublings and two point-additions.
Addition of two points on an elliptic curve is calculated as follows: when a straight line is drawn through the two points, the straight line intersects the elliptic curve at a third point. The point symmetric to this third intersecting point with respect to the x-axis is defined as a point resulting from the addition. Doubling a point on an elliptic curve is calculated as follows: when a tangent line is drawn at a point on an elliptic curve, the tangent line intersects the elliptic curve at another point. The point symmetric to this intersecting point with respect to the x-axis is defined as a point resulting from the doubling.
Table 1 illustrates the addition rules for adding two points (x1,y1) and (x2,y2); i.e., (x3,y3)=(x1,y1)+(x2,y2):
TABLE 1Summary of Addition Rules: (x3, y3) = (x1, y1) + (x2, y2)General Equationsx3 = m2 − x2 − xy3 = m (x3 − x1) + y1 Point Addition  m  =                    y        2            -              y        1                            x        2            -              x        1             Point Doubling (x3,y3) = 2(x1,y1) (x2,y2) = −(x1,y1) (x2, y2) = O −(x1,y1)      m    =                            3          ⁢                                          ⁢                      x            1            2                          -        a                    2        ⁢                                  ⁢                  y          1                                (                        x          3                ,                  y          3                    )        =                            (                                    x              1                        ,                          y              1                                )                +                  (                      -                          (                                                x                  2                                ,                                  y                  2                                            )                                )                    =                        O          ⁢                                          (                                    x              3                        ,                          y              3                                )                =                                            (                                                x                  1                                ,                                  y                  1                                            )                        +            O                    =                                    (                                                x                  1                                ,                                  y                  1                                            )                        =                          (                                                x                  1                                ,                                  -                                      y                    1                                                              )                                          
For elliptic curve encryption and decryption, given a message point (xm,ym), a base point (xB,yB), and a given key, k, the cipher point (xC,yC) is obtained using the equation (xC,yC)=(xm,ym)+k(xB,yB).
There are two basics steps in the computation of the above equations. The first step is to find the scalar multiplication of the base point with the key, k(xB,yB). The resulting point is then added to the message point, (xm,ym) to obtain the cipher point. At the receiver, the message point is recovered from the cipher point, which is usually transmitted, along with the shared key and the base point (xm,ym)=(xC,yC)−k(xB,yB).
As noted above, the x-coordinate, xm, is represented as an N-bit string. However, not all of the N-bits are used to carry information about the data of the secret message. Assuming that the number of bits of the x-coordinate, xm that do not carry data is L, then the extra bits L are used to ensure that message data, when embedded into the x-coordinate, will lead to an xm value which satisfies the elliptic curve equation (1). Typically, if the first guess of xm is not on a curve, then the second or third try will be.
Thus, the number of bits used to carry the bits of the message data is (N−L). If the secret data is a K-bit string, then the number of elliptic curve points needed to encrypt the K-bit data is
      (          K              N        -        L              )    .It is important to note that the y-coordinate ym of the message point carries no data bits.
An attack method referred to as power analysis exists in which the secret information is decrypted on the basis of leaked information. An attack method in which change in voltage is measured in cryptographic processing using secret information, such as DES (Data Encryption Standard) or the like, such that the process of the cryptographic processing is obtained and the secret information is inferred on the basis of the obtained process, is known.
As one of the measures against power analysis attack on elliptic curve cryptosystems, a method using randomized projective coordinates is known. This is a measure against an attack method of observing whether a specific value appears or not in scalar multiplication calculations, and inferring a scalar value from the observed result. By multiplication with a random value, the appearance of such a specific value is prevented from being inferred.
In the above-described elliptic curve cryptosystem, attack by power analysis, such as DPA or the like, was not taken into consideration. Therefore, in order to relieve an attack by power analysis, extra calculation has to be carried out using secret information in order to weaken the dependence of the process of the cryptographic processing and the secret information on each other. Thus, time required for the cryptographic processing increases so that cryptographic processing efficiency is lowered.
With the development of information communication networks, cryptographic techniques have been indispensable elements for the concealment or authentication of electronic information. Efficiency in terms of computation time is a necessary consideration, along with the security of the cryptographic techniques. The elliptic curve discrete logarithm problem is so difficult that elliptic curve cryptosystems can make key lengths shorter than that in Rivest-Shamir-Adleman (RSA) cryptosystems, basing their security on the difficulty of factorization into prime factors. Thus, the elliptic curve cryptosystems offer comparatively high-speed cryptographic processing with optimal security. However, the processing speed is not always high enough to satisfy smart cards, for example, which have restricted throughput or servers that have to carry out large volumes of cryptographic processing.
The pair of equations for m in Table 1 are referred to as “slope equations”. Computation of a slope equation in finite fields requires one finite field division. Alternatively, the slope computation can be computed using one finite field inversion and one finite field multiplication. Finite field division and finite field inversion are costly in terms of computational time because they require extensive CPU cycles for the manipulation of two elements of a finite field with a large order. Presently, it is commonly accepted that a point-doubling and a point-addition operation each require one inversion, two multiplications, a square, and several additions. At present, there are techniques to compute finite field division and finite field inversion, and techniques to trade time-intensive inversions for multiplications through performance of the operations in projective coordinates.
In cases where field inversions are significantly more time intensive than multiplication, it is efficient to utilize projective coordinates. An elliptic curve projective point (X,Y,Z) in conventional projective (or homogeneous) coordinates satisfies the homogeneous Weierstrass equation:{tilde over (F)}(X,Y,Z)=Y2Z−X3−aXZ2−bZ3=0,  (2)and when Z≠0, it corresponds to the affine point
      (          x      ,      y        )    =            (                        X          Z                ,                  Y          Z                    )        .  Other projective representations lead to more efficient implementations of the group operation, such as the Jacobian representations, where the triplets (X,Y,Z) correspond to the affine coordinates
      (          x      ,      y        )    =      (                  X                  Z          2                    ,              Y                  Z          3                      )  whenever Z≠0. This is equivalent to using a Jacobian elliptic curve equation that is of the form:{tilde over (F)}J(X,Y,Z)=Y2−X3−aXZ4−bZ6=0.  (3)
Another commonly used projection is the Chudnovsky-Jacobian coordinate projection. In general terms, the relationship between the affine coordinates and the projective coordinates can be written as
      (          x      ,      y        )    =      (                  X                  Z          i                    ,              Y                  Z          j                      )  where the values of i and j depend on the choice of the projective coordinates. For example, for homogeneous coordinates, i=1 and j=1.
It is important to note that the group addition rules are defined in the affine coordinates and not in any of the projective coordinates; i.e.,
      (                            X          3                          Z          3          i                    ,                        Y          3                          Z          3          j                      )    =            (                                    X            1                                Z            1            i                          ,                              Y            1                                Z            1            j                              )        +                  (                                            X              2                                      Z              2              i                                ,                                    Y              2                                      Z              2              j                                      )            .      In other words, the computation of the coordinate values of X3, Y3 and Z3 are based on the equations in Table 1, where the value of Z3 is chosen from the denominator of the equations in Table 1 in order to remove the division operations from the calculations of X3 and Y3.
This implies that the points
      (                            X          1                          Z          1          i                    ,                        Y          1                          Z          1          j                      )    ,            (                                    X            2                                Z            2            i                          ,                              Y            2                                Z            2            j                              )        ⁢                  ⁢    and    ⁢                  ⁢          (                                    X            3                                Z            3            i                          ,                  -                                    Y              3                                      Z              3              j                                          )      lie on the same straight line, while (X1,Y1,Z1), (X2,Y2,Z2) and (X3,−Y3,Z3) do not lie on the same line. Thus, one cannot write (X3,Y3,Z3)=(X1,Y1,Z1)+(X2,Y2, Z2) when the addition operation is defined over the affine coordinate. It should be noted that defining the elliptic curve points as a group over addition is necessary so that the equation given above can be re-written as
      (                            X          2                          Z          2          i                    ,                        Y          2                          Z          2          j                      )    =            (                                    X            3                                Z            3            i                          ,                              Y            3                                Z            3            j                              )        -                  (                                            X              1                                      Z              1              j                                ,                                    Y              1                                      Z              1              j                                      )            .      
It is this group definition that leads to the fact that decryption, as described above, is, in fact, the reciprocal of encryption. The use of projective coordinates circumvents the need for division in the computation of each point addition and each point doubling during the calculation of scalar multiplication. Thus, integer modular division can be avoided in the calculation of a scalar multiplication, such as
      k    ⁡          (                                    X            B                                Z            B            i                          ,                              Y            B                                Z            B            j                              )        ,when using projective coordinates.
The last addition for the computation of the cipher point
  (                    X        C                    Z        C        i              ,                  Y        C                    Z        C        j              )(i.e., the addition of the two points
  (                    X        m                    Z        m        i              ,                  Y        m                    Z        m        j              )and
  k  ⁡      (                            X          B                          Z          B          i                    ,                        Y          B                          Z          B          j                      )  can also be carried out in the chosen projection coordinate. In other words,
      (                            X          C                          Z          C          i                    ,                        Y          C                          Z          C          j                      )    =            (                                    X            m                                Z            m            i                          ,                              Y            m                                Z            m            j                              )        +                  (                                            X              B                                      Z              B              i                                ,                                    Y              B                                      Z              B              j                                      )            .      It should be noted that Z=1.
However, in the above, one division (or one inversion and one multiplication) must still be carried out to calculate
            x      C        =                  X        C                    Z        C        i              ,since only the affine x-coordinate of the cipher point xC is sent by the sender.
The use of projective coordinates circumvents the need for division in the computation of each point addition and point doubling during the calculation of scalar multiplication. Thus, finite field division can be avoided in the calculation of a scalar multiplication, such as
      k    ⁡          (                                    X            B                                Z            B            i                          ,                              Y            B                                Z            B            j                              )        ,when using projective coordinates.
Thus, the encryption of (N−L) bits of the secret message using elliptic curve encryption requires at least one division when using projective coordinates. Similarly, the decryption of a single message encrypted using elliptic curve cryptography also requires at least one division when using projective coordinates.
With regard to secure network protocols, the secure socket layer (SSL) protocol (sometimes referred to as the “transport layer security” (TLS) protocol) is presently the most widely used security protocol on the Internet. The SSL protocol offers encryption, authentication and data integrity over public insecure channels. SSL is designed to be very flexible, as it can accommodate different cryptographic algorithms for key agreement, encryption and hashing. However, the specifications associated with SSL recommend particular combinations, which are generally referred to as “cipher-suits”. An example of a cipher-suit is “RSA-RC4-SHA”, which indicates that RSA is used for key agreement, RC4 for encryption and SHA for hashing.
The SSL protocol has two main components: the “handshake protocol” and the “record layer protocol”. The handshake protocol is used by the client and the server to agree on a common cipher-suit, authenticate each other, and establish a master key using public-key cryptographic algorithms. While authenticating a client in this stage, server authentication is mandatory. Then, the record layer protocol derives shared keys from the master key and performs data encryption and hashing for integrity.
Originally, SSL was defined as using RSA-based public key cryptography for its key exchange and encryption. Later, elliptic curve cryptography (ECC) was included as an option in the set of cipher suits. Since ECC is a public-key system, only the handshake protocol is affected by introducing ECC into SSL. The SSL handshake protocol involves the use of a public-key cryptographic protocol and a digital signature protocol. For ECC-based SSL, elliptic curve Diffie-Hellman (ECDH) and elliptic curve digital signature algorithms (ECDSA) are used as a public key protocol and a digital signature protocol, respectively.
The session begins with a client and the server exchanging random nonces, which are used to prevent replay attacks. Then, a cipher-suit is negotiated with the “ClientHello” and “ServerHello” messages. The server then sends the “ServerCertificate” message, which contains its ECDH public key signed by a certification authority using ECDSA.
After validating the ECDSA signature, the client sends its ECDH key to the server using a “ClientKeyExchange” message. Each entity then uses its private ECDH key along with the other's public key to arrive at a premaster secret. The premaster secret is used, along with the random nonces exchanged earlier, to create a shared key that is used for data transfer. Typically, the data transfer itself still takes place using RC4, which is an RSA-based stream cipher.
IP Security (IPsec) is a protocol that guarantees the data privacy and integrity of IP packets, regardless of the application to which these packets belong. In other words, any application, as long as it uses IP to send data, will benefit from the underlying secure IP network. IPsec has been designed to meet four different goals: privacy, integrity, authentication, and robustness. In addition to data privacy, IPsec allows for dataflow privacy, in which even the identity of the communicating parties cannot be revealed by an attacker. It also contains measures for preventing denial of service (DoS) and replay attacks.
The IPsec framework does not specify encryption algorithms to be used by its implementations. Instead, it provides an empty infrastructure where the desired algorithms may be set. This allows implementations to be modular, customizable for specific problems, and easily upgradeable with new algorithms. A standard set of default algorithms has been specified by the relevant RFCs in order to foster the early adoption of IPsec.
A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. A virtual private network can be contrasted with a system of owned or leased lines that can only be used by one company. The main purpose of a VPN is to provide the company with the same capabilities as private leased lines at much lower cost by using the shared public infrastructure. Phone companies have provided private shared resources for voice messages for over a decade. A virtual private network makes it possible to have the same protected sharing of public resources for data.
VPN technologies can be grouped into three major categories: trusted VPN, secure VPN and hybrid VPN. In a secure VPN, all traffic must be encrypted and authenticated. A secure VPN usually takes place on a public network, such as the Internet or the public telephone network. On the other hand, in a trusted VPN, no one other than the trusted VPN provider can affect the creation or modification of a path in the VPN. The entire value of the trusted VPN is that the customer can trust that the provider to provision and control the VPN. Hybrid VPNs use a secure VPN that runs over a trusted VPN. Among others, IPsec is the prevalent tool used to implement secure VPNs. Further, SSL is used, but less commonly so, as it is less flexible than IPsec.
Thus, a method of performing XZ-elliptic curve cryptography for use with network security protocols solving the aforementioned problems is desired.