TOWARDS A QUARTER-CENTURY OF PUBLIC KEY CRYPTOGRAPHY

edited by Neal Koblitz, University of Washington, U.S.A.

A Special Issue of DESIGNS, CODES AND CRYPTOGRAPHY, An International Journal, Volume 19, No. 2/3 (2000)

SPRINGER SCIENCE+BUSINESS MEDIA, LLC

DESIGNS, CODES AND CRYPTOGRAPHY, An International Journal, Volume 19, Numbers 2/3, March 2000
Special Issue: Towards a Quarter-Century of Public Key Cryptography
Guest Editor: Neal Koblitz

Guest Editorial ... Neal Koblitz 5
Information Security, Mathematics, and Public-Key Cryptography ... Simon Blake-Wilson 7
Integer Factoring ... Arjen K. Lenstra 31
Discrete Logarithms: The Past and the Future ... Andrew M. Odlyzko 59
The Diffie-Hellman Protocol ... Ueli M. Maurer and Stefan Wolf 77
The State of Elliptic Curve Cryptography ... Neal Koblitz, Alfred Menezes and Scott A. Vanstone 103
Efficient Arithmetic on Koblitz Curves ... Jerome A. Solinas 125

ISBN 978-1-4419-4972-1
ISBN 978-1-4757-6856-5 (eBook)
DOI 10.1007/978-1-4757-6856-5

Library of Congress Cataloging-in-Publication Data: A C.I.P. Catalogue record for this book is available from the Library of Congress.

Copyright © 2000 by Springer Science+Business Media New York. Originally published by Kluwer Academic Publishers in 2000. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, mechanical, photo-copying, recording, or otherwise, without the prior written permission of the publisher, Springer Science+Business Media, LLC.

Printed on acid-free paper.

Designs, Codes and Cryptography, 19, 75-76 (2000)
© 2000 Kluwer Academic Publishers, Boston.
Guest Editorial

The original plan for this issue was to commemorate the twentieth anniversary of public key cryptography, which first saw the light of day with the publication of the seminal article "New Directions in Cryptography" by Whitfield Diffie and Martin Hellman in 1976. But in the first place, a series of delays have caused us to miss the 20-year celebration by a wide margin. In the second place, it has since been revealed that public key cryptography was developed in secret in Great Britain in the early 1970's. So at this point there are several possible anniversaries that this special issue may be considered to be marking, of which only the last is a round number:

(1) the 24th anniversary of the public invention of public key cryptography by Diffie and Hellman;
(2) the 26th anniversary of its secret invention by Cocks and Ellis;
(3) the 23rd anniversary of the invention by Rivest, Shamir, and Adleman of the first public key cryptosystem to enjoy commercial success; and
(4) the 0th anniversary of public key cryptography becoming truly public with the imminent expiration of all basic U.S. patents covering the field. (The Hellman-Diffie-Merkle and Hellman-Merkle patents expired in 1997, the Merkle patent expired in September 1999, and the RSA patent expires in September of 2000; see the Handbook of Applied Cryptography for details.)

Despite the uncertainty about what anniversary is being celebrated, there can be no doubt about the appropriateness of devoting a special issue to this subject. Public key cryptography not only has assumed a central role in discussions of such practical matters as privacy rights and secure electronic commerce, but has also started to draw upon increasingly sophisticated mathematical techniques.
For instance, powerful results in algebraic number theory are used for the number field sieve factoring method, and the latest techniques for counting points on elliptic curves rely upon subtle analyses of modular polynomials, isogenies, and so on.

This issue contains six articles that give an overview of several of the most important areas in the mathematics of public key cryptography. The first paper, by Simon Blake-Wilson, gives the reader the background in cryptography needed to appreciate the variety of applications for which public key systems are used. The article by Arjen Lenstra surveys the current state of integer factorization, which is the central problem whose assumed intractability is the basis for RSA-type systems. Next comes Andrew Odlyzko's article on the discrete logarithm problem, which is the other type of mathematical problem whose presumed difficulty is central to modern cryptography. After that, Ueli Maurer and Stefan Wolf describe recent advances toward a proof that the cryptanalysis of Diffie-Hellman type systems is really equivalent to solution of the discrete log problem (a long-standing conjecture). Then Alfred Menezes, Scott Vanstone, and I survey elliptic curve cryptography, an area of increasing interest both for practical and theoretical reasons. Finally, Jerry Solinas studies the properties of a particularly attractive class of elliptic curves for use in cryptography; recently, these "anomalous binary curves" were among those recommended by the National Institute of Standards and Technology for U.S. Government use.

Neal Koblitz
Seattle, September 1999

Designs, Codes and Cryptography, 19, 77-99 (2000)
© 2000 Kluwer Academic Publishers, Boston.

Information Security, Mathematics, and Public-Key Cryptography*

SIMON BLAKE-WILSON, sblakewilson@certicom.com
Certicom Corp., 200 Matheson Blvd W. Suite 103, Mississauga, Ontario L5R 3L7, Canada.

Abstract.
Public-key cryptography is today recognized as an important tool in the provision of information security. This article gives an overview of the field on the occasion of its 22nd birthday.

Keywords: Public-key cryptography, one-way function

1. Introduction

When public-key cryptography was introduced to the research community by Diffie and Hellman in 1976 [11], it represented an exciting innovation in cryptography and a surprising application of number theory. Today, more than twenty years on, public-key cryptographic schemes are in everyday use. This widespread application is due in part to innovations, both in computer technology and in algorithm design, that make its use efficient, and in part to the preeminence of large-scale digital open networks. This revolution means that the motivation of research in the area is no longer primarily theoretical. Instead the principal question has become: how can public-key cryptography best be used to solve information security problems in the 'real world'? It is artificial to divorce public-key cryptography from its applications. The first step towards explaining current developments is therefore to explain the importance of information security.

1.1. What Is Information Security?

Information is recognized by many organizations as an important asset. Few businesses could function effectively without the ability to rely to some extent on information as a resource: banks need to know the details of each account, and hospitals need to access patients' medical records. Information security is concerned with providing assurances about the quality of data. Broadly speaking, information security is frequently classified as the provision of the following services:

confidentiality: the assurance that data is not disclosed to unauthorized parties.
integrity: the assurance that data is genuine.
availability: the assurance that data is readily accessible.

* This article represents the personal perspective of the author.
Please send comments to: sblakewilson@certicom.com.

Until recently, physical techniques have usually been sufficient to ensure information security. When stored on paper, data can be kept in a secure location and communicated in a sealed envelope using a trusted carrier to ensure its confidentiality. Appending a handwritten signature to a document provides data integrity; and an efficient filing system is enough to afford availability. Today however, most information is stored in electronic form. This medium offers many potential advantages: data can be stored and communicated very cheaply and massive amounts of data can be accessed instantaneously using databases. On the other hand, data stored in this way faces new and heightened threats. Communication over open networks is very cheap, but represents easy pickings for an adversary who wants to intercept, modify, or inject data. Data stored on networked computers faces similar threats. If society is to benefit from the advantages offered by electronic data storage and open networks, information security must therefore provide techniques capable of supplying confidentiality, integrity, and availability in this new environment. Of the solutions proposed thus far, cryptography is the most versatile.

1.2. What Is Cryptography?

Cryptography is that branch of information security in which assurances are provided by transforming the data itself. It is concerned with the design, analysis, and implementation of schemes capable of furnishing security in a variety of environments. When considering information security services provided by cryptography, confidentiality and integrity are subdivided into five basic categories:

data confidentiality: the assurance that data is unintelligible to unauthorized parties.
data origin authentication: the assurance that data has originated from a specified entity.
data integrity: the assurance that data has not been modified by an unauthorized entity.
entity authentication: the assurance that an entity is involved in a real-time communication with a particular entity.
non-repudiation: the assurance that an entity cannot later deny originating data.

A cryptographic scheme is designed to facilitate the provision of some subset of these five services, either by providing the services directly or by indirectly aiding their provision. Cryptographic schemes can be classified as either symmetric schemes or public-key (asymmetric) schemes. The technical specification of any scheme includes the description of transformations that are applied to data. These transformations are controlled by keys. The relationship between the keys controlling the transformations classifies the scheme: if the keys are the same, the scheme is symmetric; if there are essentially two distinct keys $K_1$ and $K_2$ with the property that it is hard to derive $K_1$ from $K_2$, the scheme is asymmetric. This relationship between $K_1$ and $K_2$ explains the nomenclature: it implies that $K_2$ can be published without compromising $K_1$ or the transformations controlled by $K_1$. $K_2$ is therefore known as the public key $PK$ and $K_1$ as the private key $SK$. Together $SK$ and $PK$ form a key pair. Public-key cryptography is the study of asymmetric cryptographic schemes.

Public-key schemes have received a great deal of attention because they are scalable. This is illustrated by the key management problem. Suppose in a network of $n$ users each pair of users wishes to be able to communicate in secret. If a symmetric encryption scheme is used naively then each pair must establish a shared key, which requires $n(n-1)/2$ different keys. A less cumbersome approach in a large network would be to set up a trusted centre which shares a key with each user and translates all confidential communications.
However, while this reduces the number of keys involved to $n$, it has the disadvantages of placing great trust in the centre and creating a bottleneck, with every message passing through the centre. A more elegant solution is for each user to employ an asymmetric encryption scheme. User Alice publishes $PK_{Alice}$, which controls her encryption transformation, while $SK_{Alice}$ is kept secret and used to decrypt. This approach requires only $n$ key pairs.

The attraction of public-key cryptography is now clear. Public-key schemes are versatile: their operation is typically independent of the specific environment in which data is being stored or communicated. As information becomes increasingly mobile, moving rapidly from application to application and system to system, this feature becomes more and more desirable. Public-key schemes are scalable: their operation is well-suited to environments with lots of users. The advent of large-scale open networks like the Internet necessitates this property.

What kind of public-key schemes have been proposed? One example is asymmetric digital signature schemes.

Example: Digital signature schemes are capable of providing data origin authentication, data integrity, and non-repudiation, and constitute the digital analogue of the process of creating and checking handwritten signatures. The technical specification of such a scheme involves the description of three operations: a key pair generation procedure, a signing transformation, and a verifying transformation. To use the scheme, Bob first employs the key generation procedure to select a key pair $(SK_{Bob}, PK_{Bob})$. He uses $SK_{Bob}$ to control the signing transformation, and publishes $PK_{Bob}$ so that anyone may use it to control the verifying transformation and check his signatures. To sign a message $M$, Bob simply applies the signing transformation under the key $SK_{Bob}$. The signing transformation outputs a signature $\Sigma$ on $M$. This will be denoted by:

$$\Sigma \leftarrow \mathrm{Sign}_{SK_{Bob}}(M).$$
The signed message consists of the pair $(M, \Sigma)$. When Alice receives a signed message $(M, \Sigma')$ supposedly from Bob, she can check the signature by retrieving the published copy of $PK_{Bob}$ and transforming the pair using the verifying transformation under the key $PK_{Bob}$:

$$\mathrm{Verify}_{PK_{Bob}}(M, \Sigma') \in \{\mathrm{Accept}, \mathrm{Reject}\}.$$

Alice concludes that $(M, \Sigma')$ is indeed a signed message from Bob if and only if the verifying transformation outputs Accept.

For the signature scheme to be well-defined, we require that the verifying transformation does indeed accept any signed message $(M, \Sigma)$ generated by Bob. Just as for handwritten signatures, the most obvious security requirement for a digital signature scheme is that forgery is hard. However forgery in the digital case differs from forgery in the handwritten case. Since digital data is represented by binary strings and is easily duplicated, it is not sufficient for Bob to simply append a fixed string $\Sigma$ to each message; in this case an adversary could forge Bob's signature simply by copying $\Sigma$ and appending it to any message. Instead signatures should be message dependent and only Bob should be able to produce valid $(M, \Sigma)$ pairs. This imposes a requirement that it must be infeasible to derive $SK_{Bob}$ from $PK_{Bob}$, and so as defined signature schemes must be asymmetric. We will return to the question of the security of digital signature schemes in Section 3.

To demonstrate why secure signature schemes are capable of providing the services of data origin authentication, data integrity, and non-repudiation, observe the following. If Alice is convinced $PK_{Bob}$ is Bob's public key, she is assured that $M$ did indeed originate from Bob and has not been altered, since it is hard to forge signed messages. Data origin authentication and data integrity are therefore provided. If Bob later denies signing $M$, Alice can present $(M, \Sigma)$ to a judge.
The judge verifies $(M, \Sigma)$ using $PK_{Bob}$, and concludes that Bob must have signed $M$ himself because signed messages are hard to forge. Thus non-repudiation is also provided, at least in theory: the argument rests on $SK_{Bob}$ having remained known only to Bob. □

Digital signatures are one example of a generic public-key scheme which may be used in an application to provide security services. The task of public-key cryptography is to design, analyze, and implement public-key schemes. Over the years, various crucial components of this process have been recognized. Broadly speaking, the components can be split into four phases, which, for illustrative purposes, we classify according to the academic discipline with which each is most easily identified. The components are:

mathematics: the design and analysis of appropriate mathematical functions from which public-key schemes can be built.
computer science: the identification of generic schemes like signature schemes and their construction from appropriate mathematical functions.
engineering: the implementation of schemes in a secure and efficient manner within a system.
management: the analysis of an application's security requirements and the selection and management of a system to meet these requirements.

The above classification is loose: there are clearly overlaps between the roles assigned to each discipline. It does however demonstrate the danger of viewing public-key cryptography as a field contained within any one academic discipline, since each of the above components clearly performs an essential role in the provision of 'real-world' solutions using public-key cryptography. In the following sections, we will examine more closely each component of this classification in turn.

2. Mathematics

The role of mathematics is to design and analyze mathematical functions appropriate for use in public-key cryptographic schemes. Over the years, some generic types of appropriate functions have been proposed.
The best-known are one-way functions and trapdoor one-way functions, which were identified by Diffie and Hellman [11]. To illustrate the task of mathematics, we will examine these generic types of functions and discuss the progress that has been made towards the definition and analysis of concrete realizations of them.

Firstly, what about one-way functions? What is really needed is the idea of a one-way function family. A function family $\mathcal{F} = \{\mathcal{F}_k\}_{k \in \mathbb{N}}$ is a set of functions partitioned into sets $\mathcal{F}_k$. In our case think of $k$ as a security parameter.

Definition 1. [Informal] A function family $\mathcal{F} = \{\mathcal{F}_k\}_{k \in \mathbb{N}}$ is a one-way function family if for $k \in \mathbb{N}$:

1. $\forall f \in \mathcal{F}_k$, $f: X \to Y$, and $\forall x \in X$, $f(x)$ is 'easy' to compute.
2. for $f \in_R \mathcal{F}_k$, $f: X \to Y$, and for $y \in_R Y$, it is 'hard' to find an $x$ such that $f(x) = y$.

Here for example $y \in_R Y$ means $y$ is selected uniformly at random from $Y$. (This assumes that $f$ is surjective. More generally, select $y \in_R f(X)$.) We often loosely say that $f \in \mathcal{F}$ is a one-way function.

It is now necessary to describe the meaning of 'easy' and 'hard'. The definition of a one-way function family is computational in nature: that is, there exists a solution to the problems posed in each of the conditions and the difficulty is in finding these solutions. The natural definitions of 'easy' and 'hard' are therefore borrowed from the theory of computation. 'Easy' is usually taken to mean that there exists an algorithm which finds the solution in time polynomial in $k$, and similarly 'hard' is taken to mean that no polynomial-time algorithm exists. Probabilistic algorithms are allowed. Of course, we will also require that the 'easy' algorithm really is efficient and that the 'hard' problem really is computationally intractable for the sizes of $k$ that are going to be used in practice.

Some explanation of the second condition is required. Perhaps it aids intuition to think of the following 'game' involving an algorithm or 'player' $A$. Take a function family $\mathcal{F}$.
First initialize the game by picking $k \in \mathbb{N}$ and choosing $f \in_R \mathcal{F}_k$ and $y \in_R Y$. Then start the game by giving $A$ a description of $f$ and the value $y$. $A$ wins if it correctly guesses a preimage $x$ of $y$. We are interested in the probability that $A$ wins the game. This probability is assessed over the random choice of $f$ and $y$ and, since we are allowing probabilistic algorithms, the random decisions of $A$. The function family $\mathcal{F}$ is one-way if the probability that any efficient algorithm wins the game is negligible.
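The following is an added example, not code from the article or from Certicom: it ties the signature scheme of Section 1 (key pair generation, Sign, Verify with output Accept or Reject, message dependence of $\Sigma$) to the one-way function of Section 2 by realizing both in Lamport's one-time signature scheme, which the article itself does not mention. The assumption is that SHA-256 plays the role of the one-way function $f$ (with the security parameter $k$ fixed at 256 bits): the private key is a list of random preimages, the public key is their images under $f$, and recovering $SK$ from $PK$ is exactly the inversion game of Definition 1. The sample messages are constructed for the demonstration.

```python
"""Lamport one-time signatures built from a one-way function (SHA-256).

Added example, not from the article.  SHA-256 stands in for the one-way
function f of Definition 1; the scheme's three operations mirror the
key generation, signing and verifying transformations of Section 1.
"""
import hashlib
import secrets

N_BITS = 256          # digest length: one secret pair per message-digest bit
SECRET_LEN = 32       # bytes per secret preimage


def f(x: bytes) -> bytes:
    """The one-way function: easy to compute, presumed hard to invert."""
    return hashlib.sha256(x).digest()


def message_bits(m: bytes) -> list[int]:
    """Hash the message and return its 256 bits; the digest is what gets signed."""
    d = int.from_bytes(hashlib.sha256(m).digest(), "big")
    return [(d >> (N_BITS - 1 - i)) & 1 for i in range(N_BITS)]


def keygen() -> tuple[list, list]:
    """Key pair generation: SK = random preimages, PK = their images under f.

    Deriving SK from PK means inverting f on 512 random outputs, i.e.
    winning the game of Definition 1 512 times over.
    """
    sk = [(secrets.token_bytes(SECRET_LEN), secrets.token_bytes(SECRET_LEN))
          for _ in range(N_BITS)]
    pk = [(f(s0), f(s1)) for s0, s1 in sk]
    return sk, pk


def sign(sk, m: bytes) -> list[bytes]:
    """Signing transformation: for each digest bit b_i, reveal the secret sk[i][b_i]."""
    return [sk[i][b] for i, b in enumerate(message_bits(m))]


def verify(pk, m: bytes, sigma) -> str:
    """Verifying transformation: returns 'Accept' or 'Reject', as in the article."""
    if len(sigma) != N_BITS:
        return "Reject"
    for i, b in enumerate(message_bits(m)):
        if f(sigma[i]) != pk[i][b]:
            return "Reject"
    return "Accept"


def demo() -> dict:
    """Well-definedness, message dependence, forgery, and the one-time caveat."""
    sk, pk = keygen()
    m1 = b"Pay Alice 100"            # constructed sample messages
    m2 = b"Pay Alice 1000"
    sigma = sign(sk, m1)
    return {
        # 1. Verify accepts whatever Sign produced: the scheme is well-defined.
        "genuine": verify(pk, m1, sigma),
        # 2. Copying Bob's sigma onto another message is rejected: unlike a
        #    fixed appended string, the signature is message dependent.
        "replayed": verify(pk, m2, sigma),
        # 3. Without SK, an adversary must supply 256 preimages of f;
        #    random values fail at the first position checked.
        "forged": verify(pk, m2, [secrets.token_bytes(SECRET_LEN)
                                  for _ in range(N_BITS)]),
        # 4. Caveat: signing two messages with one key reveals both preimages
        #    at every position where the digests differ.  This counts those
        #    positions; the key must be used once only.
        "leaked_positions": sum(a != b for a, b in
                                zip(message_bits(m1), message_bits(m2))),
    }


if __name__ == "__main__":
    print(demo())
```

Running the module prints Accept for the genuine pair and Reject for both the replayed and the randomly forged signature. The fourth entry is the reason this scheme is one-time: each signature discloses half of $SK$, so a second signature under the same key hands an adversary the material to sign further messages whose digests agree with one of the two at every position.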