calculations over an elliptic curve, how do we do it? why do we need it for wsn?
DESCRIPTION
Calculations over an Elliptic curve, HOW DO WE DO IT? Why do we need it for WSN?. Ortal Arazi Electrical & Computer Engineering Department The University of Tennessee Knoxville, TN 37996-2100. Outline. What is an Elliptic Curve? Point by Scalar multiplication Experimental results - PowerPoint PPT PresentationTRANSCRIPT
11
Calculations over an Elliptic curve,Calculations over an Elliptic curve,HOW DO WE DO IT?HOW DO WE DO IT?
Why do we need it for WSN?Why do we need it for WSN?
Ortal AraziOrtal Arazi
Electrical & Computer Engineering DepartmentElectrical & Computer Engineering DepartmentThe University of TennesseeThe University of Tennessee
Knoxville, TN 37996-2100Knoxville, TN 37996-2100
22Ortal Arazi – Research overview (second presentation)
OutlineOutline
What is an Elliptic Curve?What is an Elliptic Curve?
Point by Scalar multiplicationPoint by Scalar multiplication Experimental resultsExperimental results
Scalar by Scalar multiplicationScalar by Scalar multiplication
33Ortal Arazi – Research overview (second presentation)
What is an Elliptic Curve?What is an Elliptic Curve?
In (2) an ordinary elliptic curve suitable for elliptic curve cryptography is defined by the set of points () that satisfy the equation :
)GF(2 b a; m b; ax xy xy : E 232
Example:
)1000()1100( 232 xxxyy
1000
1100
4
)2(,,, 4
b
a
m
GFbayx
(1001)
(0101)
(1110)
(0111)
(1111)
(1011)
(0100)
(0010)
(0001)
(1100)
(0110)
(0011)
(1101)
(1010)
(0000)
(1000)(0
000)
(001
1)
(011
0)
(110
0)
(000
1)
(001
0)
(010
0)
(100
0)
(111
1)
(011
1)
(111
0)
(010
1)
(101
0)
(110
1)
(100
1)
(101
1)
44Ortal Arazi – Research overview (second presentation)
Point by Scalar multiplication: Point by Scalar multiplication:
Q- point on the curve
K- scalar
k*Q=?Point by scalar multiplication
involvesPoint additions and multiplications of a
pint by 2
How do we multiply a point by 2?
How do we add two points?
These arithmetics involve calculations over the field GF(2m)
C=QFor i=2 to n C=2*C If k(i)=1 then C=C+Q
C= k*Q
Example: (k=1101, Q-point, n=4)13*Q=?K(2)=1, K(3)=0, K(4)=1,
C=Qi=2: C=2*Q C=2*Q+Q=3*Qi=3: C=2*3*Q=6*Qi=4: C=2*6*Q=12*Q C=12*Q+Q=13*Q
55Ortal Arazi – Research overview (second presentation)
Cryptocomplexity Analysis
The number of MIPS years it takes to compute an elliptic curve logarithm
MIPS: million of instructions per second. A MIPS computer performs about 240 elliptic curve additions per year
66Ortal Arazi – Research overview (second presentation)
Experimental results on the Experimental results on the TPR 2400CA TelosB motes:motes:
)GF(2 b a;
)GF(2 YX;160
163
(1)
)GF(2 b a;
)GF(2 YX;128
131
(2)The curves that we are using:
77Ortal Arazi – Research overview (second presentation)
Experimental results on the Experimental results on the TPR 2400CA TelosB motes:motes:
Time computed for establishing an online pairwise self-certified fixed and ephemeral key
88Ortal Arazi – Research overview (second presentation)
Fixed key Vs. Ephemeral keyFixed key Vs. Ephemeral key
Fixed keyFixed key::
The private key shared by a pair of nodes is constantThe private key shared by a pair of nodes is constant
Ephemeral keyEphemeral key::
The private key shared by the same pair of nodes The private key shared by the same pair of nodes changechange
Cluster ACluster A Cluster BCluster B
Offloading the calculations
99Ortal Arazi – Research overview (second presentation)
Scalar by Scalar MultiplicationScalar by Scalar Multiplication
All calculations over an Elliptic curve are modulo the order of the curve
For example: If the order of the curve is Ord G, then:
What is Ord G?A number in which multiplying G (a point ton the curve) by a scalar is periodic.i.e. when exceeding ordG you start from the beginning: 1×G = (ordG + 1)×G. s×P = (s mod ordG)×P.
OrdGbaba mod
What does all this have to do with WSN?
1010Ortal Arazi – Research overview (second presentation)
Self certified DH key generationSelf certified DH key generation
Node i Node j
In both Fixed and Ephemeral key generations,In both Fixed and Ephemeral key generations, each node needs to multiply 2 scalars mod ord each node needs to multiply 2 scalars mod ord G G
Fixed:Fixed: xxi i ** H(IDH(IDj j , , UUjj)) ** UUj j + + xxii RR
Ephemeral:Ephemeral: Pvi* Pvi* H(IDj , H(IDj , UjUj) * ) * Uj Uj ++ (xi+ Pvi) ((xi+ Pvi) (Evj Evj ++RR) - xi * ) - xi * RR
1111Ortal Arazi – Research overview (second presentation)
The Montgomery MultiplicationThe Montgomery Multiplication
xba 2
nba x mod2
xx 22
a
b
Montgomery(mod n)
X- number of bits in the scalar
Step (1)
Step (2)Montgomery
(mod n)nba mod
How do we achieve the multiplication ? nba mod
1212Ortal Arazi – Research overview (second presentation)
The Montgomery Multiplication (cont)The Montgomery Multiplication (cont)
s = 0for i = 0 to n-1
pqst i
00 )( rtu (r- a number obtained form the curve)
(u is the least significant coefficient of the value obtained from multiplying the least significant coefficient of t, by r.)
OrdGutv (the least significant coefficient of v is now 0)
162
vs
OrdGqps n mod2 16
(s is obtained by erasing the least significant coefficient of v)
if s = 164 (or 132) bits then s = s – OrdG
p
q 16161616 16 16
(128 or 160 bits)
(128 or 160 bits)
0 n-1
Ord G: 163 or 131 bits
1313Ortal Arazi – Research overview (second presentation)
The Montgomery Multiplication (cont)The Montgomery Multiplication (cont)
XXi, i, PviPvi
H(IDj , H(IDj , UjUj)) 16161616 16 16
0 n-1
Ord G: 163 or 131 bits
Type of key Type of key issued:issued:
On-line scalar On-line scalar multiplicationmultiplication
- What we need- What we need
After MontgomeryAfter Montgomery
- What we have- What we have
FixedFixed xi * H(IDj , xi * H(IDj , UjUj) Mod Ord G) Mod Ord G xi*H(IDj , xi*H(IDj , UjUj)*)*22-16n-16nMod Ord GMod Ord G
EphemeralEphemeral Pvi *Pvi * H(IDj , H(IDj , UjUj) Mod Ord G) Mod Ord G Pvi*H(IDj , Pvi*H(IDj , UjUj)*)*22-16n-16nMod Ord GMod Ord G
1414Ortal Arazi – Research overview (second presentation)
The Montgomery Multiplication (cont)The Montgomery Multiplication (cont)
How do we generateHow do we generate xi * H(IDj , xi * H(IDj , UjUj) Mod Ord G ) Mod Ord G instead of xi*H(IDj , instead of xi*H(IDj , UjUj)*)*22-16n-16nMod Ord G?Mod Ord G?
• use the Montgomery procedure again ?use the Montgomery procedure again ?Problem: using more resources (time, memory and energy)Problem: using more resources (time, memory and energy)
• Do not change it, change the calculations of the secrect key xDo not change it, change the calculations of the secrect key x ii!!
GxxG d] h )U,[H(ID x
]G d G h )U,[H(ID xR] U )U, [H(ID x
GxxG] d h )U, [H(ID x
G] d G h )U, [H(ID x R] U )U, [H(ID x
ijiiij
jiijiiij
jijjji
ijjijjji
1515Ortal Arazi – Research overview (second presentation)
The Montgomery Multiplication (cont)The Montgomery Multiplication (cont)
GxxG d] h )U,[H(ID x jijiij
d h )U,H(ID iii
ordGmod2h )U,H(ID -16niii
ordGmod2)U,H(IDx -16njji
Gx x R] U )U, [H(ID x jijjji
ordGmod2)U,H(IDx -16niij d h )U,H(ID jjj
ordGmod2h )U,H(ID -16njjj
Calculations of node i:
Calculations of node j:
1616Ortal Arazi – Research overview (second presentation)
Mathematical equations:Mathematical equations:
Gd)h2)U, H(ID(x
Gd xGh2)U, H(ID x R] U )U, [H(ID x
j16n-
jji
ij-16n
jjijjji
Calculations of node i:
jU R
jx
Gd)h2)U, H(ID(x
Gd xGh2)U, H(ID x R] U )U, [H(ID x
i16n-
iij
ji-16n
iijiiij
Calculations of node j:
iU R
ix
Gxx ji
Gxx ji
1717Ortal Arazi – Research overview (second presentation)
SummerySummery
Despite the elaborate calculations, Despite the elaborate calculations, point by scalar point by scalar multiplications is feasible on a WS motemultiplications is feasible on a WS moteCryptocomplexity Analysis shows that using ECC is highly desirable
Offloading Offloading will help in: will help in: gaining execution speed and gaining execution speed and better power distribution across the network better power distribution across the network The need for The need for scalar by scalar Multiplicationscalar by scalar Multiplication was introduced. was introduced.
The The Montgomery multiplicationMontgomery multiplication procedure was introduced procedure was introduced saving resources (energy, memory and time)saving resources (energy, memory and time)
Implementing the Implementing the Montgomery multiplication procedure Montgomery multiplication procedure only ONCEonly ONCE is feasible, hence saving more is feasible, hence saving more resources resources (energy, memory and time)(energy, memory and time)
1818Ortal Arazi – Research overview (second presentation)
Future directionsFuture directions
Finish the implementation of a self-certified DH key generationImplementation of a group key generationFault tolerance key exchange
Ensuring group key generation even if some of the nodes fail Probability of failure as a function of node density % of nodes without a group key (treated as malicious or
malfunctioned)
Reduction of the time it takes to calculate the shared keys by the pairs
a
b
cKKabab
KKbaba
KKacacKKcaca
1919Ortal Arazi – Research overview (second presentation)
Future directionsFuture directions
Self certified DH key exchange between cluster heads (within different clusters)
Using base stations to help with the calculations
Key exchange between nodes and the base station (taking into advantage the fact that the base station does not have computational problems)
Hijacking of nodes by malicious party (how do we establish a way to distinguish the attackers)
Mobile nodes
2020Ortal Arazi – Research overview (second presentation)
Questions?Questions?