DOI: 10.1145/2508859.2516734 (research article, open access)

Elligator: elliptic-curve points indistinguishable from uniform random strings

Published: 04 November 2013

    Abstract

    Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits.
    This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings. At a lower level, this paper introduces a new bijection between strings and about half of all curve points; this bijection is applicable to every odd-characteristic elliptic curve with a point of order 2, except for curves of $j$-invariant 1728. This paper also presents guidelines to construct, and two examples of, secure curves suitable for these encodings.
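The bijection the abstract describes, worked through on a constructed toy Montgomery curve, as an added example that is not code from the paper or its authors. The formulas are the paper's Elligator 2 map (for y^2 = x^3 + Ax^2 + Bx over F_q with a fixed non-square u and a fixed "principal" half S of the field for square roots); the prime P = 1019, the coefficients A = 3, B = 1, the choice S = {0, ..., (P-1)/2}, the handling of the few excluded inputs (returned as None) and all function names are assumptions for illustration only, small enough that the map can be checked exhaustively. The block also measures the property a censor can test on a raw curve point, namely how often a uniform field element is an x-coordinate of the curve, and then confirms that almost every element of S is a valid representative and that decode/encode form a bijection with about half the curve points.

```python
# Added example (not the paper's code): the Elligator 2 map on a constructed toy
# Montgomery curve y^2 = x^3 + A x^2 + B x over F_P.  Toy parameters, not a secure curve.

P = 1019             # constructed prime, P = 3 (mod 4) so a square root is one exponentiation
A, B = 3, 1          # constructed; needs A*B*(A^2 - 4B) != 0, and -A*B a non-square (see below)
HALF = (P - 1) // 2  # S = {0, ..., HALF}: the fixed half of F_P used for square roots and representatives


def chi(a):
    """Quadratic character mod P: 1 for a nonzero square, -1 for a non-square, 0 for 0."""
    a %= P
    if a == 0:
        return 0
    return 1 if pow(a, HALF, P) == 1 else -1


def inv(a):
    return pow(a % P, P - 2, P)


def sqrt_principal(a):
    """The square root of a square a that lies in S (the fixed choice of root the map relies on)."""
    a %= P
    assert chi(a) != -1, "no square root"
    root = pow(a, (P + 1) // 4, P)      # a valid square root because P = 3 (mod 4)
    return root if root <= HALF else P - root


U = next(u for u in range(2, P) if chi(u) == -1)   # the fixed non-square u of the map
assert A * B * (A * A - 4 * B) % P != 0
assert chi(-A * B) == -1                 # assumption: lets representative 0 correspond to the point (0, 0)


def g(x):
    """Right-hand side of the curve equation."""
    return (x ** 3 + A * x * x + B * x) % P


def on_curve(x, y):
    return (y * y - g(x)) % P == 0


def decode(r):
    """Representative r in S -> curve point, or None for the few r the map must exclude."""
    d = (1 + U * r * r) % P
    if d == 0:
        return None
    v = (-A * inv(d)) % P
    eps = chi(g(v))                      # exactly one of g(v), g(-v-A) is a square (ratio is u r^2)
    if eps == 0:                         # v^2 + A v + B = 0: the formula would land off the curve
        return None
    x = (eps * v - (1 - eps) * A * inv(2)) % P
    y = (-eps * sqrt_principal(g(x))) % P
    return (x, y)


def in_image(x, y):
    """Points that have a representative: x != -A and -u x (x + A) is a square (0 allowed)."""
    if (x + A) % P == 0:
        return False
    if y == 0 and x != 0:                # the other 2-torsion points (not produced by decode here)
        return False
    return chi(-U * x * (x + A)) != -1


def encode(x, y):
    """Curve point -> representative in S (the inverse map), or None if the point has none."""
    x %= P
    y %= P
    if not in_image(x, y):
        return None
    if y <= HALF:                        # y is the principal root: decode used eps = -1
        return sqrt_principal(-x * inv(U * (x + A)))
    return sqrt_principal(-(x + A) * inv(U * x))


def all_points():
    """Every affine point of the toy curve, built from each x with a square right-hand side."""
    pts = []
    for x in range(P):
        c = chi(g(x))
        if c == 0:
            pts.append((x, 0))
        elif c == 1:
            y = sqrt_principal(g(x))
            pts.extend([(x, y), (x, P - y)])
    return pts


def fraction_of_valid_x():
    """How often a uniform field element is an x-coordinate of the curve: what a censor can test."""
    return sum(1 for x in range(P) if chi(g(x)) != -1) / P


def check_bijection():
    """Exhaustive check: decode is a bijection between the valid r in S and the in_image points."""
    reps = [r for r in range(HALF + 1) if decode(r) is not None]
    assert all(on_curve(*decode(r)) for r in reps)
    assert all(encode(*decode(r)) == r for r in reps)          # decode then encode round-trips
    pts = all_points()
    image = [pt for pt in pts if in_image(*pt)]
    assert all(decode(encode(*pt)) == pt for pt in image)       # encode then decode round-trips
    assert len(reps) == len(image)
    return len(reps), len(image), len(pts)


if __name__ == "__main__":
    print("fraction of field elements that are x-coordinates:", fraction_of_valid_x())
    print("(valid representatives, image points, affine points):", check_bijection())
```

Running the block shows the two halves of the abstract's claim on the toy curve: roughly half of all field elements are x-coordinates (so a string of raw points is quickly distinguishable from random), while all but at most three elements of S are valid representatives, and those representatives are in bijection with roughly half of the curve points. A real deployment would pick r uniformly from S and transmit it as a fixed-length string; the receiver applies decode.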


    Cited By

    • (2024) Provably Secure Public-Key Steganography Based on Elliptic Curve Cryptography. IEEE Transactions on Information Forensics and Security 19, 3148-3163. DOI: 10.1109/TIFS.2024.3361219.
    • (2024) Compressed M-SIDH: an instance of compressed SIDH-like schemes with isogenies of highly composite degrees. Designs, Codes and Cryptography 92(6), 1823-1843. DOI: 10.1007/s10623-024-01368-z. Online: 5 March 2024.
    • (2023) Practical and Malicious Multiparty Private Set Intersection for Small Sets. Electronics 12(23), 4851. DOI: 10.3390/electronics12234851. Online: 30 November 2023.
    • (2023) Toward Privacy-Preserving Directly Contactable Symptom-Matching Scheme for IoT Devices. Electronics 12(7), 1641. DOI: 10.3390/electronics12071641. Online: 30 March 2023.
    • (2023) Applying a Zero-Knowledge Watermarking Protocol to Secure Elections. Proceedings of the 2023 ACM Workshop on Information Hiding and Multimedia Security, 115-120. DOI: 10.1145/3577163.3595099. Online: 28 June 2023.
    • (2023) Stealth Key Exchange and Confined Access to the Record Protocol Data in TLS 1.3. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2901-2914. DOI: 10.1145/3576915.3623099. Online: 15 November 2023.
    • (2023) A review of mathematical and computational aspects of CSIDH algorithms. Journal of Algebra and Its Applications 23(07). DOI: 10.1142/S0219498825300028. Online: 3 November 2023.
    • (2023) Practical Usage of Radical Isogenies for CSIDH. IEEE Access 11, 44391-44401. DOI: 10.1109/ACCESS.2023.3272549.
    • (2023) How to construct CSIDH on Edwards curves. Finite Fields and Their Applications 92(C). DOI: 10.1016/j.ffa.2023.102310. Online: 1 December 2023.
    • (2023) Efficient multi-party private set intersection protocols for large participants and small sets. Computer Standards & Interfaces 87(C). DOI: 10.1016/j.csi.2023.103764. Online: 17 October 2023.

      Published In

      CCS '13: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, November 2013, 1530 pages. ISBN: 9781450324779. DOI: 10.1145/2508859.
      Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

      Publisher

      Association for Computing Machinery, New York, NY, United States

      Author Tags

      1. censorship circumvention
      2. elliptic curves
      3. injective maps


      Acceptance Rates

      CCS '13 paper acceptance rate: 105 of 530 submissions (20%). Overall acceptance rate: 1,261 of 6,999 submissions (18%).
