research-article

Open access

Elligator: elliptic-curve points indistinguishable from uniform random strings

Authors:

Daniel J. Bernstein,

Anna Krasnova, and

Tanja LangeAuthors Info & Claims

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

November 2013

Pages 967 - 980

https://doi.org/10.1145/2508859.2516734

Published: 04 November 2013 Publication History

Abstract

Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits.

This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings. At a lower level, this paper introduces a new bijection between strings and about half of all curve points; this bijection is applicable to every odd-characteristic elliptic curve with a point of order 2, except for curves of $j$-invariant 1728. This paper also presents guidelines to construct, and two examples of, secure curves suitable for these encodings.

References

[1]

Appelbaum, J., and Dingledine, R. How governments have tried to block Tor, 2011. http://ftp.ccc.de/congress/28C3/mp4-h264-HQ/28c3--4800-en-how_governments_have_tried_to_block_tor_h264.mp4.

[2]

Apple. iOS security, 2012. http://images.apple.com/iphone/business/docs/iOS_Security_Oct12.pdf.

[3]

Bellare, M., Desai, A., Jokipii, E., and Rogaway, P. A concrete security treatment of symmetric encryption. In FOCS (1997), IEEE Computer Society, pp. 394--403.

Digital Library

[4]

Bernstein, D. J. Current consensus on ECC, 2001. https://groups.google.com/forum/message/raw?msg=sci.crypt/mu_paShEU3w/m491pYxHbtAJ.

[5]

Bernstein, D. J. A software implementation of NIST P-224, 2001. http://cr.yp.to/talks.html#2001.10.29.

[6]

Bernstein, D. J. Curve25519: New Diffie-Hellman speed records. In Public Key Cryptography (2006), M. Yung, Y. Dodis, A. Kiayias, and T. Malkin, Eds., vol. 3958 of LNCS, Springer, pp. 207--228.

Digital Library

[7]

Bernstein, D. J., Birkner, P., Joye, M., Lange, T., and Peters, C. Twisted Edwards curves. In AFRICACRYPT (2008), S. Vaudenay, Ed., vol. 5023 of LNCS, Springer, pp. 389--405.

Digital Library

[8]

Bernstein, D. J., Duif, N., Lange, T., Schwabe, P., and Yang, B.-Y. High-speed high-security signatures. J. Cryptographic Engineering 2, 2 (2012), 77--89.

[9]

Bernstein, D. J., and Lange, T. Faster addition and doubling on elliptic curves. In ASIACRYPT (2007), K. Kurosawa, Ed., vol. 4833 of LNCS, Springer, pp. 29--50.

Digital Library

[10]

Bernstein, D. J., and Schwabe, P. NEON crypto. In CHES (2012), E. Prouff and P. Schaumont, Eds., vol. 7428 of LNCS, Springer, pp. 320--339.

Digital Library

[11]

Biehl, I., Meyer, B., and Müller, V. Differential fault attacks on elliptic curve cryptosystems. In CRYPTO (2000), M. Bellare, Ed., vol. 1880 of LNCS, Springer, pp. 131--146.

Digital Library

[12]

Boneh, D., and Franklin, M. K. Identity-based encryption from the Weil pairing. In CRYPTO (2001), J. Kilian, Ed., vol. 2139 of LNCS, Springer, pp. 213--229.

Digital Library

[13]

Boyd, C., Montague, P., and Nguyen, K. Q. Elliptic curve based password authenticated key exchange protocols. In ACISP (2001), V. Varadharajan and Y. Mu, Eds., vol. 2119 of LNCS, Springer, pp. 487--501.

Digital Library

[14]

Brainpool. ECC Brainpool standard curves and curve generation, v. 1.0, 2005. http://www.ecc-brainpool.org/download/Domain-parameters.pdf.

[15]

Brier, E., Coron, J.-S., Icart, T., Madore, D., Randriam, H., and Tibouchi, M. Efficient indifferentiable hashing into ordinary elliptic curves. In CRYPTO (2010), T. Rabin, Ed., vol. 6223 of LNCS, Springer, pp. 237--254.

Digital Library

[16]

Brier, E., and Joye, M. Weierstraß elliptic curves and side-channel attacks. In Public Key Cryptography (2002), D. Naccache and P. Paillier, Eds., vol. 2274 of LNCS, Springer, pp. 335--345.

Digital Library

[17]

Costigan, N., and Schwabe, P. Fast elliptic-curve cryptography on the Cell Broadband Engine. In AFRICACRYPT (2009), B. Preneel, Ed., vol. 5580 of LNCS, Springer, pp. 368--385.

Digital Library

[18]

Diem, C. The GHS attack in odd characteristic. J. Ramanujan Mathematical Society 18 (2003), 1--32.

[19]

Dingledine, R., Mathewson, N., and Syverson, P. F. Tor: The second-generation onion router. In USENIX Security Symposium (2004), USENIX, pp. 303--320.

Digital Library

[20]

Farashahi, R. R. Hashing into Hessian curves. In AFRICACRYPT (2011), A. Nitaj and D. Pointcheval, Eds., vol. 6737 of LNCS, Springer, pp. 278--289.

Digital Library

[21]

Farashahi, R. R., Fouque, P.-A., Shparlinski, I., Tibouchi, M., and Voloch, J. F. Indifferentiable deterministic hashing to elliptic and hyperelliptic curves. Math. Comput. 82, 281 (2013).

[22]

Faugère, J.-C., Perret, L., Petit, C., and Renault, G. Improving the complexity of index calculus algorithms in elliptic curves over binary fields. In EUROCRYPT (2012), D. Pointcheval and T. Johansson, Eds., vol. 7237 of LNCS, Springer, pp. 27--44.

Digital Library

[23]

Fouque, P.-A., Joux, A., and Tibouchi, M. Injective encodings to elliptic curves. In ACISP (2013), C. Boyd and L. Simpson, Eds., vol. 7959 of LNCS, Springer, pp. 203--218.

[24]

Fouque, P.-A., Lercier, R., Réal, D., and Valette, F. Fault attack on elliptic curve Montgomery ladder implementation. In FDTC (2008), L. Breveglieri, S. Gueron, I. Koren, D. Naccache, and J.-P. Seifert, Eds., IEEE Computer Society, pp. 92--98.

Digital Library

[25]

Fouque, P.-A., and Tibouchi, M. Deterministic encoding and hashing to odd hyperelliptic curves. In Pairing (2010), M. Joye, A. Miyaji, and A. Otsuka, Eds., vol. 6487 of LNCS, Springer, pp. 265--277.

Digital Library

[26]

Fouque, P.-A., and Tibouchi, M. Estimating the size of the image of deterministic hash functions to elliptic curves. In LATINCRYPT (2010), M. Abdalla and P. S. L. M. Barreto, Eds., vol. 6212 of LNCS, Springer, pp. 81--91.

Digital Library

[27]

Fouque, P.-A., and Tibouchi, M. Indifferentiable hashing to Barreto-Naehrig curves. In LATINCRYPT (2012), A. Hevia and G. Neven, Eds., vol. 7533 of LNCS, Springer, pp. 1--17.

Digital Library

[28]

Frey, G. How to disguise an elliptic curve (Weil descent), 1998. http://www.cacr.math.uwaterloo.ca/conferences/1998/ecc98/slides.html.

[29]

Gaudry, P., and Thomé, E. The mpFq library and implementing curve-based key exchanges. In SPEED: software performance enhancement for encryption and decryption (2007), pp. 49--64.

[30]

Goldberg, I., Stebila, D., and Ustaoglu, B. Anonymity and one-way authentication in key exchange protocols. Des. Codes Cryptography 67, 2 (2013), 245--269.

Digital Library

[31]

Hisil, H., Wong, K. K.-H., Carter, G., and Dawson, E. Twisted Edwards curves revisited. In ASIACRYPT (2008), J. Pieprzyk, Ed., vol. 5350 of LNCS, Springer, pp. 326--343.

Digital Library

[32]

Icart, T. How to hash into elliptic curves. In CRYPTO (2009), S. Halevi, Ed., vol. 5677 of LNCS, Springer, pp. 303--316.

Digital Library

[33]

Institute of Electrical and Electronics Engineers. P1363 Draft Standard Specifications for Public Key Cryptography. IEEE, 1999.

[34]

Izu, T., and Takagi, T. Exceptional procedure attack on elliptic curve cryptosystems. In Public Key Cryptography (2003), Y. Desmedt, Ed., vol. 2567 of LNCS, Springer, pp. 224--239.

Digital Library

[35]

Kaliski Jr., B. S. A pseudo-random bit generator based on elliptic logarithms. In CRYPTO (1986), A. M. Odlyzko, Ed., vol. 263 of LNCS, Springer, pp. 84--103.

Digital Library

[36]

Kaliski Jr., B. S. Elliptic Curves and Cryptography: A Pseudorandom Bit Generator and Other Tools. PhD thesis, MIT, 1988. MIT/LCS/TR-411.

[37]

Law, L. E., and Solinas, J. A. Suite B cryptographic suites for IPsec, 2011. https://tools.ietf.org/html/rfc6379.

[38]

Lidl, R., and Niederreiter, H. Finite Fields. Encyclopedia of Mathematics and its Applications. Cambridge University Press, 1997.

Digital Library

[39]

López, J., and Dahab, R. Fast multiplication on elliptic curves over GF(2$^\mboxm$) without precomputation. In CHES (1999), Ç. K. Koç and C. Paar, Eds., vol. 1717 of LNCS, Springer, pp. 316--327.

Digital Library

[40]

Möller, B. A public-key encryption scheme with pseudo-random ciphertexts. In Computer Security--ESORICS 2004, P. Samarati, P. Ryan, D. Gollmann, and R. Molva, Eds., vol. 3193 of LNCS. Springer Berlin Heidelberg, 2004, pp. 335--351.

[41]

Montgomery, P. L. Speeding the Pollard and elliptic curve methods of factorization. Math. Comp. 48, 177 (1987), 243--264.

[42]

Oliveira, T., López, J., Aranha, D. F., and Rodríguez-Henríquez, F. Lambda coordinates for binary elliptic curves. In CHES (2013), G. Bertoni and J.-S. Coron, Eds., vol. 8086 of LNCS, Springer, pp. 311--330.

Digital Library

[43]

Petit, C., and Quisquater, J.-J. On polynomial systems arising from a Weil descent. In ASIACRYPT (2012), X. Wang and K. Sako, Eds., vol. 7658 of LNCS, Springer, pp. 451--466.

Digital Library

[44]

Rogaway, P., and Shrimpton, T. A provable-security treatment of the key-wrap problem. In EUROCRYPT (2006), S. Vaudenay, Ed., vol. 4004 of LNCS, Springer, pp. 373--390.

Digital Library

[45]

Shallue, A., and van de Woestijne, C. Construction of rational points on elliptic curves over finite fields. In ANTS (2006), F. Hess, S. Pauli, and M. E. Pohst, Eds., vol. 4076 of LNCS, Springer, pp. 510--524.

Digital Library

[46]

Stein, W., et al. Sage Mathematics Software (Version 2.9). The Sage Development Team, 2013. http://www.sagemath.org.

[47]

Weinberg, Z., Wang, J., Yegneswaran, V., Briesemeister, L., Cheung, S., Wang, F., and Boneh, D. StegoTorus: a camouflage proxy for the Tor anonymity system. In ACM Conference on Computer and Communications Security (2012), T. Yu, G. Danezis, and V. D. Gligor, Eds., ACM, pp. 109--120.

Digital Library

[48]

Wustrow, E., Wolchok, S., Goldberg, I., and Halderman, J. A. Telex: Anticensorship in the network infrastructure. In USENIX Security Symposium (2011), USENIX Association.

Digital Library

[49]

Young, A. L., and Yung, M. Kleptography from standard assumptions and applications. In SCN (2010), J. A. Garay and R. D. Prisco, Eds., vol. 6280 of LNCS, Springer, pp. 271--290.

Digital Library

Cited By

Zhang XChen KDing JYang YZhang WYu N(2024)Provably Secure Public-Key Steganography Based on Elliptic Curve CryptographyIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.336121919(3148-3163)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3361219
Lin KLin JCai SWang WZhao C(2024)Compressed M-SIDH: an instance of compressed SIDH-like schemes with isogenies of highly composite degreesDesigns, Codes and Cryptography10.1007/s10623-024-01368-z92:6(1823-1843)Online publication date: 5-Mar-2024
https://doi.org/10.1007/s10623-024-01368-z
Zhou JLiu ZWang LZhao CLiu ZZhou L(2023)Practical and Malicious Multiparty Private Set Intersection for Small SetsElectronics10.3390/electronics1223485112:23(4851)Online publication date: 30-Nov-2023
https://doi.org/10.3390/electronics12234851
Show More Cited By

Index Terms

Elligator: elliptic-curve points indistinguishable from uniform random strings
1. Security and privacy
  1. Cryptography
    1. Public key (asymmetric) techniques
      1. Public key encryption

Recommendations

Computing projective equivalences of planar curves birationally equivalent to elliptic and hyperelliptic curves▪
Abstract
We present algorithms to find the projective equivalences between two planar curves, birationally equivalent to either elliptic or hyperelliptic curves. The main idea, in both cases, is to find first a corresponding birational mapping ...
Graphical abstract
Highlights
- Projective equivalences between planar curves birationally equivalent to elliptic or hyperelliptic curves
Read More
Four-Dimensional GLV via the Weil Restriction
Part I of the Proceedings of the 19th International Conference on Advances in Cryptology - ASIACRYPT 2013 - Volume 8269

The Gallant-Lambert-Vanstone GLV algorithm uses efficiently computable endomorphisms to accelerate the computation of scalar multiplication of points on an abelian variety. Freeman and Satoh proposed for cryptographic use two families of genus 2 curves ...
Read More
A note on the Ate pairing

The Ate pairing has been suggested since it can be computed efficiently on ordinary elliptic curves with small values of the traces of Frobenius t. However, not all pairing-friendly elliptic curves have this property. In this paper, we generalize the ...
Read More

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '13: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security

November 2013

1530 pages

ISBN:9781450324779

DOI:10.1145/2508859

General Chair:
Ahmad-Reza Sadeghi
TU Darmstadt, CASED, Intel ICRI-SC, Germany
,
Program Chairs:
Virgil Gligor
Carnegie Mellon University, USA
,
Moti Yung
Columbia University, USA

Copyright © 2013 Owner/Author.

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 04 November 2013

Check for updates

Author Tags

Qualifiers

Research-article

Conference

CCS'13

Sponsor:

SIGSAC

CCS'13: 2013 ACM SIGSAC Conference on Computer and Communications Security

November 4 - 8, 2013

Berlin, Germany

Acceptance Rates

CCS '13 Paper Acceptance Rate 105 of 530 submissions, 20%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '24

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 14 - 18, 2024

Salt Lake City , UT , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

103
Total Citations
View Citations
1,628
Total Downloads

Downloads (Last 12 months)352
Downloads (Last 6 weeks)65

Other Metrics

View Author Metrics

Citations

Cited By

Zhang XChen KDing JYang YZhang WYu N(2024)Provably Secure Public-Key Steganography Based on Elliptic Curve CryptographyIEEE Transactions on Information Forensics and Security10.1109/TIFS.2024.336121919(3148-3163)Online publication date: 2024
https://doi.org/10.1109/TIFS.2024.3361219
Lin KLin JCai SWang WZhao C(2024)Compressed M-SIDH: an instance of compressed SIDH-like schemes with isogenies of highly composite degreesDesigns, Codes and Cryptography10.1007/s10623-024-01368-z92:6(1823-1843)Online publication date: 5-Mar-2024
https://doi.org/10.1007/s10623-024-01368-z
Zhou JLiu ZWang LZhao CLiu ZZhou L(2023)Practical and Malicious Multiparty Private Set Intersection for Small SetsElectronics10.3390/electronics1223485112:23(4851)Online publication date: 30-Nov-2023
https://doi.org/10.3390/electronics12234851
Guo RZhu JCai MHe WYang Q(2023)Toward Privacy-Preserving Directly Contactable Symptom-Matching Scheme for IoT DevicesElectronics10.3390/electronics1207164112:7(1641)Online publication date: 30-Mar-2023
https://doi.org/10.3390/electronics12071641
Craver SRosbrook NMoreira DBharati APasquini CYousfi Y(2023)Applying a Zero-Knowledge Watermarking Protocol to Secure ElectionsProceedings of the 2023 ACM Workshop on Information Hiding and Multimedia Security10.1145/3577163.3595099(115-120)Online publication date: 28-Jun-2023
https://dl.acm.org/doi/10.1145/3577163.3595099
Fischlin MMeng WJensen CCremers CKirda E(2023)Stealth Key Exchange and Confined Access to the Record Protocol Data in TLS 1.3Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security10.1145/3576915.3623099(2901-2914)Online publication date: 15-Nov-2023
https://dl.acm.org/doi/10.1145/3576915.3623099
Maino LMula MPintore F(2023)A review of mathematical and computational aspects of CSIDH algorithmsJournal of Algebra and Its Applications10.1142/S021949882530002823:07Online publication date: 3-Nov-2023
https://doi.org/10.1142/S0219498825300028
Heo DKim SHong S(2023)Practical Usage of Radical Isogenies for CSIDHIEEE Access10.1109/ACCESS.2023.327254911(44391-44401)Online publication date: 2023
https://doi.org/10.1109/ACCESS.2023.3272549
Moriya TOnuki HTakagi T(2023)How to construct CSIDH on Edwards curvesFinite Fields and Their Applications10.1016/j.ffa.2023.10231092:COnline publication date: 1-Dec-2023
https://dl.acm.org/doi/10.1016/j.ffa.2023.102310
Wei LLiu JZhang LWang QZhang WQian X(2023)Efficient multi-party private set intersection protocols for large participants and small setsComputer Standards & Interfaces10.1016/j.csi.2023.10376487:COnline publication date: 17-Oct-2023
https://dl.acm.org/doi/10.1016/j.csi.2023.103764
Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Media

Figures

Other

Tables

View Table of Contents