Elligator: elliptic-curve points indistinguishable from uniform random strings

Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits. This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings. At a lower level, this paper introduces a new bijection between strings and about half of all curve points; this bijection is applicable to every odd-characteristic elliptic curve with a point of order 2, except for curves of $j$-invariant 1728. This paper also presents guidelines to construct, and two examples of, secure curves suitable for these encodings.
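The abstract's two claims, checked exhaustively on a toy curve (an added example, not code from the paper): only about half of all field elements are valid x-coordinates, so raw points stand out from uniform strings, while a string-to-point map of the form published as Elligator 2 reaches about half of the curve without collisions. The prime 1019, the coefficients A = 6 and B = 1, the non-square u = -1, and all function names are constructed for illustration; the map formulas are not stated in the abstract.

```python
# Toy parameters (constructed for illustration, not one of the paper's curves).
P, A, B = 1019, 6, 1     # curve y^2 = x^3 + A*x^2 + B*x over F_P, with P % 4 == 3
U = P - 1                # u = -1 is a non-square because P % 4 == 3
assert (A * B * (A * A - 4 * B)) % P != 0   # rules out A == 0 (j-invariant 1728)

def chi(a):
    """Quadratic character: 1 for non-zero squares, -1 for non-squares, 0 for 0."""
    s = pow(a % P, (P - 1) // 2, P)
    return -1 if s == P - 1 else s

def f(x):
    return (x * x * x + A * x * x + B * x) % P

def field_sqrt(a):
    """One fixed square root of a square a; valid because P % 4 == 3."""
    return pow(a, (P + 1) // 4, P)

def valid_x_fraction():
    """Share of all field elements that are the x-coordinate of a curve point."""
    return sum(chi(f(x)) != -1 for x in range(P)) / P

def string_to_point(r):
    """Map a field element r to a curve point; None for the few excluded r."""
    d = (1 + U * r * r) % P
    if d == 0 or (A * A * U * r * r - B * d * d) % P == 0:
        return None
    v = -A * pow(d, -1, P) % P
    eps = chi(f(v))                       # never 0 thanks to the check above
    x = v if eps == 1 else (-v - A) % P
    y = (-eps * field_sqrt(f(x))) % P     # sign of y records which branch was taken
    return x, y

def survey():
    """Map every r in 1..(P-1)/2 and count the affine points of the whole curve."""
    image = [string_to_point(r) for r in range(1, (P - 1) // 2 + 1)]
    image = [pt for pt in image if pt is not None]
    curve_points = sum(1 + chi(f(x)) for x in range(P))
    return image, curve_points

if __name__ == "__main__":
    image, n = survey()
    print("random strings that are valid x-coordinates:", round(valid_x_fraction(), 3))
    print("distinct encodable points:", len(set(image)), "of", n, "curve points")
```

Because a uniform string passes the curve-membership test only about half the time, an observer who sees k unencoded points in a row is looking at an event of probability roughly 2^-k under the random-string hypothesis; sending r instead of the point removes that signal for the points that have a preimage.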
