Elligator : elliptic-curve points indistinguishable from uniform random strings

D.J. Bernstein; M. Hamburg; A. Krasnova; T. Lange

doi:10.1145/2508859.2516734

Elligator : elliptic-curve points indistinguishable from uniform random strings

D.J. Bernstein, M. Hamburg, A. Krasnova, T. Lange

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

57 Citations (Scopus)

Abstract

Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits. This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings. At a lower level, this paper introduces a new bijection between strings and about half of all curve points; this bijection is applicable to every odd-characteristic elliptic curve with a point of order 2, except for curves of $j$-invariant 1728. This paper also presents guidelines to construct, and two examples of, secure curves suitable for these encodings.

Original language	English
Title of host publication	2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13, Berlin, Germany, November 4-8, 2013)
Editors	A.-R. Sadeghi, V.D. Gligor, M. Yung
Place of Publication	New York
Publisher	Association for Computing Machinery, Inc
Pages	967-979
ISBN (Print)	978-1-4503-2477-9
DOIs	https://doi.org/10.1145/2508859.2516734
Publication status	Published - 2013
Event	conference; 20th ACM SIGSAC Conference on Computer and Communications Security; 2013-11-04; 2013-11-08 - Duration: 4 Nov 2013 → 8 Nov 2013

Conference

Conference	conference; 20th ACM SIGSAC Conference on Computer and Communications Security; 2013-11-04; 2013-11-08
Period	4/11/13 → 8/11/13
Other	20th ACM SIGSAC Conference on Computer and Communications Security

Access to Document

10.1145/2508859.2516734

Fingerprint Dive into the research topics of 'Elligator : elliptic-curve points indistinguishable from uniform random strings'. Together they form a unique fingerprint.

Cite this

Bernstein, D. J., Hamburg, M., Krasnova, A., & Lange, T. (2013). Elligator : elliptic-curve points indistinguishable from uniform random strings. In A-R. Sadeghi, V. D. Gligor, & M. Yung (Eds.), 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13, Berlin, Germany, November 4-8, 2013) (pp. 967-979). Association for Computing Machinery, Inc. https://doi.org/10.1145/2508859.2516734

Bernstein, D.J. ; Hamburg, M. ; Krasnova, A. ; Lange, T. / Elligator : elliptic-curve points indistinguishable from uniform random strings. 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13, Berlin, Germany, November 4-8, 2013). editor / A.-R. Sadeghi ; V.D. Gligor ; M. Yung. New York : Association for Computing Machinery, Inc, 2013. pp. 967-979

@inproceedings{2adf58de260242d08386845028075848,

title = "Elligator : elliptic-curve points indistinguishable from uniform random strings",

abstract = "Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits. This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings. At a lower level, this paper introduces a new bijection between strings and about half of all curve points; this bijection is applicable to every odd-characteristic elliptic curve with a point of order 2, except for curves of $j$-invariant 1728. This paper also presents guidelines to construct, and two examples of, secure curves suitable for these encodings.",

author = "D.J. Bernstein and M. Hamburg and A. Krasnova and T. Lange",

year = "2013",

doi = "10.1145/2508859.2516734",

language = "English",

isbn = "978-1-4503-2477-9",

pages = "967--979",

editor = "A.-R. Sadeghi and V.D. Gligor and M. Yung",

booktitle = "2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13, Berlin, Germany, November 4-8, 2013)",

publisher = "Association for Computing Machinery, Inc",

address = "United States",

note = "conference; 20th ACM SIGSAC Conference on Computer and Communications Security; 2013-11-04; 2013-11-08 ; Conference date: 04-11-2013 Through 08-11-2013",

}

Bernstein, DJ, Hamburg, M, Krasnova, A & Lange, T 2013, Elligator : elliptic-curve points indistinguishable from uniform random strings. in A-R Sadeghi, VD Gligor & M Yung (eds), 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13, Berlin, Germany, November 4-8, 2013). Association for Computing Machinery, Inc, New York, pp. 967-979, conference; 20th ACM SIGSAC Conference on Computer and Communications Security; 2013-11-04; 2013-11-08, 4/11/13. https://doi.org/10.1145/2508859.2516734

Elligator : elliptic-curve points indistinguishable from uniform random strings. / Bernstein, D.J.; Hamburg, M.; Krasnova, A.; Lange, T.

2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13, Berlin, Germany, November 4-8, 2013). ed. / A.-R. Sadeghi; V.D. Gligor; M. Yung. New York : Association for Computing Machinery, Inc, 2013. p. 967-979.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Elligator : elliptic-curve points indistinguishable from uniform random strings

AU - Bernstein, D.J.

AU - Hamburg, M.

AU - Krasnova, A.

AU - Lange, T.

PY - 2013

Y1 - 2013

N2 - Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits. This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings. At a lower level, this paper introduces a new bijection between strings and about half of all curve points; this bijection is applicable to every odd-characteristic elliptic curve with a point of order 2, except for curves of $j$-invariant 1728. This paper also presents guidelines to construct, and two examples of, secure curves suitable for these encodings.

AB - Censorship-circumvention tools are in an arms race against censors. The censors study all traffic passing into and out of their controlled sphere, and try to disable censorship-circumvention tools without completely shutting down the Internet. Tools aim to shape their traffic patterns to match unblocked programs, so that simple traffic profiling cannot identify the tools within a reasonable number of traces; the censors respond by deploying firewalls with increasingly sophisticated deep-packet inspection. Cryptography hides patterns in user data but does not evade censorship if the censor can recognize patterns in the cryptography itself. In particular, elliptic-curve cryptography often transmits points on known elliptic curves, and those points are easily distinguishable from uniform random strings of bits. This paper introduces high-security high-speed elliptic-curve systems in which elliptic-curve points are encoded so as to be indistinguishable from uniform random strings. At a lower level, this paper introduces a new bijection between strings and about half of all curve points; this bijection is applicable to every odd-characteristic elliptic curve with a point of order 2, except for curves of $j$-invariant 1728. This paper also presents guidelines to construct, and two examples of, secure curves suitable for these encodings.

U2 - 10.1145/2508859.2516734

DO - 10.1145/2508859.2516734

M3 - Conference contribution

SN - 978-1-4503-2477-9

SP - 967

EP - 979

BT - 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13, Berlin, Germany, November 4-8, 2013)

A2 - Sadeghi, A.-R.

A2 - Gligor, V.D.

A2 - Yung, M.

PB - Association for Computing Machinery, Inc

CY - New York

T2 - conference; 20th ACM SIGSAC Conference on Computer and Communications Security; 2013-11-04; 2013-11-08

Y2 - 4 November 2013 through 8 November 2013

ER -

Bernstein DJ, Hamburg M, Krasnova A, Lange T. Elligator : elliptic-curve points indistinguishable from uniform random strings. In Sadeghi A-R, Gligor VD, Yung M, editors, 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS'13, Berlin, Germany, November 4-8, 2013). New York: Association for Computing Machinery, Inc. 2013. p. 967-979 https://doi.org/10.1145/2508859.2516734