Elliptic Curve Cryptography

Elliptic Curve Cryptography
Kelly Bresnahan
March 24, 2016

Table Of Contents
1 Elliptic Curve Cryptography (ECC)
Introduction
Pros and Cons of Elliptic Curves
Deﬁnition of an Elliptic Curve
Operations on Elliptic Curves
Hasse’s Bound
Representing Plaintext
Elliptic Curve Diﬃe-Hellman Key Exchange
ElGamal Digital Signatures using Elliptic Curves
Identity-Base Encryption Using ECC

Introduction
Miller and Koblitz (independently) introduced elliptic
curves into cryptography in the mid-1980s
Elliptic Curve Cryptography algorithms entered wide use
between 2004 and 2005
Based on the discrete logarithm problem, i.e.
determining an integer 1 ≤ k ≤ p − 1 such that
gk
= b (mod p)

Why use ECC?
Pros
Smaller keys can be used to achieve the same security as
an RSA or discrete logarithm system

Why use ECC?
Pros
160-256 bit vs 1024-3072 bit

Why use ECC?
Pros
160-256 bit vs 1024-3072 bit
Only generic attacks are known against ECC in comparison
to other systems such as RSA and discrete logarithm (DL)
schemes

Why use ECC?
Pros
160-256 bit vs 1024-3072 bit
schemes
ECDSA signature with a 256-bit key is over 20 times faster
than an RSA signature with a 2,048-bit key

Why use ECC?
Pros
160-256 bit vs 1024-3072 bit
schemes
The energy needed to break an RSA key is much smaller
than an ECC key

Why use ECC?
Pros
160-256 bit vs 1024-3072 bit
schemes
than an ECC key
Cons

Why use ECC?
Pros
160-256 bit vs 1024-3072 bit
schemes
than an ECC key
Cons
Security is achieved only if cryptographically strong elliptic
curves are used

Definition of Elliptic Curves
Definition: An elliptic curve is the graph of the equation
E : y2
= x3
+ ax2
+ bx + c
where a, b, and c are elements from the base field K of
characteristic not equal to 2.
Note: We’ll also include the point (∞, ∞), denoted ∞

Examples of Elliptic Curves over R
Figure: y2
= x3
+ x Figure: y2
= x3
+ 73

Operations on Elliptic Curves
Point Addition

Operations on Elliptic Curves (cont)
Point Doubling

How do we add a point P with ∞?

Therefore, the points on E form an abelian group under
addition where
1 ∞ is the additive identity
2 The inverse of the point P = (x, y) is −P = (x, −y)
3 P − Q = P + (−Q)

Adding Points on E
Suppose E is deﬁned as y2 ≡ x3 + 4x + 4 (mod 5).
Let P1 = (1, 2) and P2 = (4, 3). Then
(1, 2) + (4, 3) = (4, 2)

Doubling Points on P
Suppose E is deﬁned as y2 ≡ x3 + 2x + 2 (mod 17).
Let P = (5, 1). Then
2P = (6, 3)

Addition Law
If E is given by E : y2 = x3 + bx + c (mod p) we deﬁne
(x3, y3) = (x1, y1) + (x2, y2)
as
x3 = s2
− x1 − x2 (mod p) and
y3 = s(x1 − x3) − y1 (mod p)
where
s =



y2−y1
x2−x1
(mod p), if P = Q
3x1+b
2y1
(mod p), if P = Q

Cardinality
Question: What is the order of the group (E, +) (mod p), i.e.
how many point are on E?

Cardinality
Question: What is the order of the group (E, +) (mod p), i.e.
how many point are on E?
Hasse’s Bound: Given an elliptic curve E modulo p, the
number of points on E, denoted #E, is bounded by
p + 1 − 2
√
p ≤ #E ≤ p + 1 + 2
√
p

Elliptic Curves (mod p)
The Discrete Logarithm Problem for Elliptic Curves:
Given an elliptic curve E and two points A and B on E, the
discrete log problem for elliptic curves is ﬁnding an integer
1 ≤ d ≤ #E such that
P + P + · · · + P
d times
= dP = T

Elliptic Curves (mod p)
The Discrete Logarithm Problem for Elliptic Curves:
Given an elliptic curve E and two points A and B on E, the
discrete log problem for elliptic curves is ﬁnding an integer
1 ≤ d ≤ #E such that
P + P + · · · + P
d times
= dP = T
In cryptosystems d is the private key and T is the public key

We need a method for encoding a message as point on an
elliptic curve.

elliptic curve.
The Bad News: Currently there is no known polynomial time,
deterministic algorithm for writing points on an arbitrary
elliptic curve.

elliptic curve.
elliptic curve.
The Good News: There are fast probabilistic methods for
ﬁnding points

elliptic curve.
elliptic curve.
The Good News: There are fast probabilistic methods for
ﬁnding points
With appropriately chosen parameters, the probability of
failure can be made arbitrarily small.

Let E : y2 ≡ x3 + bx + c (mod p) be the elliptic curve and let
m be the message represented as a number.

Idea: Embed m as the x-coordinate of a point on E

The Bad News: There is only a 50% chance that
m3 + bm + c is a square modulo p

Question: How can we guarantee a higher success rate?

Question: How can we guarantee a higher success rate?
Answer: We’ll adjoin a few bits at the end of m and adjust
them until we get a number x such that x3 + bx + c is a square
(mod p)

Koblitz’s Method

Koblitz’s Method
Let K ∈ Z be large enough such that a failure rate of
1/2K is acceptable

Koblitz’s Method
1/2K is acceptable
Assume that (m + 1)K < p and let x = mK + j

Koblitz’s Method
1/2K is acceptable
For j = 0, 1, 2, . . . , K − 1,

Koblitz’s Method
1/2K is acceptable
For j = 0, 1, 2, . . . , K − 1,
- Compute x3
+ bx + c and try to calculate the square root
(mod p)

Koblitz’s Method
1/2K is acceptable
For j = 0, 1, 2, . . . , K − 1,
- Compute x3
(mod p)
- If x3
+ bx + c is a square, then we send m to Pm = (x, y),
otherwise increment j by 1

Koblitz’s Method
1/2K is acceptable
For j = 0, 1, 2, . . . , K − 1,
- Compute x3
(mod p)
- If x3
+ bx + c is a square, then we send m to Pm = (x, y),
otherwise increment j by 1
- If we reach j = K, then we have failed to map a message
to a point on E

Decoding
Note: Because x3 + bx + c is a square approximately half of
the time and we try x = mK + j at most K times, we have
about 1/2K chance of failure.

Decoding
Note: Because x3 + bx + c is a square approximately half of
the time and we try x = mK + j at most K times, we have
about 1/2K chance of failure.
To recover the original message from Pm = (x, y), we calculate
m =
x
K
Second Note: Decoding requires that (m + 1)K < p

(ECDH)
Suppose that Alice and Bob want to exchange a key

(ECDH)
1 They agree on a prime p, the elliptic curve
E : y2 ≡ x3 + ax + b (mod p), and a base point P on E.

(ECDH)
2 Alice randomly chooses an integer ka and Bob randomly
chooses an integer kb, which they keep secret

(ECDH)
3 Alice publishes the point A = kaP and sends it to Bob

(ECDH)
4 Bob publishes the point B = kbP and sends it to Alice

(ECDH)
5 Alice takes Bob’s point B and computes ka(B)

(ECDH)
6 Similarly, Bob computes kb(A)

(ECDH)
6 Similarly, Bob computes kb(A)
7 Because the group (E, +) is abelian,
ka(B) = ka(kbP) = kb(kaP) = kb(A),
so Alice and Bob have the same key

ElGamal Elliptic Curve Digital Signature Algorithm
(ECDSA)
Suppose that Alice wants to sign a message, m, for Bob to
verify.

(ECDSA)
verify.
To set up the system, we
1 Fix an Elliptic Curve E (mod p) where p is large prime

(ECDSA)
verify.
2 Fix a base point A on E

(ECDSA)
verify.
3 Assume that the message represented as a number m
satisﬁes
0 ≤ m ≤ #E

(ECDSA)
verify.
satisﬁes
0 ≤ m ≤ #E
4 Alice chooses a private integer a and computes B = aA

(ECDSA)
verify.
satisﬁes
0 ≤ m ≤ #E
4 Alice chooses a private integer a and computes B = aA
Now (p, E, #E, A, B) are made public while a is private.

El Gamal ECDSA: Signing a Message
Now Alice wants to sign the message, so she

1 chooses a random 1 ≤ k ≤ #E with gcd(k, #E) = 1,

2 computes kA ≡ R = (x, y),

3 computes s ≡ k−1(m − ax) mod #E,

3 computes s ≡ k−1(m − ax) mod #E,
4 sends the signed message (m, R, s) to Bob for veriﬁcation,

El Gamal ECDSA: Verifying a Message
To verify Alice’s message, Bob

1 downloads Alice’s public info and (p, E, #E, A, B),

1 downloads Alice’s public info and (p, E, #E, A, B),
2 computes v1 ≡ xB + sR and v2 ≡ mA
The signature is valid only if v1 = v2

Why does this work?
We know that
v1 = xB + sR

Why does this work?
We know that
v1 = xB + sR
= xaA + (k−1
(m − ax))(kA)

Why does this work?
We know that
v1 = xB + sR
= xaA + (k−1
(m − ax))(kA)
= xaA + (m − ax)A

Why does this work?
We know that
v1 = xB + sR
= xaA + (k−1
(m − ax))(kA)
= xaA + (m − ax)A
= mA

Why does this work?
We know that
v1 = xB + sR
= xaA + (k−1
(m − ax))(kA)
= xaA + (m − ax)A
= mA
≡ v2

Identity-Based Encryption
In most public key systems, when Alice wants to send a
message to Bob, she looks up his public key in a directory and
then encrypts her message. However, how does she know that
the information has not been modiﬁed by Eve and the public
key listed for Bob is Eve’s key?!

Identity-Based Encryption
In most public key systems, when Alice wants to send a
message to Bob, she looks up his public key in a directory and
then encrypts her message. However, how does she know that
the information has not been modiﬁed by Eve and the public
key listed for Bob is Eve’s key?!
Wouldn’t it be nice to have a system where Bob’s public
identiﬁcation information (like his email address) serves as the
public key?

Setting up the Cryptosystem
First, let p be a prime of the form 6q − 1 where q is also prime.
Then for the elliptic curve E : y2 = x3 + 1 (mod p), we know
that

that
There is a point P0 = ∞ such that qP0 = ∞.

that
There is a function ˜e such that
- ˜e maps pairs of points (aP0, bP0) to qth roots of unity

that
- ˜e satisﬁes the bilinearity property
˜e(aP0, bP0) = ˜e(P0, P0)ab
for all a and b

that
˜e(aP0, bP0) = ˜e(P0, P0)ab
for all a and b
- Given P = kP0 and Q = mP0, ˜e(P, Q) can be computed
quickly from the coordinates P and Q

that
˜e(aP0, bP0) = ˜e(P0, P0)ab
for all a and b
- Given P = kP0 and Q = mP0, ˜e(P, Q) can be computed
quickly from the coordinates P and Q
- ˜e(P0, P0) = 1, so it is a nontrivial root of unity

Setting up the Cryptosystem (cont)
We need two public hash functions:

Setting up the Cryptosystem (cont)
We need two public hash functions:
H1 : {arb. length binary string} −→ kP0
for k ∈ Z
H2 : {qth root of unity} −→ {binary strings of length n}
where n is the length of the message to be sent

Setting up the System
To set up the system, we need a Trusted Authority, Arthur.
Arthur does the following:

He chooses a secret integer s

He computes P1 = sP0, which is made public

For each User, Arthur ﬁnds the user’s ID (written as a
binary string) and computes
DUser = sH1(ID),
which is a point on E

For each User, Arthur ﬁnds the user’s ID (written as a
binary string) and computes
DUser = sH1(ID),
which is a point on E
Arthur sends DUser to each user, who keeps it secret. He
then discards DUser

Sending a Message
Suppose Alice wants to send a message m to Bob and suppose
that m is of binary length n.
Bob’s ID is bob@computer.com, so Alice does the following:

Sending a Message
1 She computes g ≡ ˜e(H1(bob@computer.com), P1), a qth
root of unity

Sending a Message
root of unity
2 She chooses a random integer r = 0 (mod q) and
computes
t ≡ m ⊕ H2(gr
)
where ⊕ is the XOR cipher.

Sending a Message
root of unity
2 She chooses a random integer r = 0 (mod q) and
computes
t ≡ m ⊕ H2(gr
)
where ⊕ is the XOR cipher.
3 She sends Bob the ciphertext
c ≡ (rP0, t),
where rP0 on E and t is a binary string of length n

Recovering the Message
Bob receives the pair (U, v) where U is a point on E and v is a
binary string of length n. Then he does the following:

1 He computes h ≡ ˜e(DBob, U), which is a qth root of unity

1 He computes h ≡ ˜e(DBob, U), which is a qth root of unity
2 He recovers the message by
m = v ⊕ H2(h)

Why does this work?
If encryption is performed correction, U = rP0 and
v = t = m ⊕ H2(g).

Why does this work?
v = t = m ⊕ H2(g).
Since DBob = sH1(bob@computer.com),
h ≡ ˜e(DBob, rP0) = ˜e(sH1(bob@computer.com), rP0)
= ˜e(H1(bob@computer.com), P0)rs

Why does this work?
v = t = m ⊕ H2(g).
= ˜e(H1(bob@computer.com), sP0)r

Why does this work?
v = t = m ⊕ H2(g).
= ˜e(H1(bob@computer.com), P1)r

Why does this work?
v = t = m ⊕ H2(g).
≡ gr

Why does this work?
v = t = m ⊕ H2(g).
≡ gr
Therefore,

Why does this work?
v = t = m ⊕ H2(g).
≡ gr
Therefore,
t ⊕ H2(h) = t ⊕ H2(gr
) = (m ⊕ H2(gr
)) ⊕ H2(gr
) = m

Elliptic Curve Cryptography

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Elliptic Curve Cryptography

Similar to Elliptic Curve Cryptography (20)

Elliptic Curve Cryptography