ELLIPTIC CURVE CRYPTOGRAPHY

PRESENTED BY :
MRS. S J PATEL
DEPARTMENT OF COMPUTER ENGINEERING,
NIT, SURAT
Elliptic Curve Cryptography: Motivation

 Public key cryptographic algorithms (asymmetric key algorithms) play an important role in providing
security services:
 Confidentiality
 Key management
 User authentication
 Signature
 Public key cryptography systems are constructed by relying on the hardness of mathematical problems
 RSA: based on the integer factorization problem
 DH: based on the discrete logarithm problem
 The main problem of conventional public key cryptography systems is that the key size has to be
sufficient large in order to meet the high-level security requirement.
 This results in lower speed and consumption of more bandwidth
 Solution: Elliptic Curve Cryptography system

MRS. S J PATEL – [email protected] I – NIT SURAT

Introduction to Elliptic Curves

 Lets start with a puzzle…

What is the number of balls that may be piled as a square pyramid

and also rearranged into a square array?

MRS. S J PATEL – [email protected] I – NIT SURAT

Introduction to Elliptic Curves

 Lets start with a puzzle…

What is the number of
balls that may be piled as a
square pyramid and also
rearranged into a square
array?

MRS. S J PATEL – [email protected] I – NIT SURAT

Introduction to Elliptic Curves

 What about the figure

shown?
 Does it fulfil our
requirements?

MRS. S J PATEL – [email protected] I – NIT SURAT

Introduction to Elliptic Curves

 What about the figure

shown?
 Does it fulfil our
requirements???
 Can you find solutions to
this problem???

MRS. S J PATEL – [email protected] I – NIT SURAT

Introduction to Elliptic Curves

 Let x be the height of the pyramid, then the number of balls in

pyramid is,
x( x  1)(2 x  1)
12  22  32  ...  x 2 
6
 We also want this to be a square. Hence,
x( x  1)(2 x  1)
y  2

MRS. S J PATEL – [email protected] I – NIT SURAT

Graphical Representation

Y axis

X axis

Curves of this nature

are called ELLIPTIC
CURVES

MRS. S J PATEL – [email protected] I – NIT SURAT

Method of Diophantus

 Uses a set of known points to produce new points

 (0,0) and (1,1) are two trivial solutions
 Equation of line through these points is y=x.
 Intersecting with the curve and rearranging terms:
3 2 1
x  x  x0 3

2 2
 What are the roots of this equation???

MRS. S J PATEL – [email protected] I – NIT SURAT

Method of Diophantus

 Uses a set of known points to produce new points

 (0,0) and (1,1) are two trivial solutions
 Equation of line through these points is y=x.
 Intersecting with the curve and rearranging terms:
3 2 1
x  x  x0 3

2 2
 What are the roots of this equation???
 Two trivial roots x=0 and x=1…… But what about third one????

MRS. S J PATEL – [email protected] I – NIT SURAT

Method of Diophantus

 We know that, for any numbers a,b,c, we have,

(x-a)(x-b)(x-c) = x3 – (a+b+c)x2 + (ab+bc+ac)x – abc
 Hence, for the equation
3 2 1
x  x  x0
3

2 2
 We have,
3 3 1
a+b+x = 2  0+1+x = 2  x= 2

 Hence, one more point (½ , ½) and because of the symmetry , another (½ , -½)

MRS. S J PATEL – [email protected] I – NIT SURAT

Method of Diophantus : Exercise

 Can you find out another point on curve using Diophantus’s method ???

Consider two points (½ , -½) and (1,1) and find out another point on the
curve …..

MRS. S J PATEL – [email protected] I – NIT SURAT

Method of Diophantus : Exercise solution

 Consider the line through (1/2,-1/2) and (1,1) => y=3x-2

 Intersecting with the curve we have:
51 2
x3  x  ...  0
2
 Thus ½ + 1 + x = 51/2 or x = 24 and y=70
 Thus if we have 4900 balls we may arrange them in either way

MRS. S J PATEL – [email protected] I – NIT SURAT

Weierstrass Equation

 For most situations, an elliptic curve E is the graph of an equation of the form:

y 2  x3  Ax  B
where A and B are constants. This refers to the Weierstrass Equation of Elliptic
Curve.
 Here, A, B, x and y all belong to a field of say rational numbers, complex numbers,
finite fields (Fp) or Galois Fields (GF(2n)).
 If K is the field where A,B  K, then we say that the Elliptic Curve E is defined over
K

MRS. S J PATEL – [email protected] I – NIT SURAT

Points on Elliptic Curve

 If we want to consider points with coordinates in some field L, we write E(L). By

definition, this set always contains the point ∞
E ( L)  {} {( x, y)  L  L y 2  x3  Ax  B}

What about the roots of these

curves ????

We must have the equation

4A3 + 27B2 ≠0 satisfied

A condition for an Elliptic curve to

be a group !!!!!
MRS. S J PATEL – [email protected] I – NIT SURAT
Points on Elliptic Curve

MRS. S J PATEL – [email protected] I – NIT SURAT

Points on Elliptic Curve

MRS. S J PATEL – [email protected] I – NIT SURAT

Adding points on Elliptic Curve

 Start with two points : P1(x1,y1) and

P2(x2,y2) on elliptic curve
 To get a new point P3 , y 2  x3  Ax  B
 Draw a line L through P1 and P2
 Get the intersection P3’
 Reflect across x-axis to get P3
 We define P1 + P2 = P3

MRS. S J PATEL – [email protected] I – NIT SURAT

Adding points on Elliptic Curve (cont.)

Slop e of the line L p assing through P1 and P2 is,

 Case 1: P1 ≠ P2 and neither ( y 2  y1 )
m
point is ∞ ( x2  x1 )
For x1  x2 , equation of line L is,
 For x1 ≠ x2
y  m( x  x1 )  y1
 For x1 = x2 ???? To find intersection with E, substitute to get,
 We get P1 + P2 = ∞ ( m( x  x1 )  y1) 2  x 3  Ax  B

 Case II : P1 = P2 =(x1,y1) Rearrange to form,

0  x 3  m 2 x 2  ...
Given two roots x1 and x2 , third root can be calculated ,
( a  b  c )  m 2  ( x1  x2  x )  m 2
 x  m 2  x1  x2
and y  m( x  x1 )  y1
refecting across the x - axis to obtain the p oint P3  ( x3 , y3 ) :
MRS. S J PATEL – [email protected] I – NIT SURAT x3  m 2  x1  x2 and y3  m( x1  x3 )  y1
Adding points on Elliptic Curve (cont.)

1  A
2
dy dy 3 x
 Case II : P1 = P2 =(x1,y1) 2 y  3x  A, so m  
2

 When two points on a curve dx dx 2 y1

are very close to each other, If y1  0, the equation of L is,
the line through them
approximates a tangent line. y  m( x  x1 )  y1
Therefore, when the two
points coincide, we take the We find the cubic equation,
line L through them to be the
0  x 3  m 2 x 2  ...
tangent line.
 Implicit differentiation allows This time we know only one root x1 , we obtain :
us to find the slope m of L
x3  m 2  2 x1 , y3  m( x1 - x3 ) - y1
MRS. S J PATEL – [email protected] I – NIT SURAT
Adding points on Elliptic Curve (cont.)

 Case II : P1 = P2 =(x1,y1)
 If y1 ≠ 0
 If y1 = 0
 We get P1 + P2 = ∞

 Case III: P2 = ∞
 What about P1 + P2 ????
 Do we get P1 + P2 = P1 ??
 In other words, P1 + ∞ = P1

MRS. S J PATEL – [email protected] I – NIT SURAT

Group Law

 The addition of points on an elliptic curve E satisfies the following properties:

 (Commutativity) : P1 + P2 = P2 + P1 for all P1, P2 on E
 (Existence of identity) : P + ∞ = P for all P on E
 (Existence of inverses) : Given P on E, there exists P’ on E with P + P’ = ∞. This point P’ will usually
be denoted as –P
 (Associatively) : (P1 + P2)+ P3 = P1 + (P2+ P3 ) for all P1, P2, P3 on E

The points on E form an additive abelian group with ∞ as the identity element.

MRS. S J PATEL – [email protected] I – NIT SURAT

Integer times a point

 Let k be a positive integer and let P be a point on an elliptic curve, then

 kP denotes P + P + · · · + P (with k summands)
 Efficient computation for large k
 Successive doubling method
 For example, to compute 19P, we compute
 2P, 4P = 2P+2P, 8P = 4P+4P, 16P = 8P+8P, 19P = 16P+2P+P.
 But, the only difficulty is....
 The size of the coordinates of the points increases very rapidly if we are working over the
rational numbers
 What about finite fields ????

MRS. S J PATEL – [email protected] I – NIT SURAT

 ELLIPTIC CURVES IN CRYPTOGRAPHY

MRS. S J PATEL – [email protected] I – NIT SURAT

Elliptic curves in Cryptography

 Elliptic Curve (EC) systems as applied to cryptography were first

proposed in 1985 independently by Neal Koblitz and Victor Miller.
 The discrete logarithm problem on elliptic curve groups is believed to be
more difficult than the corresponding problem in (the multiplicative
group of nonzero elements of) the underlying finite field.

MRS. S J PATEL – [email protected] I – NIT SURAT

Why finite field?

 Elliptic curves over real numbers

 Calculations prove to be slow
 Inaccurate due to rounding error
 Infinite field
 Cryptographic schemes need fast and accurate arithmetic
 In the cryptographic schemes, elliptic curves over two finite fields are mostly
used.
 Prime field Fp , where p is a prime.
 Binary field F2m, where m is a positive integer

MRS. S J PATEL – [email protected] I – NIT SURAT

DISCRETE LOGARITHMS IN FINITE FIELDS

F={1,2,3,…,p-1}
Pick secret, random
Pick secret, random Y from F
X from F
gx mod p
gy mod p
Alice Bob
Compute k=(gy)x=gxy mod p
Compute k=(gx)y=gxy mod p
Eve has to compute gxy from gx and gy without knowing x and y…
She faces the Discrete Logarithm Problem in finite fields
MRS. S J PATEL – [email protected] I – NIT SURAT
Elliptic curves over finite fields

x x3+x+1 y Points
 Let us do an exercise....
 Let E be the curve y2 = x3+x+1 over F5, 0 1 ±1 (0,1),(0,4)
find all the points on E 1 3 - -

2 1 ±1 (2,1),(2,4)
Therefore, E(F5) has order 9.
3 1 ±1 (3,1),(3,4)

Can you show that E(F5) is 4 4 ±2 (4,2),(4,3)

cyclic??? What is the ∞ ∞ ∞

generator??

MRS. S J PATEL – [email protected] I – NIT SURAT

Elliptic curves over finite fields : Exercise

x x3+2 y Points
 Let E be the curve = y2 x3+2 over F7,
find all the points on E

What is the order of E(F7) ?

Is E(F7) cyclic??? If yes, what

is the generator??

MRS. S J PATEL – [email protected] I – NIT SURAT

Elliptic curves over finite fields : Exercise

x x3-xy+1 y Points
 Let E be the curve +xy = y2 x3 +1 over
F2, find all the points on E

What is the order of E(F2) ?

Is E(F2) cyclic??? If yes, what

is the generator??

MRS. S J PATEL – [email protected] I – NIT SURAT

Elliptic curve discrete logarithm problem

If we are working over a large finite field and are given points P and kP, it
is computationally hard to determine the value of k.This is called the
discrete logarithm problem for elliptic curves (ECDLP) and is
the basis for the cryptographic applications.

MRS. S J PATEL – [email protected] I – NIT SURAT

What Is Elliptic Curve Cryptography (ECC)?

 Elliptic curve cryptography [ECC] is a public-key cryptosystem just like RSA,

El Gamal.
 Every user has a public and a private key.
 Public key is used for encryption/signature verification.
 Private key is used for decryption/signature generation.
 Elliptic curves are used as an extension to other current cryptosystems.
 Elliptic Curve El-Gamal Encryption
 Elliptic Curve Diffie-Hellman Key Exchange
 Elliptic Curve Digital Signature Algorithm

MRS. S J PATEL – [email protected] I – NIT SURAT

Using Elliptic Curves In Cryptography

 The central part of any cryptosystem involving elliptic curves is the

elliptic group.
 All public-key cryptosystems have some underlying mathematical
operation.
 RSA has exponentiation (raising the message or ciphertext to the public or
private values)
 ECC has point multiplication (repeated addition of two points).

MRS. S J PATEL – [email protected] I – NIT SURAT

Discrete Logarithm Key pair generation

 A key pair is associated with a set of public domain parameters (p,q, g). Here, p is a
prime, q is a prime divisor of p−1, and g ∈ [1, p−1] has order q

INPUT : DLdomain parameters (p,q, g).

OUTPUT: Public key y and private key x.
1. Select x R [1, q  1].
2.Compute y  g x mod p
3.Return (y,x ).

MRS. S J PATEL – [email protected] I – NIT SURAT

ECC Key pair generation

 Let E be an elliptic curve defined over a finite field Fp.

 Let P be a point in E(Fp), and suppose that P has prime order n. Then the cyclic subgroup of
E(Fp) generated by P is,
P = {∞, P, 2P, 3P, . . ., (n−1)P}.

The public domain parameters A private key is an integer d that

are : The prime p, the equation of is selected uniformly at random
the elliptic curve E, and the point P from the interval [1,n −1], and the
and its order n : (p,E,P,n) corresponding public key is Q = dP.

MRS. S J PATEL – [email protected] I – NIT SURAT

Basic Elgamal encryption scheme

INPUT : DLdomain parameters (p,q, g), public key y, plaintext m  [0, p  1].
OUTPUT: Ciphertext (c1 , c 2 ).
1. Select k R [1, q  1].
Basic ElGamal
2.Compute c1  g k mod p
Encryption 3. Compute c2  m  y k mod p
2.Return (c1 , c 2 ).

INPUT : DLdomain parameters (p,q, g), private key x, ciphertext (c1 , c2 ).

Basic ElGamal OUTPUT: Plaintext m.
x
1. Compute m  c2  c1 mod p.
Decryption
2.Return (m).

MRS. S J PATEL – [email protected] I – NIT SURAT

ECC Analog to El Gamal : ECEG
INPUT : Elliptic curve domain parameters (p, E, P, n), public key Q, plaintext m.
OUTPUT: Ciphertext (C1 , C 2 )
1. Represent the message m as a point M in E(Fp )
EC-ElGamal 2. Select k R [1, n  1].
Encryption 3.Compute C1  kP.
4. Compute C 2  M  kQ.
5. Return (C1 , C 2 ).

INPUT : Elliptic curve domain parameters (p, E, P, n), private key d, ciphertext (C1 , C 2 )
EC-ElGamal OUTPUT: Plaintext m.
Decryption 1. Compute M  C2  dC1 , and extract m from M
2. Return M.

MRS. S J PATEL – [email protected] I – NIT SURAT

 Diffie-Hellman (DH) Key Exchange

MRS. S J PATEL – [email protected] I – NIT SURAT

 Can you suggest ECC analog to this ?????

MRS. S J PATEL – [email protected] I – NIT SURAT

ECC Diffie-Hellman: ECDH

 Public: Elliptic curve and point B=(x,y) on curve

 Secret: Alice’s a and Bob’s b
a(x,y)
b(x,y)

Alice, A Bob, B

• Alice computes a(b(x,y))

• Bob computes b(a(x,y))
• These are the same since ab = ba
MRS. S J PATEL – [email protected] I – NIT SURAT
 Digital Signature Algorithm (DSA)
INPUT : DL domain parameters (p,q, g), private key x, message m.
OUTPUT: Signature (r, s).
1. Select k R [1, q  1].
Signature 2.ComputeT  g k mod p
3. Compute r  T mod q. If r  0 then go to step 1.
Generation 4. Compute h  H(m).
5. Compute s  k 1 (h  xr ) mod q. If s  0, then go to step 1.
6. Return (r, s).
INPUT : DL domain p arameters (p ,q, g), p ublic key y , message m, signature (r, s).
OUTPUT: Accep tance or Rejection of a signature.
1. Verify that r and s are integers in the interval [1, q - 1].
If any verification fails, then return(" Reject the signature" ).
2. Comp ute h  H ( m). Signature
3. Comp ute w  s 1 mod q.
4. Comp ute u1  hw mod q and u 2  rw mod q.
Verification
5. Comp uteT  g u1 y u 2 mod p
6. Comp ute r '  T mod q
7. If r  r' then return (" accep t signature" );
MRS. S return("
else J PATEL – [email protected] I – NIT SURAT).
reject signature"
ECC analogue to DSA : ECDSA
INPUT : Domain p arameters D, p rivate key d, message m
OUTPUT: Signature (r, s).
1. Select k R [1, n  1]
Signature 2. Comp ute kP  ( x1 , y1 ) and convert x1 to an integer x1
3. Comp ute r  x1 mod n. If r  0 then go to step 1.
Generation 4. Comp ute e  H ( m).
5. Comp ute s  k 1 (e  dr ) mod n. If s  0 then goto step 1.
6. Return (r, s).
INPUT : Domain p arameters D, p ublic key Q, message m and Signature (r, s).
OUTPUT: Accep tance or rejection of the signature
1. Verify that r and s are integers in the interval [1, n - 1].
If any verification fails then return (" Reject the signature" ).
2. Comp ute e  H(m). Signature
3. Comp ute w  s -1mod n Verification
4. Comp ute u1  ew mod n and u 2  rw mod n
5.Comp ute X  u1 P  u 2Q.
6. If X   then return(" reject signature" ).
7. Convert the x - coordinate x1 to an integer x1 ; comp ute v  x1 mod n.
MRS. S 8.
J PATEL  r then return("
If v– [email protected] Accep t
I – NIT SURAT thesignature" );
else return(" Reject the signature" );
Why use ECC?

 Criteria to be considered while selecting PKC for application

 Functionality: Does the public-key family provide the desired capabilities?
 Security: What assurances are available that the protocols are secure?
 Performance: For the desired level of security, do the protocols meet performance
objectives?
 Also some misc. factors such as existence of best-practice standards developed by
accredited standards organizations, the availability of commercial cryptographic
products, and patent coverage.

MRS. S J PATEL – [email protected] I – NIT SURAT

Why use ECC? (cont.)

 The RSA, DL and EC families all provide the basic functionality expected of public-key
cryptography
 But…… How do we analyze these Cryptosystems?
 How difficult is the underlying problem that it is based upon
 RSA – Integer Factorization
 DH – Discrete Logarithms
 ECC - Elliptic Curve Discrete Logarithm problem

MRS. S J PATEL – [email protected] I – NIT SURAT

Why use ECC? (cont.)

 How do we measure difficulty?

 We examine the algorithms used to solve these problems
 Integer factorization
 Number Field Sieve (NFS) : Sub exponential running time
 Discrete Logarithm
 Number Field Sieve (NFS) : Sub exponential running time
 Pollard’s rho algorithm
 Elliptic Curve Discrete Logarithm (ECDL)
 Pollard’s rho algorithm : Fully exponential running time

MRS. S J PATEL – [email protected] I – NIT SURAT

 Why use ECC? (cont.)

 To protect a 128 bit AES key it

would take a:
 RSA Key Size: 3072 bits
 ECC Key Size: 256 bits

 How do we strengthen RSA?

 Increase the key length

 Impractical?

MRS. S J PATEL – [email protected] I – NIT SURAT

Applications of ECC

 Many devices are small and have limited storage and computational
power
 Where can we apply ECC?
 Wireless communication devices
 Smart cards
 Web servers that need to handle many encryption sessions
 Any application where security is needed but lacks the power, storage
and computational power that is necessary for our current
cryptosystems

MRS. S J PATEL – [email protected] I – NIT SURAT

 TUTORIAL QUESTIONS

MRS. S J PATEL – [email protected] I – NIT SURAT

Elliptic curve over real numbers

1. Does the elliptic curve equation y2 = x3 - 7x - 6 over real numbers define a group?
2. What is the additive identity of regular integers?
3. Is (4,7) a point on the elliptic curve y2 = x3 - 5x + 5 over real numbers?
4. What are the negatives of the following elliptic curve points over real numbers?
P(-4,-6), Q(17,0), R(3,9), S(0,-4)
5. In the elliptic curve group defined by y2 = x3 - 17x + 16 over real numbers, what is P
+ Q if P = (0,-4) and Q = (1,0)?
6. In the elliptic curve group defined by y2 = x3 - 17x + 16 over real numbers, what is
2P if P = (4, 3.464)?

MRS. S J PATEL – [email protected] I – NIT SURAT

Elliptic curve over real numbers

1. Does the elliptic curve equation y2 = x3 - 7x - 6 over real numbers define a group?
Ans: Yes
2. What is the additive identity of regular integers? Ans: 0
3. Is (4,7) a point on the elliptic curve y2 = x3 - 5x + 5 over real numbers? Ans: Yes
4. What are the negatives of the following elliptic curve points over real numbers?
P(-4,-6), Q(17,0), R(3,9), S(0,-4) Ans: -P(-4,6), -Q(17,0), -R(3,-9), -S(0,4)
5. In the elliptic curve group defined by y2 = x3 - 17x + 16 over real numbers, what is P
+ Q if P = (0,-4) and Q = (1,0)? Ans: P + Q = (15, -56)
6. In the elliptic curve group defined by y2 = x3 - 17x + 16 over real numbers, what is
2P if P = (4, 3.464)? Ans: 2P = (12.022, -39.362)

MRS. S J PATEL – [email protected] I – NIT SURAT

Elliptic curve over real numbers

Consider the curve y2 = x3 + 5x -7

Answer the following for the above curve :

1. Does the curve form group ?
2. Consider the point P(1.1, 0) on curve. Find the points 2P, 3P, 4P, 5P, 6P and 7P on
curve.

MRS. S J PATEL – [email protected] I – NIT SURAT

Elliptic curve over real numbers

Consider the curve y2 = x3 + 3x +5

Consider the point P(2, 2.65) on curve. Find the point 2P.

MRS. S J PATEL – [email protected] I – NIT SURAT

key references

 Elliptic Curves: Number Theory and Cryptography, by Lawrence C. Washington

 Guide to Elliptic Curve Cryptography, Alfred J. Menezes
 Guide to Elliptic Curve Cryptography, Darrel R. Hankerson, A. Menezes and A.
Vanstone
 www.certicom.com

MRS. S J PATEL – [email protected] I – NIT SURAT