Elliptic Curve Cryptography Jen-Chang Liu, 2004 Adapted from lecture slides by Lawrie Brown Ref: RSA Security’s Official Guide to Cryptography


No Singhalese (Ceylonese), whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman (amulet) he would fear that some devil might take advantage of his weak state to slip into his body.

—The Golden Bough, Sir James George Frazer


Review: Requirement for public-key cryptography

Diffie and Hellman (1976) proposed the public-key cryptography requirement:

- It is computationally easy to generate a pair of keys
- It is computationally easy for a sender to encrypt: $Y = E_{KU_b}(X)$
- It is computationally easy for a receiver to decrypt: $X = D_{KR_b}(Y)$
- It is computationally infeasible for an opponent, knowing the public key, to determine the private key
- It is computationally infeasible for an opponent, knowing the public key and ciphertext, to recover the plaintext

=> Trap-door one-way function


Review: one-way function

- 1968, R. M. Needham’s system

  [Diagram: A’s password → One-way cipher → A’s encrypted password, an entry in the encrypted password list]

- 1974, G. Purdy published the first detailed description of such a one-way function
- One-way function: computation in $Z_p$, $p = 2^{64} - 59$

  $f(x) = x^{2^{24}+17} + a_1 x^{2^{24}+3} + a_2 x^3 + a_3 x^2 + a_4 x + a_5$

  Hard to invert!


Review: (trapdoor) one-way function

[Diagram: domain → target]

- $Y = f(X)$: easy
- $X = f^{-1}(Y)$: infeasible (> polynomial time)
- $X = f_K^{-1}(Y)$: easy if trap-door K is known (~ polynomial time)

The notion of “computationally infeasible” plays an important role

An enciphering transformation that can safely be regarded as a (trapdoor) one-way function in 1994 might lose its one-way or trapdoor status in 2004 or 2994


Elliptic Curve Cryptography (ECC)

- majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
- imposes a significant load in storing and processing keys and messages
- an alternative is to use elliptic curves
- offers same security with smaller bit sizes


Outline

- Operations over abelian groups (commutative groups)
- Elliptic curves over the reals
- Elliptic curves over the finite fields
- Elliptic curve cryptography


Abelian group

- Group with commutative property
- Group: {G, •}
  - G: a set of elements
  - •: binary operation to each pair (a,b) in G
- obeys:
  - closure: a•b is also in G
  - associative law: (a•b)•c = a•(b•c)
  - has identity e: e•a = a•e = a
  - has inverses $a^{-1}$: a•$a^{-1}$ = e


Public ciphers based on an abelian group

- Exponentiation (repeated multiplication) in RSA and D-H algorithm

  $a^k \bmod q = (a \times a \times \cdots \times a) \bmod q$ (k times): hard problem

- Idea: Find another abelian group!
- In elliptic curves, we define the addition operation such that it forms an abelian group

  $k \times a = a + a + \cdots + a$ (k times)


Classes of elliptic curves used by cryptographers


Outline

- Operations over abelian groups (commutative groups)
- Elliptic curves over the reals
- Elliptic curves over the finite fields
- Elliptic curve cryptography


Real Elliptic Curves

- Elliptic curves are not ellipses
- an elliptic curve is defined by an equation in two variables x & y, with coefficients
- consider a cubic elliptic curve of form $y^2 = x^3 + ax + b$, where x, y, a, b are all real numbers
- also define O (point at infinity)


Real Elliptic Curve Example #1

- Given x, there will be two solutions for y
- Multiple roots of $x^3 + x + 1 = 0$


Real Elliptic Curve Example #2

- Roots of $x^3 - x = 0$


Real Elliptic Curve Example#2: F(x,y)


Real Elliptic Curve Example #2: F(x,y), top view of the 3-D plot


Addition over elliptic curve

Definition: Let E be an elliptic curve over the real numbers, and let P and Q be two points on E. We define the negative of P and the sum P+Q as:

1. If P is the point at infinity O, then -P = O and P+Q = Q. [i.e. O serves as the identity (zero)]
2. If P = (x,y), then -P = (x,-y) [-P must lie on the elliptic curve]


Addition over elliptic curve (cont.)

3. If P and Q have different x-coordinates, then P+Q = …R

[Figure labels: P, Q, line l]

Why not P+Q=R?

1. P+Q = R => R-Q = P
2. However, by definition R+Q = P
3. R-Q = R+Q ?


Addition over elliptic curve (cont.)

4. If Q=-P, then P+Q = O
5. If P=Q, then P+Q = …

[Figure labels: P, Q; P, 2P]


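Closure of addition operation

Why is there exactly one point where the line intersects the elliptic curve? (Is P+Q always defined?)

Case 1: P ≠ Q

[Figure labels: P, Q, line l]

- $P = (x_1, y_1)$, $Q = (x_2, y_2)$
- Line function: $(x, \alpha x + \beta)$, with third point $(x_3, \alpha x_3 + \beta)$
- Solve

  $y^2 = x^3 + ax + b$

  $y = \alpha x + \beta$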


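Closure of addition operation (cont.)

Solve

$y^2 = x^3 + ax + b$

$y = \alpha x + \beta$

=> $x^3 - (\alpha x + \beta)^2 + ax + b = 0$

Three roots: $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$

=> $(x - x_1)(x - x_2)(x - x_3) = 0$

=> $x^3 - (x_1 + x_2 + x_3)x^2 + \dots = 0$

=> $x_1 + x_2 + x_3 = \alpha^2$

=> $x_3 = \alpha^2 - x_1 - x_2$

=> $x_3 = \left(\frac{y_2 - y_1}{x_2 - x_1}\right)^2 - x_1 - x_2$

   $y_3 = -y_1 + \left(\frac{y_2 - y_1}{x_2 - x_1}\right)(x_1 - x_3)$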


Closure of addition operation (cont.)

Case 2: P=Q

- Slope of the tangent line: $\frac{3x_1^2 + a}{2y_1}$
- Solution of P+Q:

  $x_3 = \left(\frac{3x_1^2 + a}{2y_1}\right)^2 - 2x_1$

  $y_3 = -y_1 + \left(\frac{3x_1^2 + a}{2y_1}\right)(x_1 - x_3)$


Outline

- Operations over abelian groups (commutative groups)
- Elliptic curves over the reals
- Elliptic curves over the finite fields
  - Over $Z_p$
  - Over $GF(2^m)$
- Elliptic curve cryptography


Finite Elliptic Curves

- Elliptic curve cryptography uses curves whose variables & coefficients are discrete and finite
- have two families commonly used:
  - prime curves $E_p(a,b)$ defined over $Z_p$
    - use integers modulo a prime
    - best in software
  - binary curves $E_{2^m}(a,b)$ defined over $GF(2^m)$
    - use polynomials with binary coefficients
    - best in hardware


Example: discrete EC over Zp

$y^2 \bmod p = (x^3 + x + 1) \bmod p$

Ex. (9, 7) is on EC

$7^2 \bmod 23 = (9^3 + 9 + 1) \bmod 23$


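EC over Zp

1. P+O = P
2. If $P = (x_P, y_P)$, then $P + (x_P, -y_P) = O$
3. If $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$, then $R = P+Q = (x_R, y_R)$ is

   $x_R = (\lambda^2 - x_P - x_Q) \bmod p$

   $y_R = (\lambda(x_P - x_R) - y_P) \bmod p$

   where

   $\lambda = \left(\frac{y_Q - y_P}{x_Q - x_P}\right) \bmod p$ if P ≠ Q

   $\lambda = \left(\frac{3x_P^2 + a}{2y_P}\right) \bmod p$ if P = Q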


EC over Zp (cont.)

4. Scalar multiplication is defined as repeated addition. Ex. 4P = P+P+P+P

Q: How many points are defined on the EC (given prime modulus p)?

$p + 1 - 2\sqrt{p} \le N \le p + 1 + 2\sqrt{p}$

When p is large, it approximates the size of Zp
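
Added example, not part of the slides: counting N for the two toy curves used in this deck, E23(1,1) and E23(9,17), with Euler's criterion and checking the result against the bound above (Hasse's theorem). The function names are chosen here for illustration, and p is assumed to be an odd prime.

```python
# Count the points of y^2 = x^3 + a*x + b over Z_p (added example, p an odd prime).

def legendre(n, p):
    """Euler's criterion: 1 if n is a nonzero square mod p, -1 if not, 0 if n = 0."""
    s = pow(n % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s

def count_points(a, b, p):
    """Each x contributes 1 + legendre(x^3 + a*x + b) points; the extra 1 is O."""
    return p + 1 + sum(legendre(x**3 + a * x + b, p) for x in range(p))

def enumerate_points(a, b, p):
    """Cross-check: list every affine (x, y) that satisfies the curve equation."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x**3 + a * x + b)) % p == 0]

def hasse_ok(n, p):
    """|N - (p + 1)| <= 2*sqrt(p), tested exactly with integers."""
    return (n - (p + 1)) ** 2 <= 4 * p

if __name__ == "__main__":
    for a, b, p in [(1, 1, 23), (9, 17, 23)]:      # the toy curves on the slides
        n = count_points(a, b, p)
        assert n == len(enumerate_points(a, b, p)) + 1
        print(f"E{p}({a},{b}): N = {n}, within Hasse bound: {hasse_ok(n, p)}")
```

N bounds the work of any exhaustive search for k in Q = kP, which is why these 23-element examples are teaching curves only.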


Outline

- Operations over abelian groups (commutative groups)
- Elliptic curves over the reals
- Elliptic curves over the finite fields
- Elliptic curve cryptography


Elliptic Curve Cryptography

- ECC addition is analog of modulo multiply in RSA
- ECC repeated addition is analog of modulo exponentiation
- need “hard” problem equiv. to discrete log
  - Q=kP, where Q,P belong to a prime curve
  - is “easy” to compute Q given k and P
  - but “hard” to find k given Q,P
  - known as the elliptic curve logarithm problem


EC discrete log problem

- Certicom example: $E_{23}(9,17)$
- EC: $y^2 \bmod 23 = (x^3 + 9x + 17) \bmod 23$
- P=(16,5), Q=(4,5), determine k s.t. Q=kP
- Brute force method:

  P=(16,5); 2P=(20,20); 3P=(14,14); 4P=(19,20)

  5P=(13,10); 6P=(7,3); 7P=(8,7); 8P=(12,17); 9P=(4,5)


ECC Diffie-Hellman

- can do key exchange analogous to D-H
- users select a suitable curve Ep(a,b)
- select base point G=(x1,y1) with large order n s.t. nG=O
- A & B select private keys nA<n, nB<n
- compute public keys: PA=nA×G, PB=nB×G
- compute shared key: K=nA×PB, K=nB×PA
- same since K=nA×nB×G


Protocol of D-H key exchange

Public: Ep(a,b), G=(x1,y1)

- A: nA<n, PA=nA×G
- B: nB<n, PB=nB×G
- A sends PA to B; B sends PB to A
- A computes K=nA×PB; B computes K=nB×PA

The same secret key: K=nA×nB×G


ECC Encryption/Decryption

- several alternatives, will consider simplest
- must first encode any message M as a point on the elliptic curve Pm
  - Problem: not all discrete points are defined in EC
- select suitable curve & point G as in D-H
- each user chooses private key nA<n and computes public key PA=nA×G
- to encrypt Pm: Cm={kG, Pm+kPA}, k random
- decrypt Cm, compute:

  Pm+kPA-nA(kG) = Pm+k(nAG)-nA(kG) = Pm


Example: ECC encryption

- EC curve on Zp: $y^2 = x^3 - x + 188$, G = (0, 376), p = 751
- A’s public key PA = (201, 5)
- Plaintext Pm = (562, 201)
- B selects random k=386, then encrypts Pm as

  Cm = {kG, Pm+kPA} = {386(0,376), (562, 201)+386(201, 5)} = {(676, 558), (385, 328)}
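
The addition rules for EC over Zp, the brute-force search on the Certicom slide, the D-H shared key and the encrypt/decrypt rule above all rest on the same two routines, shown here as an added example that is not code from the slides. Function names are chosen for illustration; the slides give only A's public key, so decrypting requires a private key nA of your own choosing.

```python
# Toy affine arithmetic on y^2 = x^3 + a*x + b over Z_p (added example).
# Not constant-time; for classroom-sized primes only.
O = None  # point at infinity, the group identity

def on_curve(P, a, b, p):
    """Check a received point before using it in any computation."""
    return P is O or (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0

def ec_add(P, Q, a, p):
    if P is O or Q is O:
        return Q if P is O else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                      # Q = -P (covers doubling when y = 0)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p   # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p        # chord slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P, a, p):
    """Double-and-add: about log2(k) doublings instead of k - 1 additions."""
    R = O
    while k > 0:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R

def brute_force_log(P, Q, a, p):
    """Smallest k >= 1 with kP = Q by repeated addition, else None."""
    R, k = P, 1
    while R is not O:
        if R == Q:
            return k
        R, k = ec_add(R, P, a, p), k + 1
    return None

def encrypt(Pm, k, G, PA, a, p):
    """Cm = {kG, Pm + k*PA}; k must be fresh and secret for every message."""
    return ec_mul(k, G, a, p), ec_add(Pm, ec_mul(k, PA, a, p), a, p)

def decrypt(Cm, nA, a, p):
    S = ec_mul(nA, Cm[0], a, p)       # nA*(kG) equals k*PA
    return ec_add(Cm[1], S if S is O else (S[0], -S[1] % p), a, p)

if __name__ == "__main__":
    print(brute_force_log((16, 5), (4, 5), a=9, p=23))               # Certicom slide
    print(encrypt((562, 201), 386, (0, 376), (201, 5), a=-1, p=751)) # encryption slide
```

The D-H shared key is `ec_mul(nA, PB, a, p)` on one side and `ec_mul(nB, PA, a, p)` on the other; each side should reject a peer point for which `on_curve` is false.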


ECC Security

- compared to factoring, can use much smaller key sizes than with RSA etc
- for equivalent key lengths computations are roughly equivalent