7/31/2019 Elliptic Curve Lrp
1/50
ELLIPTIC CURVECRYPTOSYSTEM
GUIDE
MAJ TS BAINS
7/31/2019 Elliptic Curve Lrp
2/50
BIBOLOGRAPHY
A.J. Menezes, P.C. van Oorschot, and S.A.
Vanstone, "Handbook of Applied Cryptography", D.R. Stinson, "Cryptography: Theory and
Practice",
D. Johnson and A.J. Menezes, "Elliptic Curve
DSA (ECDSA): An Enhanced DSA", Certicomwhitepaper, March 1997.
Certicom Corp., "An Introduction to InformationSecurity", Certicom whitepaper, number 1, March
1997. N. Koblitz, "Elliptic curve cryptosystems",
Mathematics of Computation, number 48, pages203-209, 1987.
7/31/2019 Elliptic Curve Lrp
3/50
CRYPTOSYSTEM CONFIDENTIALITY - CONCEALMENT OF DATA
FROM ALL BUT AUTHORIZED PARTIES. USER AUTHENTICATION - ASSURANCE THAT THE
PARTIES INVOLVED IN A REAL-TIMETRANSACTION ARE WHO THEY SAY THEY ARE.
DATA ORIGIN AUTHENTICATION - ASSURANCE OF
THE SOURCE OF A MESSAGE. DATA INTEGRITY - ASSURANCE THE DATA HAS
NOT BEEN MODIFIED BY UNAUTHORIZEDPARTIES.
NON-REPUDIATION - THE BINDING OF AN ENTITY
TO A TRANSACTION IN WHICH IT PARTICIPATES,SO THAT THE TRANSACTION CANNOT LATER BEREPUDIATED. THAT IS, THE RECEIVER OF ATRANSACTION IS ABLE TO DEMONSTRATE TO ANEUTRAL THIRD PARTY THAT THE CLAIMEDSENDER DID INDEED SEND THE TRANSACTION.
7/31/2019 Elliptic Curve Lrp
4/50
ELLIPTIC CURVE
IN 1985, NEIL KOBLITZ AND VICTOR MILLERINDEPENDENTLY PROPOSED THE ELLIPTIC CURVECRYPTOSYSTEM (ECC),
1997 ACCEPTED.
SECURITY RESTS ON THE DISCRETE LOGARITHMPROBLEM OVER THE POINTS ON AN ELLIPTIC CURVE.
ECC CAN BE USED TO PROVIDE BOTH A DIGITALSIGNATURE SCHEME AND AN ENCRYPTION SCHEME.
AN ELLIPTIC CURVE OVER REAL NUMBERS MAY BEDEFINED AS THE SET OF POINTS (X ,Y) WHICH SATISFYAN ELLIPTIC CURVE EQUATION
7/31/2019 Elliptic Curve Lrp
5/50
ELLIPTIC CURVE
AN ELLIPTIC CURVE, DEFINED OVER MODULOPRIME P, IS THE SET OF SOLUTIONS (X,Y) TOAN EQUATION OF THE FORM OF A FINITE FD ZP
y2= x3+ ax+ b (mod p)
FOR TWO NUMBERS a AND b. a,b Z
(a,b) SHOULD SATISFY 4a3 +27b2 =0 (mod p)
7/31/2019 Elliptic Curve Lrp
6/50
Let p= 23
elliptic curveE: y2
= x3
+ x +1definedover Z23.
a= 1 and b =1 4a3+27b2 =4 +4 = 8 , so
Eisindeed an elliptic curve. QR{ 1, 2 ,3 ,4, 6, 8 ,9 ,12,13,16,18}
An Example
7/31/2019 Elliptic Curve Lrp
7/50
7/31/2019 Elliptic Curve Lrp
8/50
7/31/2019 Elliptic Curve Lrp
9/50
The points in E(Z23) are and the following:
(0,1) (0, 22) (1, 7) (1, 16)
(3, 10) (3, 13) (4, 0)
(5, 19) (5, 4) (6, 4) (6, 19)
(7, 11) (7, 12) (9, 7) (9, 16)
(11, 3) (11, 20) (12, 19) (12, 4)
(13, 16) (13, 7) (17, 3) (17, 20)
(18, 3) (18, 20) (19, 5) (19, 18)
7/31/2019 Elliptic Curve Lrp
10/50
SUGGESTED SCOPE
ELLIPTIC CURVE FINITE FD F(P) WHERE P IS PRIME NO
7/31/2019 Elliptic Curve Lrp
11/50
PROBLEM AREAS
RESIDUAL OF POLYNOMIAL
QUADRATIC RATIO OF POLYNOMIAL. KNOWLEDGE OF C++
7/31/2019 Elliptic Curve Lrp
12/50
TIME SCHEDULE
7/31/2019 Elliptic Curve Lrp
13/50
SCOPE
CHOOSE A ELLIPTIC CURVE OVER
A GALIOS FIELD OF HIGHER ORDER F(2p150)
DEVP OF SW FOR ADDITION TWO PTSOVER
EC OF GIVEN MODULO.
DEVP OF SW FOR ENCRYPT & DECRYPT
USING ECC. GENRATE A PAIR OF PUB & PVT KEY
ENCRYPT A MSG
ECC FOR AUTHENTICATION
7/31/2019 Elliptic Curve Lrp
14/50
ECC TOPICS TO BE UNDERSTOOD
ELLIPTIC CURVE
DLP
FINITE FD GALIEOS FIELD
QUDRATIC RATIO
RESIDUAL OF A POLYNOMIAL DISCREATE ALOG FACTORISATION
ELIPTIC CURVE CRYPTOSYSTEM
C++
7/31/2019 Elliptic Curve Lrp
15/50
ELLIPTIC CURVES:-
An Elliptic curve over a field Zp is the set of points
(x,y) with x,y Zp which satisfy the equationY2 = x3 + ax +b
Together with a single element denoted by 0 and
called the point at infinity.
R
-R = (P + Q)
PQ
Assumption :-1. If P is a point at infinity 0,
thenP to be 0 and P+Q = Q,
ie 0 is additive identity (zeroelement)
2. If P = (x,y), thenp = (x-y)
ie.(x, y) = (x, -y)
x same - .
7/31/2019 Elliptic Curve Lrp
16/50
3. If P and Q have different x-coordinates, then
the line PQ intersects the curve exactly at onemore point R, and
P + Q = -R (mirror image = -R)
4. If Q = -P, P +Q =0
(ie. Q has same x buty)
5.
If P=Q, then let l be tangent line to the curve at P
7/31/2019 Elliptic Curve Lrp
17/50
ELLIPTIC CURVES CRYPTOSYSTEM (ECC) :-
Let p > 3 be prime. The elliptic curve y2 = x3 +ax +b
Over Zp is the set of solutions (x,y) Zp x Zp to thecongruence
y2 x3 +ax +b (mod p)Where a, b Zp are constants such that4a3 + 27b3 0 (mod p),Together with a special point 0 called point at infinity
Let P = (x1 y1), Q = (x2 y2)
P + Q = R = (x3, y3)X3 = 2 - x1x2Y3 = (x1- x3)y1
7/31/2019 Elliptic Curve Lrp
18/50
= y2y1x2x1
, if P Q
3x12 + a
2y1, if P = Q
7/31/2019 Elliptic Curve Lrp
19/50
Ex :- Let EC be y2 = x3 +x + 6 over Z111. Determine thepoints on E, for this by looking
at each possible x Z11
computing x3 +x + 6
mod 11 is a quadratic residue by applying rulers
criterion.
quadratic residue y2 a mod 11x = 0, y2 = 6x = 1 y2 = 8
x = 2 y2 = 5
x = 3 y2 = 3
x = 4 y2 = 8
x = 5 y2 = 4 QR11x = 6 y2 = 8
x = 7 y2 = 4
x = 8 2 = 9
(= 23 + 2 +6 mod 11
= 8+8 mod 11=5)( = 32 + 3 + 6
= 27 +3 +6 =36)
QR11
7/31/2019 Elliptic Curve Lrp
20/50
x = 9 y2 = 7
x = 10 y2 = 4 QR11
QR (11) = {1, 3, 4, 5, 9}
12 = 1 mod 11
22 = 4 mod 11
32
= 9 mod 1142 = 16 mod 11= 5
52 = 25 mod 11= 3
62 = 36 mod 11= 3
72 = 49 mod 11= 5
82 = 64 mod 11= 9
92 = 81 mod 11= 4
102
= 100 mod 11= 1
QR (11) = { 2, 6 ,7, 8, 10 }
7/31/2019 Elliptic Curve Lrp
21/50
* Explicit formula to compute square roots of
quadratic residue mod p for primes p 3 (mod 4)
* By this formula,We have square roots of a quadratic residue Z are
= z (11+1)/4 mod11 = z 1 2/4 mod 11
= z 3 mod 11
* Let x =2, y2 = 5 mod 11
y = 53 mod 11= 125 mod 111
= 4 mod 11+ve = 4
-ve = -4 mod 11 = 7
* Points (x, y) (2,4)(2,7)
z (p+1)/4 mod p
7/31/2019 Elliptic Curve Lrp
22/50
x = 3, y2 = 3 mod 11
y = 33 mod 11= 27 mod 11= 5
+ve = 5-ve = -5 mod 11 = 6
Points (x, y) (3, 5), (3, 6)
* P i h lli i 2 3 6
7/31/2019 Elliptic Curve Lrp
23/50
* Points on the elliptic curve y2 = x3 +x + 6
over mod 11. Ie over Z11* Remember 4a3 + 27b3 0 mod 11
Here a = 1, b = 6
4.13 + 27.63 0 mod 114 + 5.3 0 mod 11
* P +12 p # E p +1 + 2 p# No. of point on EC.
* Any point other than point at infinity is a generator
of E, if it has prime no. of points.Let = (2, 7)Is this a generators
Ie. 2, 3, 4-------------- must be points on EC
7/31/2019 Elliptic Curve Lrp
24/50
* 2 = (2, 7) + (2, 7)= 3x12 + a if P = Q
2y1
(3.22 +1) (12 +1) 2
2.7 14 3
=2 x 4 = 8 (mod11)
2p = p + p
= = = 2 x 3-1
22 = (5,2)
X3 = 2x1- x2 8222 = 5
Y3 = (x1x2)y1 8 (2-5)-7 =2
7/31/2019 Elliptic Curve Lrp
25/50
* Similarly 3 = 2 + =(5,2) + (2,7)
P + Q = y2y1 if P Qx2x1
X3 = 2x1x2Y3 = (x1- x3)y1X3 = 2252 mod 11
= 8
Y3 = 2(5-8)-2 mod 11= 3
3 = 81 3
=7-2
2-5
= 5-3
= 5 x 8-1
=5 x 7=2
7/31/2019 Elliptic Curve Lrp
26/50
x X2+x+6mod11
In QR(11)? Y Points onEC
0 6 no
1 8 no
2 5 yes 4, 7 (2, 4)(2,7)
3 3 yes 5, 6 (3, 5) (3,6)
4 8 no
5 4 yes 2, 9 (5, 2) (5,9)
6 8 no
7 4 yes 2, 9 (7, 2) (7,
7/31/2019 Elliptic Curve Lrp
27/50
MenezesVastone ECC(1993):-
* Journal of Cryptology, 6 (1993) pp 209-214
* IEEE Trans. on IT, 39,(1993) pp 1639 - 1646(1) Let E be an elliptic curve over Zp, P>3 and
prime such that E contains a cyclic subgroup H
in which in which discrete log prob.isintractible.
(2) Let P = Zp* x Zp
*
C = E x Zp*
x Zp*
andK = {(E, , a : = a )}where E.
(3) and are publicand a is secret
7/31/2019 Elliptic Curve Lrp
28/50
(4) For K = ( E, , a, ), for a secret randomNumber k Z|H| and for x = (x1, x2) Zp*x Zp*
(5) Define ek (x1 k) = (y0 y1 y2)pt.
(6) For a cipher text y
y = (y0, y1,y2)Define
dk(y) = (y1 c1-1 mod p, y2 c2
-1 mod p)
Where ay0 =(C1, C2)
Note :- (i) x = (x1, x2) Zp*x Zp*
is not a point on E.
(ii) k a secret random number
Z|H|
y0 =k(c1, c2) =k[=ax]y1 =c1x1 mod p
y2 =c2x2 mod p
7/31/2019 Elliptic Curve Lrp
29/50
MenezesVanstone ECC basd on E1 Gamal
Encryption Scheme
Plaintextx(9,1)
chooses
random(k)= 6
Cipher textya secret key(a)
=7
y0 = (7, 9)
y1 = 6
y2 = 3
Y =(y0, y1,y2)
(E, , )
= a
Bs public key
A B
SENDERRECEIVER
7/31/2019 Elliptic Curve Lrp
30/50
X EC
X = (x1, x2) point
X Zp*x Zp*
Zp* - field
Prime, p > 3
= (2, 7)generator of EC or
Primitive elements of
Computes (y0 y1 y2)y0 = k.y1 = c1x1 mod p
y2
= c2x
2mod p
Kobnitz (1987)
Miller (1986)
Menzes (1993)
Menzes- vaustone
1993MOV (1994)
B computes
(c1, c2) = a y0
Secret of B
(c1,c2) = a.y0 (7.9)
y0
EC(--,--)
(8, 3)
c1 = 8, c2 = 3
X = (y1c1
-1 mod p,
y2c2-1 mod p)
= (9,1)
(9, 1)
7/31/2019 Elliptic Curve Lrp
31/50
E1 Gamel Encryption using EC:-
Let = (2, 7) and Bs Secret (key) exponent is
, so = 7. = (7, 2)a = 7 By ECC7p = kp Point onEC
Sender Ax1k Receiver B a1y
Now A wants to encrypt the plaintext x = (x1,x2)
= (9,1), where x is not a point on E and chooses the
random value k = 6.
A computes y0 = k = 6 (2,7) = (7,9)and k= 6 (7,2) = (8,3)
= (c1 c2)
so c1 = 8 and c2 = 3
Ne t A calc lates ( ) c mod p 8 9 mod11
7/31/2019 Elliptic Curve Lrp
32/50
Next A calculates (y1) = c1x1 mod p = 8 x 9 mod11
= 6
and (y2) = c2x2 mod p = 3 x 1 mod 11
= 3Thus cipher-text A sends is
y = (y0, y1, y2) = [(7, 9), 6, 3 ]
When B receives the ciphertext y,B computes (c1, c2) = a y0 = 7 (7, 9) = (8, 3)
And then x = (y1 c1-1 mod p, y2 c2
-1 mod p)
= (6 x 8-1
mod 11, 3 x 3-1
mod 11)= (6 x 7 mod 11, 3 x 4 mod 11)
= (9, 1)
Hence the decryption yields the correct plaintext.
ELLIPTIC CURVES:
7/31/2019 Elliptic Curve Lrp
33/50
ELLIPTIC CURVES:-
An Elliptic curve over a field Zp is the set of points
(x,y) with x,y Zp which satisfy the equationY2 = x3 + ax +bTogether with a single element denoted by 0 and
called the point at infinity.
R
-R = (P + Q)
PQ
Assumption :-1. If P is a point at infinity 0,
thenP to be 0 and P+Q = Q,
ie 0 is additive identity (zeroelement)
2. If P = (x,y), thenp = (x-y)
ie.(x, y) = (x, -y)
x same - .
7/31/2019 Elliptic Curve Lrp
34/50
3. If P and Q have different x-coordinates, then
the line PQ intersects the curve exactly at onemore point R, and
P + Q = -R (mirror image = -R)
4. If Q = -P, P +Q =0
(ie. Q has same x buty)
5.
If P=Q, then let l be tangent line to the curve at P
ELLIPTIC CURVES CRYPTOSYSTEM (ECC)
7/31/2019 Elliptic Curve Lrp
35/50
ELLIPTIC CURVES CRYPTOSYSTEM (ECC) :-
Let p > 3 be prime. The elliptic curve y2 = x3 +ax +b
Over Zp is the set of solutions (x,y) Zp x Zp to thecongruence
y2 x3 +ax +b (mod p)Where a, b Zp are constants such that
4a3 + 27b3 0 (mod p),Together with a special point 0 called point at infinity
Let P = (x1 y1), Q = (x2 y2)
P + Q = R = (x3, y3)X3 = 2 - x1x2Y3 = (x1- x3)y1
7/31/2019 Elliptic Curve Lrp
36/50
= y2y1x2x1
, if P Q
3x12 + a
2y1, if P = Q
E L t EC b 2 3 6 Z
7/31/2019 Elliptic Curve Lrp
37/50
Ex :- Let EC be y2 = x3 +x + 6 over Z111. Determine thepoints on E, for this by looking
at each possible x Z11 computing x3 +x + 6mod 11 is a quadratic residue by applying rulers
criterion.
quadratic residue y2 a mod 11x = 0, y2 = 6x = 1 y2 = 8
x = 2 y2 = 5
x = 3 y2 = 3
x = 4 y2 = 8x = 5 y2 = 4 QR11x = 6 y2 = 8
x = 7 y2 = 4
x = 8 2 = 9
(= 23 + 2 +6 mod 11
= 8+8 mod 11=5)( = 32 + 3 + 6
= 27 +3 +6 =36)
QR11
x = 9 y2 = 7
7/31/2019 Elliptic Curve Lrp
38/50
x = 9 y2 = 7
x = 10 y2 = 4 QR11
QR (11) = {1, 3, 4, 5, 9}12 = 1 mod 11
22 = 4 mod 11
32
= 9 mod 1142 = 16 mod 11= 5
52 = 25 mod 11= 3
62 = 36 mod 11= 3
72 = 49 mod 11= 582 = 64 mod 11= 9
92 = 81 mod 11= 4
102
= 100 mod 11= 1
QR (11) = { 2, 6 ,7, 8, 10 }
7/31/2019 Elliptic Curve Lrp
39/50
* Explicit formula to compute square roots of
quadratic residue mod p for primes p 3 (mod 4)
* By this formula,We have square roots of a quadratic residue Z are
= z (11+1)/4 mod11 = z 1 2/4 mod 11
= z 3 mod 11
* Let x =2, y2 = 5 mod 11y = 53 mod 11
= 125 mod 111
= 4 mod 11+ve = 4
-ve = -4 mod 11 = 7
* Points (x, y) (2,4)(2,7)
z (p+1)/4 mod p
7/31/2019 Elliptic Curve Lrp
40/50
x = 3, y2 = 3 mod 11
y = 33 mod 11= 27 mod 11= 5
+ve = 5-ve = -5 mod 11 = 6
Points (x, y) (3, 5), (3, 6)
* Points on the elliptic curve y2 = x3 +x + 6
7/31/2019 Elliptic Curve Lrp
41/50
* Points on the elliptic curve y = x +x + 6
over mod 11. Ie over Z11* Remember 4a3 + 27b3 0 mod 11
Here a = 1, b = 64.13 + 27.63 0 mod 114 + 5.3 0 mod 11
* P +12 p # E p +1 + 2 p# No. of point on EC.
* Any point other than point at infinity is a generator
of E, if it has prime no. of points.Let = (2, 7)Is this a generators
Ie. 2, 3, 4-------------- must be points on EC
* 2 (2 7) (2 7)
7/31/2019 Elliptic Curve Lrp
42/50
* 2 = (2, 7) + (2, 7)= 3x12 + a if P = Q
2y1
(3.22 +1) (12 +1) 2
2.7 14 3
=2 x 4 = 8 (mod11)
2p = p + p
= = = 2 x 3-1
22 = (5,2)
X3 = 2x1- x2 8222 = 5
Y3 = (x1x2)y1 8 (2-5)-7 =2
7/31/2019 Elliptic Curve Lrp
43/50
* Similarly 3 = 2 + =(5,2) + (2,7)
P + Q = y2y1 if P Qx2x1
X3 = 2x1x2Y3 = (x1- x3)y1X3 = 2252 mod 11
= 8
Y3 = 2(5-8)-2 mod 11= 3
3 = 81 3
=7-2
2-5
= 5-3
= 5 x 8-1
=5 x 7=2
2
7/31/2019 Elliptic Curve Lrp
44/50
x X2+x+6mod11
In QR(11)? Y Points onEC
0 6 no
1 8 no
2 5 yes 4, 7 (2, 4)(2,7)
3 3 yes 5, 6 (3, 5) (3,6)
4 8 no
5 4 yes 2, 9 (5, 2) (5,9)
6 8 no
7 4 yes 2, 9 (7, 2) (7,
7/31/2019 Elliptic Curve Lrp
45/50
MenezesVastone ECC(1993):-
* Journal of Cryptology, 6 (1993) pp 209-214
* IEEE Trans. on IT, 39,(1993) pp 1639 - 1646(1) Let E be an elliptic curve over Zp, P>3 and
prime such that E contains a cyclic subgroup H
in which in which discrete log prob.isintractible.
(2) Let P = Zp* x Zp
*
C = E x Zp*
x Zp*
andK = {(E, , a : = a )}where E.
(3) and are publicand a is secret
7/31/2019 Elliptic Curve Lrp
46/50
(4) For K = ( E, , a, ), for a secret randomNumber k Z|H| and for x = (x1, x2) Zp*x Zp*
(5) Define ek (x1 k) = (y0 y1 y2)pt.
(6) For a cipher text y
y = (y0, y
1,y
2)
Define
dk(y) = (y1 c1-1 mod p, y2 c2
-1 mod p)
Where ay0 =(C1, C2)
Note :- (i) x = (x1, x2) Zp*x Zp*is not a point on E.
(ii) k a secret random number
Z|H|
y0 =k(c1, c2) =k[=ax]y1 =c1x1 mod p
y2 =c2x2 mod p
Menezes Vanstone ECC basd on E1 Gamal
7/31/2019 Elliptic Curve Lrp
47/50
MenezesVanstone ECC basd on E1 Gamal
Encryption Scheme
Plaintextx(9,1)
chooses
random(k)= 6
Cipher texty
a secret key(a)
=7
y0 = (7, 9)
y1 = 6y2 = 3
Y =(y0, y1,y2)
(E, , )
= a
Bs public key
A B
SENDER
RECEIVER
X EC B t
7/31/2019 Elliptic Curve Lrp
48/50
X EC
X = (x1, x2) point
X Zp*x Zp*
Zp* - field
Prime, p > 3
= (2, 7)generator of EC or
Primitive elements of
Computes (y0 y1 y2)y0 = k.y1 = c1x1 mod p
y2
= c2
x2
mod p
Kobnitz (1987)
Miller (1986)
Menzes (1993)
Menzes- vaustone
1993
MOV (1994)
B computes
(c1, c2) = a y0
Secret of B
(c1,c2) = a.y0 (7.9)
y0EC(--,--)
(8, 3)
c1 = 8, c2 = 3
X = (y1c1
-1 mod p,
y2c2-1 mod p)
= (9,1)
(9, 1)
E1 G l E ti i EC
7/31/2019 Elliptic Curve Lrp
49/50
E1 Gamel Encryption using EC:-
Let = (2, 7) and Bs Secret (key) exponent is, so = 7. = (7, 2)
a = 7 By ECC7p = kp
Point onEC
Sender Ax1k Receiver B a1y
Now A wants to encrypt the plaintext x = (x1,x2)= (9,1), where x is not a point on E and chooses the
random value k = 6.
A computes y0 = k = 6 (2,7) = (7,9)and k= 6 (7,2) = (8,3)
= (c1 c2)
so c1 = 8 and c2 = 3
Next A calculates (y1) = c1x1 mod p = 8 x 9 mod11
7/31/2019 Elliptic Curve Lrp
50/50
Next A calculates (y1) c1x1 mod p 8 x 9 mod11
= 6
and (y2) = c2x2 mod p = 3 x 1 mod 11
= 3Thus cipher-text A sends is
y = (y0, y1, y2) = [(7, 9), 6, 3 ]
When B receives the ciphertext y,B computes (c1, c2) = a y0 = 7 (7, 9) = (8, 3)
And then x = (y1 c1-1 mod p, y2 c2
-1 mod p)
= (6 x 8
-1
mod 11, 3 x 3
-1
mod 11)= (6 x 7 mod 11, 3 x 4 mod 11)
= (9, 1)
Hence the decryption yields the correct plaintext.