Elliptic Curve Cryptography

Presented By
Nemi Chandra Rathore
[Link] WCC
IWC2008013

Indian Institute of Information Technology

1
Allahabad
 Outlines
 Introduction
 Public Key Cryptosystem
 Elliptic Curve
 Finite Fields on Elliptic Curve
 Elliptic Curve Cryptography
 References

Indian Institute of Information Technology

2
Allahabad
 Introduction
 The use of elliptic curves in cryptography was suggested
independently by Neal Koblitz and Victor S. Miller in 1985.

 The Elliptic curve cryptography (ECC) is an approach to public-key

cryptography based on the algebraic structure of elliptic curves over
finite fields.

 Security of Public-Key Cryptography depends on the difficulty of

solving the Hard Problems defined in Complexity Theory.

Indian Institute of Information Technology

3
Allahabad
Background of Public Key Cryptosystem
 The Cryptosystems based on following mathematical problem
are considered secure and efficient :
1. Integer Factorization problem (IFP)
Examples are RSA ,Rabin-Williams
2. Discrete Logarithm Problem (DLP)
U.S. Govt.’s DSA, Diffie-Hellman and MQV key agreement
scheme, the ElGamal encryption and signature scheme. etc
3. Elliptic Curve Discrete Logarithm Problem (ECDLP)
ECDSA , Elliptic Curve Diffie-Hellman & elliptic curve MQV key
agreement schemes the ElGamal encryption and signature
scheme etc.

Indian Institute of Information Technology

4
Allahabad
 None of these problems have been proven intractable but they
are believed to be intractable.

 Since 1985, ECC has received intense scrutiny from

cryptographers, mathematicians, and computer scientists
around the world. On the one hand, the fact that no significant
weaknesses have been found has led to high confidence in the
security of ECC.

 ECC has become more attractive rather than RSA and DSA.

5
Public Key Cryptosystem….

Indian Institute of Information Technology

Allahabad 6
Public Key Cryptosystem….

Indian Institute of Information Technology

7
Allahabad
 Introduction Continued …

 For Elliptic-curve-based protocols, it is assumed that finding the

discrete logarithm of an elliptic curve element is infeasible. The size
of the elliptic curve determines the difficulty of the problem.

 Over the past few years elliptic curve cryptography has been gaining
popularity and being standardized around the world by agencies
such as ANSI, IEEE and ISO.

 The U.S. National Security Agency has endorsed ECC technology by

including it in its Suite B set of recommended algorithms and allows
their use for protecting information classified up to top secret with
384-bit keys.

Indian Institute of Information Technology

8
Allahabad
 Elliptic Curve
 An elliptic curve is the set of solutions of an equation of the form

y2 = x3 + ax + b .
Where the co-efficeints a and b are elements of the field and
4a3 + 27b2 ≠ 0. Each value of the 'a' and 'b' gives a different elliptic curve.

 An equation of this kind can be studied over various mathematical

structures, such as a ring or a field.

 One interesting property of set of solutions of elliptic curve is that it forms a

group which enables us to do Cryptography. The public key is a point in the
curve and the private key is a random number. The public key is obtained by
multiplying the private key with the generator point G in the curve.

Indian Institute of Information Technology

9
Allahabad
 Elliptic Curve Continued …

Source :: [Link]
Indian Institute of Information Technology
10
Allahabad
 Elliptic Curve Continued …

Graphical Representation

Y axis

X axis

Curves of this nature

are called ELLIPTIC
CURVES

Indian Institute of Information Technology

11
Allahabad
 Elliptic Curve Continued …
Point Addition
 Point addition is the addition of two points J and K on an
elliptic curve to obtain another point L on the same elliptic
curve.

Fig. 1 a Definition of Point Addition operation in Elliptic Curve

Indian Institute of Information Technology
12
Allahabad
 Elliptic Curve Continued …
 An extra point at infinity O is added to the curve, which lies
infinitely far on the vertical axis. This point O will become the
identity of the elliptic curve group.

 Let J=(x1,y1) and K=(x2,y2) then the sum of J and K (where none
of them is O) is ,
L=J+K where L=(x3,y3)
where x 3 =  2 - x 1 - x2
y3 =  (x1 - x3) - y1
and  is the slope of the line and is given by following formula
 = (3x12+a)/2y1 if x1 = x2
 = (y2-y1)/(x2-x1) otherwise

Indian Institute of Information Technology

13
Allahabad
 Elliptic Curve Continued …
Point Doubling
 Point doubling is the addition of a point J on the elliptic
curve to itself to obtain another point L on the same elliptic
curve.

Indian Institute of Information Technology

14
Allahabad
 Point Multiplication
 In point multiplication a point P on the elliptic curve is
multiplied with a scalar k using elliptic curve equation to
obtain another point Q on the same elliptic curve
i.e. kP=Q

 Point multiplication is achieved by two basic elliptic curve

operations
 Point addition
 Point doubling,

 For example If k = 23 then kP = 23.P = 2(2(2(2P) + P) + P) + P.

Indian Institute of Information Technology

15
Allahabad
 The Abelian Group
 Given two points P,Q in E(Fp), there is a third point,
denoted by P+Q on E(Fp), and the following relations hold
for all P,Q,R in E(Fp)

• P + Q = Q + P (commutativity)

• (P + Q) + R = P + (Q + R) (associativity)
• P + O = O + P = P (existence of an identity element)

• there exists ( − P) such that − P + P = P + ( − P) = O

(existence of inverses)

Indian Institute of Information Technology

16
Allahabad
 Associativity

Indian Institute of Information Technology

17
Allahabad
 Finite Fields on Elliptic Curve
 The elliptic curve operations defined above are on real
numbers which will lead to slow Cryptographic operations.

 To make operations on elliptic curve accurate and more

efficient, the elliptic curve cryptography is defined over two
finite fields.
 Prime field Fp
 Binary field F2m

 The field is chosen with finitely large number of points suited

for cryptographic operations.
Indian Institute of Information Technology
18
Allahabad
 Elliptic Curve on Prime field Fp
 The equation of the elliptic curve on a prime field Fp is
y2 mod p= x3 + ax + b mod p, where 4a3 + 27b2 mod p ≠ 0.
Here the elements of the finite field are integers between 0
and p - 1. All the operations such as addition, subtraction,
division, multiplication involves integers between 0 and p – 1.

 The prime number p is chosen such that there is finitely large

number of points on the elliptic curve to make the
cryptosystem secure. SEC specifies curves with p ranging
between 112-521 bits.

SEC = Standards for Efficient Cryptography

Indian Institute of Information Technology

19
Allahabad
 Algebraic Rules for Prime Field FP
Point Addition
Let P=(x1,y1) and Q=(x2,y2) and the sum is L=(x3,y3)
where x3 = 2 - x1 - x2 mod P
y3 =  (x1 - x3) - y1 mod P
and  the slope of line is given by
 = (3x12+a)/2y1 if x1 = x2
 = (y2-y1)/(x2-x1) otherwise

Point Subtraction
It is defined as follows
J-K =J+(-K) where -K=(x2,-y2 mod P)

 Point Multiplication is also defined is similar way as defined for real

numbers only addition is the mod P operation.
Indian Institute of Information Technology
20
Allahabad
 EC on Binary Field F2m
 The equation of the elliptic curve on a binary field F2m is
y2 + xy = x3 + ax2 + b , where b ≠ 0.

 The elements of this finite field are integers of length at most

m bits that can be considered as a binary polynomial of degree
m – 1 with coefficients either 0 or 1. SEC specifies curves with m
ranging between 113-571 bits.

 Rules for point addition, doubling and multiplication are same as

before.

Indian Institute of Information Technology

21
Allahabad
 Elliptic Curve Cryptosystem
 Majority of public key cryptosystems (RSA,D-H) use either integer or
polynomial arithmetic with very large numbers/polynomials.

 Imposes a significant load in storing and processing keys and messages.

 An alternative is to use elliptic curves that offers same security with

smaller bit sizes.

 The security of ECC depends on the difficulty of Elliptic Curve Discrete

Logarithm Problem. Let P and Q be two points on an elliptic curve such
that kP = Q, where k is a scalar. Given P and Q, it is computationally
infeasible to obtain k, if k is sufficiently large. k is the discrete logarithm
of Q to the base P.

Indian Institute of Information Technology

22
Allahabad
 Elliptic Curve Domain parameters
 Apart from the curve parameters a and b, there are other parameters
that must be agreed by both parties involved in secured and trusted
communication using ECC. These are called domain parameters.

 The domain parameters for Elliptic curve over Fp are p, a, b, g, n and

h, where
 p is the prime number defined for finite field Fp
 a and b are the parameters defining the curve y2 mod p= x3 + ax + b mod
p.
 g is the generator point (xg, yg), a point on the elliptic curve chosen for
cryptographic operations.
 n is the order of the elliptic curve.
 h is the cofactor where h = #E(Fp)/n. #E(Fp) is the number of points on an
elliptic curve.

Indian Institute of Information Technology

23
Allahabad
 ECDH - Elliptic Curve Diffie Hellman
 ECDH is a key agreement protocol that allows two parties to
establish a shared secret key that can be used as a private key for
encryption algorithms.

 Both parties exchange some public information to each other. Using

this public data and their own private data these parties calculates
the shared secret. Any third party, who doesn't have access to the
private details of each device, will not be able to calculate the
shared secret from the available public information.

 For generating a shared secret between A and B using ECDH, both

have to agree up on Elliptic Curve domain parameters.

Indian Institute of Information Technology

24
Allahabad
 ECDH….
 Both end have a key pair consisting of a private key d (a randomly
selected integer less than n) and a public key Q = d * G (G is the
generator point, an elliptic curve domain parameter).

 Let (dA, QA) be the private key - public key pair of A and (dB, QB) be
the private key - public key pair of B
 The end A computes K = (xK, yK) = dA * QB
 The end B computes L = (xL, yL) = dB * QA
 Since dAQB = dAdBG = dBdAG = dBQA. Therefore K = L and hence xK = xL
 Hence the shared secret is xK.

 It is practically impossible to find the private key dA or dB

from the public key K or L, its not possible to obtain the shared
secret for a third party.
Indian Institute of Information Technology
25
Allahabad
ECDSA - Elliptic Curve Digital Signature Algorithm
 is used for authenticating a device or a message sent by the
device
 Signature Generation
To sign a message m, an entity A with domain parameters
(p,Ep(a,b),G,n) and associated key pair (x,Q) does the following:
1. Select an integer k such that 1 ≤ k ≤ n−1.
2. Compute kQ = (x1,y1).
3. Compute r = x1 (mod n). If r = 0 then go to step 1.
4. Compute k−1 (mod n).
5. Compute SHA-1(m) and convert this string to an integer H(m).
6. Compute s = k−1(H(m)+xr) (mod n). If s = 0, then go to step 1.
7. A’s signature for the message m is (r, s).
Indian Institute of Information Technology
26
Allahabad
 ECDSA ….
Signature Verification
To verify A’s signature (r, s) on m, B obtains an authentic copy of A’s
domain parameter (p,E (a,b),G,n) and associated public key Q. B
p

then does the following:

1. Verify that r and s are integers in the interval [1,n−1].
2. Compute SHA-1(m) and convert this string to an integer H(m).
3. Compute w = s (mod n).
−1

4. Compute u = H(m)w (mod n) and u = rw (mod n).

1 2

5. Compute X = (x2,y2) = u1G+u2Q.

6. If X = O , then reject the signature. Otherwise, compute v = x 2

(mod n).
7. Accept the signature if and only if v = r.

Indian Institute of Information Technology

27
Allahabad
 The Advantages of Elliptic Curve
Cryptography
 The biggest advantage of elliptic curve cryptography is the drastic
reduction in overhead associated with it.

 Take this side by side comparison of required key sizes to achieve

different levels of security for RSA modulus n and an elliptic curve
system with a security parameter n.

Security Level (bits) RSA key length Elliptic curve key

(bits) length (bits)
80 1,024 160

256 15,360 512

Indian Institute of Information Technology

28
Allahabad
 Comparable Key Sizes
(Based on Running Time)
EC D L , IF S y m m e tr ic

112 512 56

160 1024 80

224 2048 112

DL – Discrete Logarithm
IF - Integer Factorization

Indian Institute of Information Technology

29
Allahabad
 Elliptic Curve Security
 The security of the Elliptic Curve algorithm is based on the
fact that it is very difficult (as difficult as factoring) to solve the
Elliptic Curve Discrete Logarithm Problem:

 Given two points P and Q where Q = kP, find the value of k .

Indian Institute of Information Technology

30
Allahabad
 Applications of ECC
• Many devices are small and have limited storage and
computational power
• Where can we apply ECC?
– Wireless communication devices
– Smart cards
– Web servers that need to handle many encryption sessions
– Any application where security is needed but lacks the
power, storage and computational power that is
necessary for our current cryptosystems
 Benefits of ECC
Same benefits of the other cryptosystems:
confidentiality, integrity, authentication and
non-repudiation but…
Shorter key lengths
– Encryption, Decryption and Signature Verification
speed up
– Storage and bandwidth savings
 References
 [Link]
 [Link]
 Elliptic Curves and Their Application to Cryptography-An Introduction By
Andreas [Link] ,KLUWER ACADEMIC PUBLISHERS.
 HANDBOOK OF ELLIPTIC AND HYPERELLIPTIC CURVE CRYPTOGRAPHY by
HENRY COHEN & GERHARD FREY , Roberto Avanzi, Christophe Doche,
Tanja Lange,Kim Nguyen, and Frederik Vercauteren CHAPMAN &
HALL/CRC,TAYLOR & FRANCIS GROUP , Boca Raton London New York
Singapore.
 [Link]
 [Link]
 [Link]
 [Link]

Indian Institute of Information Technology

33
Allahabad
Thanks for Listening!

Questions?

Indian Institute of Information Technology

34
Allahabad