Foundations of Cryptography - ECC pp. 1 / 31 ECC Elliptic Curve Cryptography

ECC Elliptic Curve Cryptography - Politecnico di Milano, home.deib.polimi.it/pelosi/lib/exe/fetch.php?media=teaching:ecc...

Jun 10, 2018


truonghanh


Elliptic Curve

• an elliptic curve E is a smooth, projective, algebraic curve defined by the following equation:

  $y^2 + a_1 xy + a_2 y = x^3 + a_3 x^2 + a_4 x + a_5, \quad a_i \in K$

  that has no cusps or self-intersections, and includes also special points at infinity
• point P(x, y) is on curve E if the coordinates x and y of P satisfy the equation of curve E
• the coefficients of curve E and the coordinates of the points P(x, y) of E are elements of a field K
• for cryptographic use K is always a finite field
• for the initial explanation it is useful to consider curves defined over the field R of real numbers


Group Law

• the points P of elliptic curve E constitute an additive (abelian or commutative) group with respect to a certain point addition rule
• the sum of two points P and Q of curve E is another point of the same curve E
• the point at infinity of curve E, denoted O, is the identity element (neutral element) of the group
• the opposite –P of a point P of curve E is the point symmetric to P with respect to the x axis (abscissa axis of the plane)
  – elliptic curves are always symmetric with respect to the abscissa axis of the plane


Point Addition

• the basic operation of the group is point addition
• curve E has the property that a straight line always intersects E in three points (not necessarily all distinct from one another)
• take two points P and Q on curve E, then to obtain the sum of P and Q do as follows:
  – draw the straight line passing through P and Q
  – the line intersects the curve in a third point S
  – the sum point of P and Q is the opposite of point S
• this construction is called “rule of the chord”


Point Addition – Representation

[Figure: rule of the chord, with points P, Q, S and P + Q marked on the curve; curve E is supposed defined on the field R of real numbers (to have a geometric representation)]


Point Doubling

• point doubling is a special case of point addition
• point doubling is the sum of point P to itself: P + P = 2P
• to obtain point 2P do as follows:
  – instead of drawing the straight line through P and Q
  – draw the tangent to curve E in the point P
  – tangent intersects curve E in a third point S
  – the opposite of point S is point 2P
• this construction is called “rule of the tangent”


Point Doubling – Representation

[Figure: rule of the tangent, with points P, S and 2P marked on the curve; curve E is supposed defined on the field R of real numbers (to have a geometric representation)]


Iterated Addition – k P

• the sum of a point P of E to itself can be repeated for k ≥ 2 times: k P = P + P + … + P (for k times)
• for every integer k ≥ 2, point k P is a point of E
• moreover pose:
  1P = P
  0P = O (point at infinity)
  –k P = k (–P) = (–P) + (–P) + … + (–P) (for k times)
  and thus allow k to be any integer (> 0, < 0 or = 0)
• k P is named “iterated sum” of P or simply “k P operation” (sometimes “scalar multiplication”)


Curve on a Finite Field

• elliptic curves can be restricted over finite fields:
  – the coefficients of the equation of the curve belong to a finite field K (of modular or polynomial type)
• the points P(x, y) of a curve E over a finite field K have coordinates x and y belonging to field K as well
• thus an elliptic curve over a finite field necessarily has finitely many points
• and the additive group of the points of an elliptic curve over a finite field is a finite group itself
• there is not any geometric representation of the group law, but the points of the curve can be represented exactly


Cryptographic Use

• Koblitz and Miller proposed to define the discrete logarithm problem (DLP) in the group of the points of an elliptic curve over a finite field
• take a curve E over a finite field K and a point P of E, then:
  – given an integer k, it is relatively easy to find point Q = k P (point Q is the iterated sum of P)
  – but given point Q such that there exists an integer k with Q = k P, it is very difficult to find such integer k
• the second (difficult) problem is called Elliptic Curve Discrete Logarithm Problem (ECDLP)


Order – Group and Point

• the group of the points of an elliptic curve E over a finite field K is denoted E(K)

• the order (i.e. the size) of group E(K) is the number of points of curve E and is denoted #E

• the order of a point P of curve E is the minimum integer n such that n P = O (point at infinity)

• if the order of group E(K) is prime, the group is necessarily cyclic and all the points of curve E have an order equal to the order of the group


Order – Cyclic (sub)groups

• for any curve E over a finite field K, it can be proved that the order of group E(K) is:
  – either a prime (see before)
  – or a composite number

• in the former case E(K) is itself a cyclic group, where ECDLP can be defined directly

• in the latter case the ECDLP must be formulated in a cyclic subgroup of prime order through finding a sufficiently large factor of the curve order #E


Order – How to Find a Curve

• it is necessary to construct elliptic curves with a group E(K) of sufficiently large order

• to construct a curve means to find the coefficients of the equation of the curve

• there are two methods for constructing elliptic curves suited to cryptographic use:
  – generate a random curve and count the number of points it has (discard the curve if points are too few)
  – use an algorithm for generating a curve with a predetermined order


Security of ECC

• the security level of the Elliptic Curve Discrete Log. Problem (ECDLP) depends on several factors and parameters, for instance:
  – underlying finite field K
  – structure of the elliptic curve E
  – order of entire group E(K)
  – order of specific curve points to use

• thus the choice of the appropriate curve to use is a crucial problem for cryptography

• a few curves where ECDLP has good security level are known and have been standardized


ECC over GF(p)

• for cryptographic purposes elliptic curves are defined over modular (prime) fields GF(p) or binary extension fields GF(2^n) (for some n 1)

• in a few rare cases other fields are used, like for instance the ternary extension fields GF(3^n)

• here attention is restricted to fields GF(p)

• a curve over GF(p) (with p ≠ 2, 3) can always be put, via a change of coordinates, in the form:

  $y^2 = x^3 + ax + b, \quad a, b \in GF(p), \quad 4a^3 + 27b^2 \neq 0$


ECC over GF(p)

• the geometric “rule of chord and tangent” shown for curves over the real field cannot be used directly in the finite fields GF(p)
• in GF(p) it is necessary to express the sum and doubling of points in terms of algebraic formulas on the coordinates of the points
• in GF(p) the opposite –P of a point P(x, y) is obtained by changing the sign of coordinate y of P (of course the change is mod p)

  coord. of –P = (x, –y mod p) = (x, p – y)


ECC Point Addition

• the sum of two points P(x1, y1) and Q(x2, y2) is obtained from the algebraic equation of the straight line through P and Q, which is:

  $\lambda = (y_2 - y_1) / (x_2 - x_1)$ (angular coefficient)
  $\nu = y_1 - \lambda x_1$ (intercept on axis y)
  $y = \lambda x + \nu$ (line equation)

• create the algebraic system of line and curve
• and with some passages the coordinates of the sum point are obtained (see next)


ECC Point Addition

  $y^2 = x^3 + ax + b$

• the system of straight line and curve equations is of degree three
• such a system has three different solutions
• call solutions on the x axis: x1, x2 and x3
• equation system has the following resolvent:

  $(\lambda x + \nu)^2 = x^3 + ax + b$
  $(x - x_1)(x - x_2)(x - x_3) = 0$


ECC Point Addition

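• resolvent can be rewritten as follows:

  $x^3 - \lambda^2 x^2 + (-2\lambda\nu + a)\,x + (-\nu^2 + b) = 0$
  $x^3 - (x_1 + x_2 + x_3)\,x^2 + (x_1 x_2 + x_1 x_3 + x_2 x_3)\,x - x_1 x_2 x_3 = 0$

• set $-\lambda^2$ equal to the coefficient of $x^2$ in the 2nd eq.:

  $-\lambda^2 = -(x_1 + x_2 + x_3) \;\Rightarrow\; x_3 = \lambda^2 - x_1 - x_2$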

• now x3 is known and it is possible to substitute it in the equation of the line, remembering that the obtained y is the opposite of the requested y3


ECC Point Doubling

• point doubling is the same as point addition
• but instead of a line passing through two points, the tangent to the curve through P(x1, y1) is used
• the equation of the tangent line is

  $\lambda = (3x_1^2 + a) / (2y_1)$
  $\nu = y_1 - \lambda x_1$

• then apply the same passages as point addition (omitted here) and obtain the x coordinate of point 2P (and then also the y coordinate)


Point Addition and Doubling


EC Diffie-Hellman

• it is possible to define a Diffie-Hellman key exchange protocol for the group of the points of an elliptic curve

• first users agree on the following items:
  – a finite field Fq
  – an elliptic curve E defined over field Fq (and thus they agree on a group of points E(Fq))
  – and a base point P of known order n

• then every user selects a secret key, i.e. selects a random integer 0 < ks < n

• finally every user computes his public key as Kp = ks P


EC Diffie-Hellman

• users A and B have secret keys ksA, ksB and public keys KpA, KpB, respectively:
  – user A obtains the public key of B and computes K = ksA KpB
  – user B obtains the public key of A and computes K = ksB KpA
• now A and B share the common secret K:

  K = ksA KpB = ksA ksB P = ksB ksA P = ksB KpA = K


EC ElGamal

• as in the case of the Diffie-Hellman key exchange algorithm, the ElGamal encryption algorithm can also be extended to elliptic curves
• public parameters are defined as in the case of ECDH: E(Fq)
• user A sends an encrypted message to B
• user B is equipped with a
  – secret key: 0 < ksB < n
  – public key: KpB = (n, P, ksB P)


EC – ElGamal Encryption

• user A does the following actions:
  – maps plaintext M to the finite field Fq (say M’ is the mapped plaintext)
  – selects a random integer: 0 < r < n
  – and computes:
    • point U = r P = (xU, yU)
    • point Q = r KpB = (xQ, yQ)
  – the ciphertext is composed either as
    • (U, C = M’ + Q)
    or
    • (U, C = M’ bitwise-xor xQ)


EC – ElGamal Decryption

• to decrypt, user B computes:
  – Q = ksB U
  – either
    • M’ = C - Q
    or
    • M’ = C bitwise-xor xQ
  – remaps field element M’ to cleartext M
• both parties compute the same point Q:

  Q = r KpB = r ksB P = ksB r P = ksB U = Q


EC Digital Signature Algorithm

• the Digital Signature Algorithm (DSA) that works in the multiplicative group of a finite field can be redefined on elliptic curves too

• ECDSA – Elliptic Curve Digital Signature Algorithm

• simply replace the multiplicative group of a finite field Fq* with the group of the points of an elliptic curve E(Fq)

• details are at page 14 of the notes on ECs.


Scalar Multiplication

• the basic operation in ECC is the “k P operation” (sometimes also called “scalar multiplication”)
• k P consists of the addition of P to itself k times
• the standard algorithm for performing k P is called “Double & Add” (D&A)
• algorithm D&A is a rearrangement of algorithm Square & Multiply (S&M) for exponentiation in modular (prime) fields
• rearrangement consists of replacing:
  – Square with Point Doubling
  – and Multiply with Point Addition
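
Added example (not from the original slides): the algebraic point addition and doubling formulas over GF(p), the Double & Add algorithm, and the EC Diffie-Hellman exchange, run together on a toy curve. The curve y^2 = x^3 + 2x + 2 over GF(17) with base point (5, 1) of order 19, the fixed secrets and all function names are assumptions chosen for illustration; `valid_public` is an added receiver-side check on the peer's public point.

```python
# Toy parameters, constructed for illustration and far too small for real use:
# curve y^2 = x^3 + 2x + 2 over GF(17), base point P = (5, 1) of prime order n = 19.
P_MOD, A, B = 17, 2, 2
BASE, ORDER = (5, 1), 19
INF = None  # point at infinity O, the identity element

def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P_MOD == 0

def neg(pt):
    # opposite point: (x, -y mod p)
    return INF if pt is INF else (pt[0], -pt[1] % P_MOD)

def add(p1, p2):
    # algebraic form of the chord (p1 != p2) and tangent (p1 == p2) rules
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF  # P + (-P) = O, including doubling a point with y = 0
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_MOD, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_MOD, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    # the line meets the curve at (x3, -y3); the sum is the opposite point
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def scalar_mult(k, pt):
    # Double & Add: scan k from its most significant bit
    if k < 0:
        return scalar_mult(-k, neg(pt))
    acc = INF
    for bit in bin(k)[2:]:
        acc = add(acc, acc)        # point doubling (the "square" step)
        if bit == "1":
            acc = add(acc, pt)     # point addition (the "multiply" step)
    return acc

def valid_public(pt):
    # receiver-side checks: not O, on the agreed curve, in the order-n subgroup
    return pt is not INF and on_curve(pt) and scalar_mult(ORDER, pt) is INF

def ecdh_shared(ks, peer_public):
    if not valid_public(peer_public):
        raise ValueError("peer public key rejected")
    return scalar_mult(ks, peer_public)

if __name__ == "__main__":
    ks_a, ks_b = 3, 7  # fixed toy secrets so the run is reproducible
    kp_a, kp_b = scalar_mult(ks_a, BASE), scalar_mult(ks_b, BASE)
    print(kp_a, kp_b, ecdh_shared(ks_a, kp_b), ecdh_shared(ks_b, kp_a))
```

Double & Add as written branches on the bits of the secret k, so its running time depends on the key; it illustrates the algorithm and is not a constant-time implementation.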


ECC – Security Level

• suppose we have:
  – a finite field K with elements of size of n bits
  – an elliptic curve E over the same field K

• in general the Discrete Logarithm Problem (DLP) in the group E(K) of the points of E over K, is much more difficult than the DLP in the multiplicative group K* of K

• this may be false if curve E is badly chosen, for instance when the number of points of E is too small

• however there are methods for avoiding such unfortunate situations (as mentioned before)


Security Level

• for comparing the security levels of two cryptographic algorithms A1 and A2, it is customary to specify for which field or key size (depending on the case) the costs of the most efficient known attacks to A1 and A2 are equal
• see the next table for a comprehensive comparison of some symmetric and asymmetric algorithms (published by NIST)
• such comparison figure may change as technology evolves and new more efficient attacks are discovered


Comparing Key Size and Algorithm

figures obtained from NIST