Lecture 10: Elliptic Curve Cryptography Wayne Patterson SYCS 653 Fall 2009

Jan 14, 2016

Page 1: Lecture 10: Elliptic Curve Cryptography

Lecture 10: Elliptic Curve Cryptography

Wayne Patterson

SYCS 653

Fall 2009

Page 2: Lecture 10: Elliptic Curve Cryptography

Elliptic Curve Crypto (ECC)

• “Elliptic curve” is not a cryptosystem

• Elliptic curves are a different way to do the math in public key systems

• Elliptic curve versions of DH, RSA, etc.

• Elliptic curves may be more efficient

– Fewer bits needed for same security

– But the operations are more complex

Page 3: Lecture 10: Elliptic Curve Cryptography

What is an Elliptic Curve?

• An elliptic curve E is the graph of an equation of the form

y^2 = x^3 + ax + b

• Also includes a “point at infinity”

• What do elliptic curves look like?

• See the following!

Page 4: Lecture 10: Elliptic Curve Cryptography

Elliptic Curves

• Elliptic curves as algebraic/geometric entities have been studied extensively for the past 150 years, and from these studies has emerged a rich and deep theory. Elliptic curve systems as applied to cryptography were first proposed in 1985 independently by Neal Koblitz from the University of Washington, and Victor Miller, who was then at IBM, Yorktown Heights.

Page 5: Lecture 10: Elliptic Curve Cryptography

• Many cryptosystems require the use of algebraic groups. Elliptic curves may be used to form elliptic curve groups. A group is a set of elements with custom-defined arithmetic operations on those elements. For elliptic curve groups, these specific operations are defined geometrically. Introducing more stringent properties to the elements of a group, such as limiting the number of points on such a curve, creates an underlying field for an elliptic curve group. Elliptic curves are first examined over real numbers in order to illustrate the geometrical properties of elliptic curve groups. Thereafter, elliptic curve groups are examined with the underlying fields of F_p (where p is a prime) and F_{2^m} (a binary representation with 2^m elements).

Page 6: Lecture 10: Elliptic Curve Cryptography

Elliptic Curve Groups over Real Numbers

• An elliptic curve over real numbers may be defined as the set of points (x,y) which satisfy an elliptic curve equation of the form y^2 = x^3 + ax + b, where x, y, a and b are real numbers.

• Each choice of the numbers a and b yields a different elliptic curve. For example, a = -4 and b = 0.67 gives the elliptic curve with equation y^2 = x^3 - 4x + 0.67; the graph of this curve is shown below:

• If x^3 + ax + b contains no repeated factors, or equivalently if 4a^3 + 27b^2 is not 0, then the elliptic curve y^2 = x^3 + ax + b can be used to form a group. An elliptic curve group over real numbers consists of the points on the corresponding elliptic curve, together with a special point O called the point at infinity.

Page 7: Lecture 10: Elliptic Curve Cryptography

• P + Q = R is the additive property defined geometrically.

Page 8: Lecture 10: Elliptic Curve Cryptography

Elliptic Curve Addition: A Geometric Approach

• Elliptic curve groups are additive groups; that is, their basic function is addition. The addition of two points in an elliptic curve is defined geometrically.

The negative of a point P = (x_P, y_P) is its reflection in the x-axis: the point -P is (x_P, -y_P). Notice that for each point P on an elliptic curve, the point -P is also on the curve.

Page 9: Lecture 10: Elliptic Curve Cryptography

Adding distinct points P and Q

• Suppose that P and Q are two distinct points on an elliptic curve, and that P is not -Q. To add the points P and Q, a line is drawn through the two points. This line will intersect the elliptic curve in exactly one more point, call it -R. The point -R is reflected in the x-axis to the point R. The law for addition in an elliptic curve group is P + Q = R. For example:

Page 10: Lecture 10: Elliptic Curve Cryptography
Page 11: Lecture 10: Elliptic Curve Cryptography

Adding the points P and -P

• The line through P and -P is a vertical line which does not intersect the elliptic curve at a third point; thus the points P and -P cannot be added as previously. It is for this reason that the elliptic curve group includes the point at infinity O. By definition, P + (-P) = O. As a result of this equation, P + O = P in the elliptic curve group. O is called the additive identity of the elliptic curve group; all elliptic curves have an additive identity.

Page 12: Lecture 10: Elliptic Curve Cryptography
Page 13: Lecture 10: Elliptic Curve Cryptography

Doubling the point P

• To add a point P to itself, a tangent line to the curve is drawn at the point P. If y_P is not 0, then the tangent line intersects the elliptic curve at exactly one other point, -R. -R is reflected in the x-axis to R. This operation is called doubling the point P; the law for doubling a point on an elliptic curve group is defined by:

P + P = 2P = R.

Page 14: Lecture 10: Elliptic Curve Cryptography

• The tangent from P is always vertical if y_P = 0.

Page 15: Lecture 10: Elliptic Curve Cryptography

Doubling the point P if y_P = 0

• If a point P is such that y_P = 0, then the tangent line to the elliptic curve at P is vertical and does not intersect the elliptic curve at any other point.

By definition, 2P = O for such a point P.

If one wanted to find 3P in this situation, one can add 2P + P. This becomes P + O = P. Thus 3P = P.

3P = P, 4P = O, 5P = P, 6P = O, 7P = P, etc.

Page 16: Lecture 10: Elliptic Curve Cryptography
Page 17: Lecture 10: Elliptic Curve Cryptography

Elliptic Curve Addition: An Algebraic Approach

• Although the previous geometric descriptions of elliptic curves provide an excellent method of illustrating elliptic curve arithmetic, they are not a practical way to implement arithmetic computations. Algebraic formulae are constructed to efficiently compute the geometric arithmetic.

Page 18: Lecture 10: Elliptic Curve Cryptography

Adding distinct points P and Q

• When P = (x_P, y_P) and Q = (x_Q, y_Q) are not negatives of each other,

P + Q = R where

s = (y_P - y_Q) / (x_P - x_Q)

x_R = s^2 - x_P - x_Q and y_R = -y_P + s(x_P - x_R)

Note that s is the slope of the line through P and Q.

Page 19: Lecture 10: Elliptic Curve Cryptography

Doubling the point P

• When y_P is not 0,

2P = R where

s = (3x_P^2 + a) / (2y_P)

x_R = s^2 - 2x_P and y_R = -y_P + s(x_P - x_R)

Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the tangent at the point P.

Page 20: Lecture 10: Elliptic Curve Cryptography

Elliptic Curve Picture

• Consider elliptic curve E: y^2 = x^3 - x + 1

• If P1 and P2 are on E, we can define

P3 = P1 + P2

as shown in picture

• Addition is all we need

[Figure: the curve E in the x-y plane with points P1, P2 and P3 marked]

Page 21: Lecture 10: Elliptic Curve Cryptography

Points on Elliptic Curve

• Consider y^2 = x^3 + 2x + 3 (mod 5)

x = 0: y^2 = 3, no solution (mod 5)

x = 1: y^2 = 6 = 1, y = 1,4 (mod 5)

x = 2: y^2 = 15 = 0, y = 0 (mod 5)

x = 3: y^2 = 36 = 1, y = 1,4 (mod 5)

x = 4: y^2 = 75 = 0, y = 0 (mod 5)

• Then points on the elliptic curve are

(1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and the point at infinity

Page 22: Lecture 10: Elliptic Curve Cryptography

Elliptic Curve Math

• Addition on: y^2 = x^3 + ax + b (mod p)

P1 = (x_1, y_1), P2 = (x_2, y_2)

P1 + P2 = P3 = (x_3, y_3) where

x_3 = m^2 - x_1 - x_2 (mod p)

y_3 = m(x_1 - x_3) - y_1 (mod p)

And m = (y_2 - y_1)(x_2 - x_1)^(-1) mod p, if P1 ≠ P2

m = (3x_1^2 + a)(2y_1)^(-1) mod p, if P1 = P2

Special cases: If m is infinite, P3 is the point at infinity, and (point at infinity) + P = P for all P

Page 23: Lecture 10: Elliptic Curve Cryptography

Elliptic Curve Addition

• Consider y^2 = x^3 + 2x + 3 (mod 5). Points on the curve are (1,1) (1,4) (2,0) (3,1) (3,4) (4,0) and the point at infinity

• What is (1,4) + (3,1) = P3 = (x_3, y_3)?

m = (1 - 4)(3 - 1)^(-1) = -3 · 2^(-1) = 2(3) = 6 = 1 (mod 5)

x_3 = 1 - 1 - 3 = 2 (mod 5)

y_3 = 1(1 - 2) - 4 = 0 (mod 5)

• On this curve, (1,4) + (3,1) = (2,0)

Page 24: Lecture 10: Elliptic Curve Cryptography

ECC Diffie-Hellman

• Public: Elliptic curve and point (x,y) on curve

• Secret: Alice’s A and Bob’s B

Alice (secret A) → Bob (secret B): A(x,y)

Bob (secret B) → Alice (secret A): B(x,y)

• Alice computes A(B(x,y))

• Bob computes B(A(x,y))

• These are the same since AB = BA

Page 25: Lecture 10: Elliptic Curve Cryptography

ECC Diffie-Hellman

• Public: Curve y^2 = x^3 + 7x + b (mod 37) and point (2,5), which gives b = 3

• Alice’s secret: A = 4

• Bob’s secret: B = 7

• Alice sends Bob: 4(2,5) = (7,32)

• Bob sends Alice: 7(2,5) = (18,35)

• Alice computes: 4(18,35) = (22,1)

• Bob computes: 7(7,32) = (22,1)

Page 26: Lecture 10: Elliptic Curve Cryptography

Elliptic Curve Groups over F_p

• Calculations over the real numbers are slow and inaccurate due to round-off error. Cryptographic applications require fast and precise arithmetic; thus elliptic curve groups over the finite fields of F_p and F_{2^m} are used in practice.

Recall that the field F_p uses the numbers from 0 to p - 1, and computations end by taking the remainder on division by p. For example, in F_23 the field is composed of integers from 0 to 22, and any operation within this field will result in an integer also between 0 and 22.

An elliptic curve with the underlying field of F_p can be formed by choosing the variables a and b within the field of F_p. The elliptic curve includes all points (x,y) which satisfy the elliptic curve equation modulo p (where x and y are numbers in F_p).

Page 27: Lecture 10: Elliptic Curve Cryptography

• For example: y^2 mod p = x^3 + ax + b mod p has an underlying field of F_p if a and b are in F_p.

If x^3 + ax + b contains no repeating factors (or, equivalently, if 4a^3 + 27b^2 mod p is not 0), then the elliptic curve can be used to form a group. An elliptic curve group over F_p consists of the points on the corresponding elliptic curve, together with a special point O called the point at infinity. There are finitely many points on such an elliptic curve.

Page 28: Lecture 10: Elliptic Curve Cryptography

Example of an Elliptic Curve Group over F_p

• As a very small example, consider an elliptic curve over the field F_23. With a = 1 and b = 0, the elliptic curve equation is y^2 = x^3 + x. The point (9,5) satisfies this equation since:

y^2 mod p = x^3 + x mod p

25 mod 23 = 729 + 9 mod 23

25 mod 23 = 738 mod 23

2 = 2

The 23 points which satisfy this equation are:

(0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5)

(13,18) (15,3) (15,20) (16,8) (16,15) (17,10) (17,13) (18,10)

(18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)

These points may be graphed as below:

Page 29: Lecture 10: Elliptic Curve Cryptography
Page 30: Lecture 10: Elliptic Curve Cryptography

• Note that there are two points for every x value. Even though the graph seems random, there is still symmetry about y = 11.5. Recall that for elliptic curves over real numbers, there exists a negative point for each point, which is its reflection through the x-axis. Over the field of F_23, the negative components in the y-values are taken modulo 23, resulting in a positive number as a difference from 23. Here -P = (x_P, (-y_P mod 23))

• Note that these rules are exactly the same as those for elliptic curve groups over real numbers, with the exception that computations are performed modulo p.

Page 31: Lecture 10: Elliptic Curve Cryptography

Arithmetic in an Elliptic Curve Group over F_p

• There are several major differences between elliptic curve groups over F_p and over real numbers. Elliptic curve groups over F_p have a finite number of points, which is a desirable property for cryptographic purposes. Since these curves consist of a few discrete points, it is not clear how to "connect the dots" to make their graph look like a curve. It is not clear how geometric relationships can be applied. As a result, the geometry used in elliptic curve groups over real numbers cannot be used for elliptic curve groups over F_p. However, the algebraic rules for the arithmetic can be adapted for elliptic curves over F_p. Unlike elliptic curves over real numbers, computations over the field of F_p involve no round-off error, an essential property required for a cryptosystem.

Page 32: Lecture 10: Elliptic Curve Cryptography

Adding distinct points P and Q

• The negative of the point P = (x_P, y_P) is the point -P = (x_P, -y_P mod p). If P and Q are distinct points such that P is not -Q, then

P + Q = R where

s = (y_P - y_Q) / (x_P - x_Q) mod p

x_R = s^2 - x_P - x_Q mod p and y_R = -y_P + s(x_P - x_R) mod p

Note that s is the slope of the line through P and Q.

Page 33: Lecture 10: Elliptic Curve Cryptography

Doubling the point P

• Provided that y_P is not 0,

2P = R where

s = (3x_P^2 + a) / (2y_P) mod p

x_R = s^2 - 2x_P mod p and y_R = -y_P + s(x_P - x_R) mod p

Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the line through P and Q.

Page 34: Lecture 10: Elliptic Curve Cryptography

Elliptic Curve Groups over F_{2^m}

• Elements of the field F_{2^m} are m-bit strings. The rules for arithmetic in F_{2^m} can be defined by either polynomial representation or by optimal normal basis representation. Since F_{2^m} operates on bit strings, computers can perform arithmetic in this field very efficiently.

An elliptic curve with the underlying field F_{2^m} is formed by choosing the elements a and b within F_{2^m} (the only condition is that b is not 0). As a result of the field F_{2^m} having characteristic 2, the elliptic curve equation is slightly adjusted for binary representation:

y^2 + xy = x^3 + ax^2 + b

The elliptic curve includes all points (x,y) which satisfy the elliptic curve equation over F_{2^m} (where x and y are elements of F_{2^m}). An elliptic curve group over F_{2^m} consists of the points on the corresponding elliptic curve, together with a point at infinity, O. There are finitely many points on such an elliptic curve.

Page 35: Lecture 10: Elliptic Curve Cryptography

An Example of an Elliptic Curve Group over F_{2^m}

• As a very small example, consider the field F_{2^4}, defined by using polynomial representation with the irreducible polynomial f(x) = x^4 + x + 1.

The element g = (0010) is a generator for the field. The powers of g are:

g^0 = (0001) g^1 = (0010) g^2 = (0100) g^3 = (1000) g^4 = (0011) g^5 = (0110)

g^6 = (1100) g^7 = (1011) g^8 = (0101) g^9 = (1010) g^10 = (0111) g^11 = (1110)

g^12 = (1111) g^13 = (1101) g^14 = (1001) g^15 = (0001)

In a true cryptographic application, the parameter m must be large enough to preclude the efficient generation of such a table; otherwise the cryptosystem can be broken. In today's practice, m = 160 is a suitable choice. The table allows the use of generator notation (g^e) rather than bit string notation, as used in the following example. Also, using generator notation allows multiplication without reference to the irreducible polynomial

f(x) = x^4 + x + 1.

Page 36: Lecture 10: Elliptic Curve Cryptography

• Consider the elliptic curve y^2 + xy = x^3 + g^4 x^2 + 1. Here a = g^4 and b = g^0 = 1. The point (g^5, g^3) satisfies this equation over F_{2^m}:

y^2 + xy = x^3 + g^4 x^2 + 1

(g^3)^2 + g^5 g^3 = (g^5)^3 + g^4 g^10 + 1

g^6 + g^8 = g^15 + g^14 + 1

(1100) + (0101) = (0001) + (1001) + (0001)

(1001) = (1001)

The fifteen points which satisfy this equation are:

(1, g^13) (g^3, g^13) (g^5, g^11) (g^6, g^14) (g^9, g^13) (g^10, g^8) (g^12, g^12)

(1, g^6) (g^3, g^8) (g^5, g^3) (g^6, g^8) (g^9, g^10) (g^10, g) (g^12, 0) (0, 1)

These points are graphed below:

Page 37: Lecture 10: Elliptic Curve Cryptography
Page 38: Lecture 10: Elliptic Curve Cryptography

Arithmetic in an Elliptic Curve Group over F_{2^m}

• Elliptic curve groups over F_{2^m} have a finite number of points, and their arithmetic involves no round-off error. Combined with the binary nature of the field, this means F_{2^m} arithmetic can be performed very efficiently by a computer.

The following algebraic rules are applied for arithmetic over F_{2^m}:

Page 39: Lecture 10: Elliptic Curve Cryptography

Adding distinct points P and Q

• The negative of the point P = (x_P, y_P) is the point -P = (x_P, x_P + y_P). If P and Q are distinct points such that P is not -Q, then

P + Q = R where

s = (y_P - y_Q) / (x_P + x_Q)

x_R = s^2 + s + x_P + x_Q + a and y_R = s(x_P + x_R) + x_R + y_P

As with elliptic curve groups over real numbers, P + (-P) = O, the point at infinity. Furthermore, P + O = P for all points P in the elliptic curve group.

Page 40: Lecture 10: Elliptic Curve Cryptography

Doubling the point P

• If x_P = 0, then 2P = O

Provided that x_P is not 0,

2P = R where

s = x_P + y_P / x_P

x_R = s^2 + s + a and y_R = x_P^2 + (s + 1) * x_R

Recall that a is one of the parameters chosen with the elliptic curve and that s is the slope of the line through P and Q
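The F_{2^4} example and the addition and doubling rules above can be checked mechanically. The following Python is an added example, not part of the original lecture; field elements are 4-bit integers (bit i is the coefficient of x^i), and the function names are this example's own.

```python
MOD = 0b10011            # irreducible polynomial f(x) = x^4 + x + 1
M = 4                    # field F_{2^4}; addition and subtraction are both XOR
A, B = 0b0011, 0b0001    # curve parameters a = g^4 = (0011), b = 1


def gf_mul(u: int, v: int) -> int:
    # Shift-and-add polynomial multiplication, reduced modulo f(x) at each step
    r = 0
    while v:
        if v & 1:
            r ^= u
        v >>= 1
        u <<= 1
        if u & (1 << M):
            u ^= MOD
    return r


def gf_inv(u: int) -> int:
    # u^(2^m - 2) is the inverse of any nonzero u in F_{2^m}
    if u == 0:
        raise ZeroDivisionError("0 has no inverse")
    r = 1
    for _ in range(2**M - 2):
        r = gf_mul(r, u)
    return r


def powers_of_g(g: int = 0b0010) -> list:
    # g^0 .. g^15, the table from the slide
    out, v = [], 1
    for _ in range(2**M):
        out.append(v)
        v = gf_mul(v, g)
    return out


def on_curve(P) -> bool:
    # y^2 + xy = x^3 + a*x^2 + b; None is the point at infinity O
    if P is None:
        return True
    x, y = P
    x2 = gf_mul(x, x)
    return gf_mul(y, y) ^ gf_mul(x, y) == gf_mul(x2, x) ^ gf_mul(A, x2) ^ B


def points() -> list:
    return [(x, y) for x in range(2**M) for y in range(2**M) if on_curve((x, y))]


def add(P, Q):
    if P is None:
        return Q
    if Q is None:
        return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq:
        if yq == xp ^ yp:                  # Q = -P (covers doubling when x_P = 0)
            return None
        s = xp ^ gf_mul(yp, gf_inv(xp))    # doubling: s = x_P + y_P / x_P
        xr = gf_mul(s, s) ^ s ^ A
        return (xr, gf_mul(xp, xp) ^ gf_mul(s ^ 1, xr))
    s = gf_mul(yp ^ yq, gf_inv(xp ^ xq))   # distinct points
    xr = gf_mul(s, s) ^ s ^ xp ^ xq ^ A
    return (xr, gf_mul(s, xp ^ xr) ^ xr ^ yp)


if __name__ == "__main__":
    print([format(v, "04b") for v in powers_of_g()])
    print(len(points()), add((6, 8), (6, 8)), add((6, 8), (10, 13)))
```

In bit-string form, doubling (g^5, g^3) gives (1, g^13) and (g^5, g^3) + (g^9, g^13) gives (g^3, g^13), both of which appear in the list of fifteen points.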

Page 41: Lecture 10: Elliptic Curve Cryptography

Elliptic Curve groups and the Discrete Logarithm Problem

• At the foundation of every cryptosystem is a hard mathematical problem that is computationally infeasible to solve. The discrete logarithm problem is the basis for the security of many cryptosystems including the Elliptic Curve Cryptosystem. More specifically, the ECC relies upon the difficulty of the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Recall that we examined two geometrically defined operations over certain elliptic curve groups. These two operations were point addition and point doubling. By selecting a point in an elliptic curve group, one can double it to obtain the point 2P. After that, one can add the point P to the point 2P to obtain the point 3P. The determination of a point nP in this manner is referred to as Scalar Multiplication of a point. The ECDLP is based upon the intractability of scalar multiplication products.

Page 42: Lecture 10: Elliptic Curve Cryptography

Scalar Multiplication

• The following animation demonstrates scalar multiplication through the combination of point doubling and point addition.

While it is customary to use additive notation to describe an elliptic curve group (as has been done previously in this classroom), some insight is provided by using multiplicative notation. Specifically, consider the operation called "scalar multiplication" under additive notation: that is, computing kP by adding together k copies of the point P. Using multiplicative notation, this operation consists of multiplying together k copies of the point P, yielding the point P*P*P*P*…*P = P^k.

Page 43: Lecture 10: Elliptic Curve Cryptography

The Elliptic Curve Discrete Logarithm Problem

• In the multiplicative group Z_p*, the discrete logarithm problem is: given elements r and q of the group, and a prime p, find a number k such that r = q^k mod p. If the elliptic curve group is described using multiplicative notation, then the elliptic curve discrete logarithm problem is: given points P and Q in the group, find a number k such that P^k = Q; k is called the discrete logarithm of Q to the base P. When the elliptic curve group is described using additive notation, the elliptic curve discrete logarithm problem is: given points P and Q in the group, find a number k such that Pk = Q.

Example:

In the elliptic curve group defined by

y^2 = x^3 + 9x + 17 over F_23,

What is the discrete logarithm k of Q = (4,5) to the base P = (16,5)?

Page 44: Lecture 10: Elliptic Curve Cryptography

• One (naïve) way to find k is to compute multiples of P until Q is found. The first few multiples of P are:

P = (16,5) 2P = (20,20) 3P = (14,14) 4P = (19,20) 5P = (13,10) 6P = (7,3) 7P = (8,7) 8P = (12,17) 9P = (4,5)

Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is k = 9.

In a real application, k would be large enough such that it would be infeasible to determine k in this manner.

Page 45: Lecture 10: Elliptic Curve Cryptography

An Example of the Elliptic Curve Discrete Logarithm Problem

• What is the discrete logarithm of Q(-0.35,2.39) to the base P(-1.65,-2.79) in the elliptic curve group y^2 = x^3 - 5x + 4 over real numbers?

Page 46: Lecture 10: Elliptic Curve Cryptography

Diffie-Hellman

Page 47: Lecture 10: Elliptic Curve Cryptography

Diffie-Hellman

• Invented by Williamson (GCHQ) and, independently, by D and H (Stanford)

• A “key exchange” algorithm

– Used to establish a shared symmetric key

• Not for encrypting or signing

• Security rests on difficulty of discrete log problem: given g, p, and g^k mod p find k

Page 48: Lecture 10: Elliptic Curve Cryptography

Diffie-Hellman

• Let p be prime, let g be a generator

– For any x ∈ {1,2,…,p-1} there is n s.t. x = g^n mod p

• Alice selects secret value a

• Bob selects secret value b

• Alice sends g^a mod p to Bob

• Bob sends g^b mod p to Alice

• Both compute shared secret g^(ab) mod p

• Shared secret can be used as symmetric key

Page 49: Lecture 10: Elliptic Curve Cryptography

Diffie-Hellman

• Suppose that Bob and Alice use g^(ab) mod p as a symmetric key

• Trudy can see g^a mod p and g^b mod p

• Note g^a g^b mod p = g^(a+b) mod p ≠ g^(ab) mod p

• If Trudy can find a or b, system is broken

• If Trudy can solve discrete log problem, then she can find a or b

Page 50: Lecture 10: Elliptic Curve Cryptography

Diffie-Hellman

• Public: g and p

• Secret: Alice’s exponent a, Bob’s exponent b

Alice (a) → Bob (b): g^a mod p

Bob (b) → Alice (a): g^b mod p

• Alice computes (g^b)^a = g^(ba) = g^(ab) mod p

• Bob computes (g^a)^b = g^(ab) mod p

• Could use K = g^(ab) mod p as symmetric key

Page 51: Lecture 10: Elliptic Curve Cryptography

Diffie-Hellman

• Subject to man-in-the-middle (MiM) attack

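[Diagram: Trudy (secret t) sits between Alice (secret a) and Bob (secret b). Alice sends g^a mod p and Bob sends g^b mod p; each of them receives g^t mod p from Trudy instead.]

• Trudy shares secret g^(at) mod p with Alice

• Trudy shares secret g^(bt) mod p with Bob

• Alice and Bob don’t know Trudy exists!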

Page 52: Lecture 10: Elliptic Curve Cryptography

Diffie-Hellman

• How to prevent MiM attack?

– Encrypt DH exchange with symmetric key

– Encrypt DH exchange with public key

– Sign DH values with private key

– Other?

• You MUST be aware of MiM attack on Diffie-Hellman
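The exchange and the effect of authenticating the DH values can be simulated in a few lines. This Python is an added example, not part of the original lecture: p = 23, g = 5 and the secrets are constructed toy values, the function names are its own, and an HMAC under a pre-shared key stands in for the authentication options listed above.

```python
import hashlib
import hmac
from typing import Optional, Tuple

P, G = 23, 5                 # constructed toy parameters; 5 generates Z_23^*


def public_value(secret: int) -> int:
    return pow(G, secret, P)


def shared_key(secret: int, peer_value: int) -> int:
    return pow(peer_value, secret, P)


def tag(psk: bytes, sender: str, value: int) -> bytes:
    # MAC binds the DH value to its sender under a key Trudy does not hold
    return hmac.new(psk, f"{sender}|{value}".encode(), hashlib.sha256).digest()


def run_exchange(a: int, b: int, t: Optional[int] = None,
                 psk: Optional[bytes] = None) -> Tuple[Optional[int], Optional[int]]:
    """Simulate one exchange and return (alice_key, bob_key).

    If t is given, both values are replaced in transit by g^t mod p.
    If psk is given, each value travels with a tag that the receiver checks;
    a key of None means the receiver rejected the message.
    """
    in_transit = {}
    for sender, secret in (("alice", a), ("bob", b)):
        value = public_value(secret)
        mac = tag(psk, sender, value) if psk else None
        if t is not None:
            value = public_value(t)      # replaced on the wire; the tag cannot be recomputed
        in_transit[sender] = (value, mac)

    def receive(secret: int, sender: str) -> Optional[int]:
        value, mac = in_transit[sender]
        if psk and not hmac.compare_digest(mac, tag(psk, sender, value)):
            return None                  # authentication failed: abort, derive no key
        return shared_key(secret, value)

    return receive(a, "bob"), receive(b, "alice")


if __name__ == "__main__":
    a, b, t = 6, 15, 13                  # constructed secrets
    print("honest:          ", run_exchange(a, b))
    print("values replaced: ", run_exchange(a, b, t=t))
    print("replaced + MAC:  ", run_exchange(a, b, t=t, psk=b"constructed-psk"))
```

Without authentication, Alice and Bob finish with different keys and neither sees an error; with the tag check, both reject the substituted values.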
