Elliptic Curves

Outline [1] Elliptic Curves over R [2] Elliptic Curves over GF(p) [3] Properties of Elliptic Curves [4] Point Compression and the ECIES [5] Computing Point Multiples on Elliptic Curves [6] GF(2m) [7] Elliptic Curves over GF(2m)

[1] Elliptic curves over R Definition Let Example:

Group operation + The point of infinity, O, will be the identity element Given

Group operation + Given Compute Addition Doubling

Example (addition): Given

Example (doubling): Given

[2] Elliptic Curves over GF(p) Definition Let Example:

Example: Find all (x, y) and O: Fix x and determine y O is an artificial point 12 (x, y) pairs plus O, and have #E=13

Example (continue): There are 13 points on the group E(Z11) and so any non-identity point (i.e. not the point at infinity, noted as O) is a generator of E(Z11). Choose generator Compute

Example (continue): Compute So, we can compute

Example (continue): Let’s modify ElGamal encryption by using the elliptic curve E(Z11). Suppose that and Bob’s private key is 7, so Thus the encryption operation is where and , and the decryption operation is

Example (continue): Suppose that Alice wishes to encrypt the plaintext x = (10,9) (which is a point on E). If she chooses the random value k = 3, then Hence . Now, if Bob receives the ciphertext y, he decrypts it as follows:

[3] Properties of Elliptic Curves Over a finite field Zp, the order of E(Zp) is denoted by #E(Zp). Hasse’s theorem Group structure of E(Zp) Let E be an elliptic curve defined over Zp, and p>3. Then there exists positive integers n1 and n2 such that Further,

[4] Point Compression and the ECIES Point compression Since p is odd, given a value for x, one of the two possible values of y mod p is even and the other is odd. Define point compression as follow

Example: As in the previous example, Point compression Point decompression So, POINTDECOMPRESS(7,1)=(7,9)

Elliptic Curve Integrated Encryption Scheme (ECIES) Cryptosystem 6.2 Let E be an elliptic curve defined over Zp, and p>3 such that E contains a cyclic subgroup H = <P> of prime order n. Let and define The values P,Q and n are the public key, and is the private key.

ECIES (continue) For K = (E, P, m, Q, n), for a (secret) random number , and for , define where For a ciphertext , where and , define where

Example: As in the previous example, suppose that and Bob’s private key is 7, so Suppose Alice wants to encrypt the plaintext x = 9, and she chooses the random value k = 6, Then so

Example (continue): Next, she calculates The ciphertext she sends to Bob is When Bob receives the ciphertext y, he computes Hence, the decryption yields the correct plaintext, 9.

[5] Computing Point Multiples on Elliptic Curves Use Double-and-Add (similar to square-and-multiply) Algorithm: DOUBLE-AND-ADD

Example: Compute 3895P

Use Double-and-(Add or Subtract) Elliptic curve has the property that additive inverses are very easy to compute. Signed binary representation Example: so are both signed binary representation of 11.

Non-adjacent form (NAF) A signed binary representation (cl-1, …, c0) of an integer c is said to be in non-adjacent form provided that no two consecutive ci’s are non-zero. The NAF representation of an integer is unique. A NAF representation contains more zeros than the traditional binary representation of a positive integer.

Transform a binary representation of a positive integer c into a NAF representation Example: Hence the NAF representation of (1,1,1,1,0,0,1,1,0,1,1,1) is (1,0,0,0,-1,0,1,0,0,-1,0,0,-1)

Double-and-(Add or Subtract) Algorithm 6 Double-and-(Add or Subtract) Algorithm 6.5: DOUBLE-AND-(ADD OR SUBTRACT)

Example: Compute 3895P

[6] GF(2m) GF(2m) in polynomial form Galois Field GF(2m) where Z2[x] is the set of polynomials with coefficient over Z2 and p(x) is an irreducible polynomial of degree m in Z2[x]. Example:

Example (continue): The elements of Z2[x]/(x4+x+1) :

GF(2m) in vector form Rewrite am-1xm-1+ am-2xm-2+…+ a0x0 in vector form (am-1 am-2 …a0) Example: As previous example, g=x is a generator.

[7] Elliptic Curves over GF(2m) Over GF(2m), elliptic curves can be written in the form Points on elliptic curve E/GF(2m)

Example: We can find that

Group operation + The point of infinity, O, will be the identity element Given where

Check –P is on curve

Slope for P = Q

Calculate P+Q

Example:

Example (continue):