Introduction to Elliptic Curve Cryptography
CSIS 5857: Encoding and Encryption

RSA vs. Elliptic Curve
- RSA requires very large key size
- Recommended minimum: 1024 bits (as opposed to 128-256 for AES)
- Speed of RSA proportional to key size
- Fast modular exponentiation
- Possible alternative: Elliptic Curve Cryptography
- Not directly related to ellipses (special case)
- 160 bit ECC key equivalent to 1024 bit RSA key
- Based on faster operations

Elliptic Curve Mathematics
- General mathematical form (Weierstrass equation): $y^2 = x^3 + ax + b$
- For some a, b (curve parameters)

Elliptic Curve Encryption
- Encryption: Transforming points on curve ($P$, $K_{PU}$) into other point on same curve ($C$)
- Main idea (Abelian group): Need a definition of “+” so that “sum” of two points on a curve is also on the same curve
- $R = P + Q$ where $P = (x_P, y_P)$, $Q = (x_Q, y_Q)$, $R = (x_R, y_R)$
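
Elliptic Curve Addition Cases
Case 1: R based on line formed by P, Q ($x_P \ne x_Q$, $y_P \ne y_Q$)
Equations ($\lambda$ is the slope of the line through P and Q):
- $\lambda = (y_Q - y_P) / (x_Q - x_P)$
- $x_R = \lambda^2 - x_P - x_Q$
- $y_R = \lambda (x_P - x_R) - y_P$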

Elliptic Curve Addition Cases
Case 2: P = Q, R based on tangent to curve ($x_P = x_Q$, $y_P = y_Q$)
Equations:
- $x_R = ((3x_P^2 + a) / (2y_P))^2 - 2x_P$
- $y_R = ((3x_P^2 + a) / (2y_P)) (x_P - x_R) - y_P$

Elliptic Curve Addition Cases
Case 3: P = -Q, line does not intersect curve ($x_P = x_Q$, $y_P \ne y_Q$)
- R = “0” (additive identity)
- Point at infinity
- 0 = -0

Elliptic Curves over $Z_p$
- Encryption requires modular arithmetic
- Must be difficult to recover original points from R. Modular arithmetic prevents “working backward”, as in RSA
- Define “curve” as $E_p(a, b)$ where p is the modulus and a, b are the coefficients of $y^2 = x^3 + ax + b$
- Looking for (x, y) such that $y^2 = (x^3 + ax + b) \bmod p$
- Note: “points” on curve are integers

Finding Points on a $Z_p$ Curve
Example: Points on elliptic curve $y^2 = x^3 + x + 1$ over GF(13):
Must find integer values for x, y < 13 such that $y^2 \bmod 13 = (x^3 + x + 1) \bmod 13$
- x = 0: $y^2 \bmod 13 = 1 \bmod 13$ → y = 1 → y = 1, 12 (-1 mod 13 = 12)
- x = 1: $y^2 \bmod 13 = 3 \bmod 13$ → y = 4 (16 mod 13 = 3) → y = 4, 9

Finding Points on a $Z_p$ Curve
Note: Not all values of x have a corresponding y
- x = 2: $y^2 \bmod 13 = 11 \bmod 13$ → No solution for y (Can test all y < 13)
- x = 3: $y^2 \bmod 13 = 31 \bmod 13 = 5$ → No solution for y (Can test all y < 13)
- x = 4: $y^2 \bmod 13 = 69 \bmod 13 = 4$ → y = 2 → y = 2, 11

Finding Points on a $Z_p$ Curve
Points on elliptic curve $y^2 = x^3 + x + 1$ over GF(13):

Elliptic Curve Mathematics
- Computing $(x_R, y_R) = (x_P, y_P) + (x_Q, y_Q)$
- Necessary to turn 2 points corresponding to key, plaintext into point corresponding to ciphertext
- Main ideas:
  - Addition/subtraction/multiplication in mod p
  - Division = multiplication by inverse mod p

Example: (4, 2) + (10, 6) on $E_{13}(1, 1)$
- step 1: compute $\lambda = (y_Q - y_P) / (x_Q - x_P)$
  - $\lambda = (6 - 2) \times (10 - 4)^{-1} \bmod 13 = 4 \times 6^{-1} \bmod 13$
  - $6^{-1} \bmod 13 = 11$
  - $\lambda = 4 \times 11 \bmod 13 = 5$
- step 2: compute $x_R = \lambda^2 - x_P - x_Q$
  - $x_R = 25 - 4 - 10 \bmod 13 = 11$
- step 3: compute $y_R = \lambda (x_P - x_R) - y_P$
  - $y_R = 5 \times (4 - 11) - 2 \bmod 13 = 2$
- (4, 2) + (10, 6) = (11, 2)
- note: also on curve!

Multiplication on an Elliptic Curve
- Multiplication = addition multiple times
- Necessary for some forms of elliptic curve cryptography
- Must use formula where P = Q for first addition
- Example: 3 × (1, 4) on $E_{13}(1, 1)$
  - 3 × (1, 4) = ((1, 4) + (1, 4)) + (1, 4) = (8, 1) + (1, 4) = (1, 9)

Elliptic Curve Encryption
- Generally based on using elliptic curves in place of exponentiation in existing public key algorithm
- Examples:
  - Elliptic Diffie-Hellman
  - Elliptic ElGamal

Elliptic Curve Diffie-Hellman
Alice and Bob agree on global parameters:
- $E_p(a, b)$: Elliptic curve mod p (prime) with parameters a and b
- G: “Generator” point on that elliptic curve
Example:
- p = 211
- $E_p(0, -4)$, the curve $y^2 = x^3 - 4$
- G = (2, 2)

Elliptic Curve Diffie-Hellman
- Alice and Bob select private $n_A$ and $n_B$
- They each generate a public $P_A$ and $P_B$ as $P_A = n_A \times G$ and $P_B = n_B \times G$
- They exchange these values
Example:
- $n_A = 121$, $P_A = 121 \times (2, 2) = (115, 48)$
- $n_B = 203$, $P_B = 203 \times (2, 2) = (130, 203)$
- Exchanged values: (115, 48) and (130, 203)

Elliptic Curve Diffie-Hellman
- Alice and Bob generate the same key k
- $k = P_B \times n_A = P_A \times n_B$
- Proof:
  - $P_B \times n_A = G \times n_B \times n_A$
  - $P_A \times n_B = G \times n_A \times n_B$
- Example: 121 × (130, 203) = 203 × (115, 48) = (161, 69)

Elliptic Curve ElGamal
Generating public and private keys:
- Bob chooses an $E_p(a, b)$ for an elliptic curve in $Z_p$
- Bob chooses a point $(x_1, y_1)$ on that curve
- Bob chooses a secret integer multiplier d < p
- Bob computes a second point $(x_2, y_2)$ on the curve as $(x_2, y_2) = d\,(x_1, y_1)$
- public key: the values p, a, and b that define the curve, and the two points $(x_1, y_1)$ and $(x_2, y_2)$
- private key: the multiplier d

Elliptic Curve ElGamal
Encryption:
- Alice selects a point P on $E_p(a, b)$ that corresponds to the plaintext message she wishes to send
- Alice selects a random multiplier r
- Alice creates the ciphertext as two points on the curve:
  - $C_1 = r\,(x_1, y_1)$
  - $C_2 = P + r\,(x_2, y_2)$

Elliptic Curve Encryption
Decryption:
- Bob computes the plaintext as: $P = C_2 - (d\,C_1)$
- Why does this work?
  - $P = C_2 - (d\,C_1)$
  - $= (P + r\,(x_2, y_2)) - (d\,r\,(x_1, y_1))$
  - $= (P + d\,r\,(x_1, y_1)) - (d\,r\,(x_1, y_1))$
  - $= P$
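
The addition cases, multiplication, the Diffie-Hellman exchange and the ElGamal round trip described above can be checked with a short script. This is an added example, not part of the original slides: it uses double-and-add instead of literal repeated addition, the function names are assumptions, and the ElGamal message point (115, 48), d = 77 and r = 5 are constructed sample values on the slides' E211(0, -4) curve.

```python
O = None  # point at infinity, the additive identity "0" of case 3

def on_curve(P, a, b, p):
    return P is O or (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0

def ec_add(P, Q, a, p):
    """R = P + Q on E_p(a, b); the branches are the three addition cases."""
    if P is O or Q is O:
        return Q if P is O else P
    (xP, yP), (xQ, yQ) = P, Q
    if xP == xQ and (yP + yQ) % p == 0:      # case 3: P = -Q
        return O
    if P == Q:                               # case 2: tangent at P
        lam = (3 * xP * xP + a) * pow(2 * yP % p, -1, p) % p
    else:                                    # case 1: line through P and Q
        lam = (yQ - yP) * pow((xQ - xP) % p, -1, p) % p
    xR = (lam * lam - xP - xQ) % p
    return xR, (lam * (xP - xR) - yP) % p

def ec_mul(n, P, a, p):
    """n x P by double-and-add (not constant time; for study only)."""
    R = O
    while n:
        if n & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        n >>= 1
    return R

def ecdh_slide_example():
    a, b, p, G = 0, -4, 211, (2, 2)          # global parameters from the slides
    nA, nB = 121, 203                        # private values from the slides
    PA, PB = ec_mul(nA, G, a, p), ec_mul(nB, G, a, p)
    if not (on_curve(PA, a, b, p) and on_curve(PB, a, b, p)):
        raise ValueError("received point is not on the agreed curve")
    return PA, PB, ec_mul(nA, PB, a, p), ec_mul(nB, PA, a, p)

def elgamal_round_trip(M, d, r, a=0, p=211, e1=(2, 2)):
    e2 = ec_mul(d, e1, a, p)                     # Bob's public (x2, y2) = d (x1, y1)
    C1 = ec_mul(r, e1, a, p)                     # Alice: C1 = r (x1, y1)
    C2 = ec_add(M, ec_mul(r, e2, a, p), a, p)    # Alice: C2 = P + r (x2, y2)
    S = ec_mul(d, C1, a, p)                      # Bob: d C1
    neg_S = O if S is O else (S[0], -S[1] % p)
    return C1, C2, ec_add(C2, neg_S, a, p)       # Bob: P = C2 - d C1

if __name__ == "__main__":
    print(ecdh_slide_example())
    print(elgamal_round_trip((115, 48), d=77, r=5))  # M, d, r: constructed values
```

ecdh_slide_example() returns both public points followed by each party's derived key; the on-curve test is the check a receiver applies to a peer's point before multiplying it by a private value.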

Security and Speed
Why is this secure?
- Same type of inverse modular problem (elliptic curve logarithm problem)
- No simple way to determine d from $(x_1, y_1)$ and $(x_2, y_2)$ without trying all possible values
- Computationally secure as long as p large enough to prevent this ($2^{160}$ for example)
Why is this fast?
- Only uses addition and multiplication – no exponents!

Elliptic Curves over GF($2^n$)
- Represent points as polynomials {0, 1, g, $g^2$, $g^3$, …} mod some irreducible polynomial in GF($2^n$)
- Sort of like GF in AES
- Added security
- Slightly different equation used: $y^2 + xy = x^3 + ax^2 + b$
- Example: GF($2^3$) using $x^3 + x + 1$ as mod

  element                   bit pattern
  0                         000
  1                         001
  g                         010
  $g^2$                     100
  $g^3 = g + 1$             011
  $g^4 = g^2 + g$           110
  $g^5 = g^2 + g + 1$       111
  $g^6 = g^2 + 1$           101

Elliptic Curves over GF($2^n$)
Points on elliptic curve $y^2 + xy = x^3 + ax^2 + b$ for $a = g^3$ and $b = 1$
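
The GF(2^3) table and the curve above can be reproduced by treating each field element as a 3-bit integer. This is an added example, not part of the original slides; the function names are assumptions, and it goes one step beyond the table by enumerating every affine point on the curve by brute force.

```python
MOD = 0b1011    # x^3 + x + 1, the irreducible polynomial from the slide
N = 3           # GF(2^3): every element is a 3-bit pattern

def gf_mul(u, v):
    """Multiply in GF(2^3): shift-and-XOR product, reduced by MOD as it grows."""
    r = 0
    while v:
        if v & 1:
            r ^= u              # addition of polynomials over GF(2) is XOR
        u <<= 1
        if u >> N:              # degree reached 3: reduce with g^3 = g + 1
            u ^= MOD
        v >>= 1
    return r

def powers_of_g():
    """Bit patterns of g^0 .. g^6, where g is 0b010."""
    out, x = [], 1
    for _ in range(2 ** N - 1):
        out.append(x)
        x = gf_mul(x, 0b010)
    return out

def curve_points(a, b):
    """All affine (x, y) satisfying y^2 + xy = x^3 + a x^2 + b."""
    pts = []
    for x in range(2 ** N):
        x2 = gf_mul(x, x)
        rhs = gf_mul(x2, x) ^ gf_mul(a, x2) ^ b
        for y in range(2 ** N):
            if (gf_mul(y, y) ^ gf_mul(x, y)) == rhs:
                pts.append((x, y))
    return pts

def name(e):
    """Render a bit pattern as 0, 1, g, g^2, ... for comparison with the table."""
    if e == 0:
        return "0"
    k = powers_of_g().index(e)
    return ["1", "g"][k] if k < 2 else f"g^{k}"

if __name__ == "__main__":
    a = powers_of_g()[3]                     # a = g^3, b = 1 as on the slide
    for x, y in curve_points(a, 1):
        print(f"({name(x)}, {name(y)})")
```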