Elliptic Curve Cryptography Celia Li Computer Science and Engineering November 10, 2005

2 Content Introduction of Elliptic Curve Theory Elliptic Curve Diffie-Helman Protocol Elliptic Curve Digital Signature Authentication ECC Security Analysis

3 What is Elliptic Curve Cryptography (ECC) ? A public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys

4 Elliptic Curve Over Real Numbers Set of Points (x, y): y 2 = x 3 + ax + b where x, y, a and b are real numbers. Includes all points (x, y) + a special point O, called the point at infinity Point O does not satisfy elliptic curve equation, but is needed for addition operation

5 Elliptic Curve Addition Adding distinct points P and Q  P=(x P, y P ), Q=(x Q, y Q ) are not negative of each other  P + Q = R where s= (y P -y Q )/ (x P -x Q ) x R = s 2 -x P -x Q y R = -y P +s (x P -x R )  s is the slope of the line through P and Q  Example: P(-2.35, -1.86), Q(-0.1, 0.836) –R(3.89, 5.62), R(3.89, -5.62) P+Q=R=(3.89, -5.62) P+Q=R

6 Elliptic Curve Addition Adding Points P and -P  Elliptic curve group includes the point at infinity O. P+(-P)=O  P+O=P  All elliptic curves have the point at infinity O P+(-P)=O

7 Elliptic Curve Addition Doubling the Point P if y P  0  P=(x P, y P ), y P  0  P+P=2P=R s= (3x P 2 +a)/ (2y P ) x R = s 2 -2x P y R = -y P +s (x P -x R )  Example: P(2, 2.65), –R(-1.11, -2.64), R(-1.11, 2.64) 2P=R=(-1.11, -2.64) P+P=2P=R

8 Elliptic Curve Addition Doubling the Point P if y P =0  P+P=2P=O  3P= 2P+P=O+P=P  4P= 3P+P=P+P=O  5P=P, 6P=O, 7P=P, etc 2P=O (1.1, 0)

9 Elliptic Curve Over Finite Field F z Major Difference between Elliptic Curve Over F z and Over Real Numbers  Elliptic curve over F z has a finite number of points  Unlike elliptic curve over real numbers, computations over F z involve no round off error  Computations are performed by modulo z

10 Set of points (x, y) satisfy y 2 = x 3 + ax + b mod z, where z is a prime number>3, a, b, x, y  F z Adding Distinct Points P and Q  P=(x p, y p ), -P=(x p, -y p mod z).  P+Q=R where s= (y P -y Q )/ (x P -x Q ) mod z x R = s 2 -x P -x Q mod z y R = -y P +s (x P -x R ) mod z Doubling the Point P if y p  0  2P=R where s= (3x P 2 +a)/ (2y P ) mod z x R = s 2 -2x P mod z y R = -y P +s (x P -x R ) mod z Elliptic Curve Over Finite Field F z

11 Conclude Elliptic Curve Theory Crucial Property of an Elliptic Curve  Define a rule for “ adding ” two points which are on the elliptic curve, to obtain a 3 rd point which is also on the elliptic curve  Include a special point O, which does not satisfy the elliptic curve equation Order of a Point  Order of a point P on the elliptic curve is the smallest integer r such that r*P=O

12 Elliptic Curve Discrete Logarithm Problem (ECDLP) Public-key cryptography systems use hard-to- solve problems as the basis of the algorithm  Prime factorization is a hard problem used by RSA ECDLP is a “hard” problem used by ECC  Given two points Q & G on elliptic curve, such that Q = d*G  Can we easily find integer d? Q is public key, d is private key Relatively easy to perform, but extremely difficult to reverse

13 Elliptic Curve Diffie-Helman Protocol Generates d Alice Computes Q Alice =d Alice *G Generates d Bob Computes Q Bob =d Bob *G Publish Curve Point Q Alice Publish Q Bob Computes P 1 =d Alice *Q Bob Computes P 2 =d Bob * Q Alice Use this computed point P 1 or P 2 as the shared secret key Message P 1 =P 2 =d Alice * d Bob * G Given a curve point G and the result of d*G, it is difficult to compute d. Q: public key d: private key G: a fixed point on elliptic curve =d Bob * (d Alice *G) =d Alice *(d Bob *G) = = shared secret key

14 Elliptic Curve Digital Signature Authentication Sends message m and her signature (r,s) r=0? Select a random number k  [1,n-1] Compute point P=k *G=(x,y) Compute r=x mod n e=SHA-1(m) Compute s=k -1 (e+d Alice *r) mod n s=0? No Yes Verify r and s are integers in the range [1, n-1] e=SHA-1(m) Compute w=s -1 mod n Compute u 1 =e*w and u 2 =r*w Point X=(x 1, y 1 )=u 1 *G+u 2 *Q Alice Signature of m is the pair (r,s) Yes No Reject Accept Alice’s signature if v=r Compute v=x 1 mod n X=O? Q Alice : public key d Alice : private key G: a point on elliptic curve n: order of point G, n*G=O (k*x)mod n=1  x=k -1 (29*35)mod78= 1

15 Security Analysis RSA Key Size Time to Break Key (MIPS Years) ECC Key Size for Equivalent Security RSA:ECC Key Size Ratio : :1 1, :1 2, :1 21, :1 ECC can offer same levels of security with small size keys comparable to RSA and other public key cryptography methods Designed for devices with limited memory, bandwidth, computational power, e.g. smartcards and PDAs

16 Reference Neal Koblitz, "Elliptic curve cryptosystems", Mathematics of Computation 48, 1987, pp203 – 209. V. Miller, "Use of elliptic curves in cryptography", CRYPTO 85, Blake, Seroussi, Smart, "Elliptic Curves in Cryptography", Cambridge University Press, Hankerson, Menezes, Vanstone, "Guide to Elliptic Curve Cryptography", Springer- Verlag, L. Washington, "Elliptic Curves: Number Theory and Cryptography", Chapman & Hall/CRC, B.Schneier. Applied Cryptography. John Wiley and Sons, second edition, 1996 Julio Lopez and Ricardo Dahab, “ An overview of elliptic curve cryptography ”, May V. Miller, “ Uses of elliptic curves in cryptography ”, Advances in Cryptology - CRYPTO'85, LNCS 218, pp , Robert Milson, “ Introduction to Public Key Cryptography and Modular Arithmetic ” William Stallings, Cryptography and Network Security-Principles and Practice second edition, Prentice Hall publications. R. Schroppel, H. Orman, S. O ’ Malley and O. Spatscheck, “ Fast key exchange with elliptic key systems ”, Advances in Cryptography, Proc. Crypto ’ 95, LNCS 963, pp , Springer-Verlag, 1995.

17 Thank You !