1. Introduction to Elliptic Curve Cryptography
CSIS 5857: Encoding and Encryption

2. RSA vs. Elliptic Curve RSA requires very large key size
Recommended minimum: 1024 bits (as opposed to for AES)
Speed of RSA proportional to key size
Fast modular exponentiation
Possible alternative: Elliptic Curve Cryptography
Not directly related to ellipses (special case)
160 bit ECC key equivalent to 1024 bit RSA key
Based on faster operations

3. Elliptic Curve Mathematics
General mathematical form (Weierstraus equation): y2 = x3 + ax + b For some a, b (curve parameters)

4. Elliptic Curve Encryption
Encryption: Transforming points on curve (P, KPU) into other point on same curve (C)
Main idea (Abelian group): Need a definition of “+” so that “sum” of two points on a curve is also on the same curve R = P + Q where P = (xP, yP) Q = (xQ, yQ) R = (xR, yR)

5. Elliptic Curve Addition Cases
Case 1: R based on line formed by P, Q (xP ≠ xQ, yP ≠ yQ)
Equations:
 = (yQ – yP) / (xQ – xP)
xR = 2 – xP – xQ
yR = (xP – xR) – yP

6. Elliptic Curve Addition Cases
Case 2: P = Q, R based on tangent to curve (xP = xQ, yP = yQ)
Equations:
xR = ((3xP2 + a) / 2yP)2 - 2xP
yR = ((3xP2 + a) / 2yP)2(xP – xR) – yP

7. Elliptic Curve Addition Cases
Case 3: P = -Q, line does not intercept curve (xP = xQ, yP ≠ yQ)
R = “0” (additive identity)
Point at infinity
0 = -0

8. Elliptic Curves over Zp
Encryption requires modular arithmetic
Must be difficult to recover original points from R.
Modular arithmetic prevents “working backward”, as in RSA
Define “curve” as Ep(a, b) where p is the modulus, a, b are the coefficients of y2 = x3 + ax + b
Looking for (x, y) such that y2 = (x3 + ax + b) mod p
Note: “points” on curve are integers

9. Finding Points on a Zp Curve
Example: Points on elliptic curve y2 = x3 + x + 1 over GF(13):
Must find integer values for x, y < 13 such that (y2) mod 13 = (x3 + x + 1) mod 13
x = 0: y2 mod 13 = 1 mod y = 1
y = 1, (-1 mod 13 = 12)
x = 1: y2 mod 13 = 3 mod 13
y =  (16 mod 13 = 3)
y = 4, 9

10. Finding Points on a Zp Curve
Note: Not all values of x have a corresponding y
x = 2: y2 mod 13 = 11 mod No solution for y (Can test all y < 13)
x = 3: y2 mod 13 = 31 mod 13 = No solution for y (Can test all y < 13)
x = 4: y2 mod 13 = 69 mod 13 = 4
y = 2
y = 2, 11

11. Finding Points on a Zp Curve
Points on elliptic curve y2 = x3 + x + 1 over GF(13):

12. Elliptic Curve Mathematics
Computing (xR, yR) = (xP, yP) + (xQ, yQ)
Necessary to turn 2 points corresponding to key, plaintext into point corresponding to ciphertext
Main ideas:
Addition/subtraction/multiplication in mod p
Division = multiplication by inverse mod p

13. Example: (4, 2) + (10, 6) on E13(1, 1)
step 1: compute  = (yQ – yP) / (xQ – xP)
 = (6 – 2) x (10 – 4)-1 mod 13
= 4 x 6-1 mod mod 13 = 11
= 4 x 11 mod 13 = 5
step 2: compute xR =  2 – xP – xQ
xR = 25 – 4 – 10 mod 13 = 11
step 3: compute yR = (xP – xR) – yP
yR = 5 x (4 – 11) – 2 mod 13 = 2
(4, 2) + (10, 6) = (11, 2) note: also on curve!

14. Multiplication on an Elliptic Curve
Multiplication = addition multiple times
Necessary for some forms of elliptic curve cryptography
Must use formula where P = Q for first addition
Example: 3 x (1, 4) on E13(1, 1)
3 x (1, 4) = ((1, 4) + (1, 4)) + (1, 4)
= (8, 1) + (1, 4)
= (1, 9)

15. Elliptic Curve Encryption
Generally based on using elliptic curves in place of exponentiation in existing public key algorithm
Examples:
Elliptic Diffie-Hellman
Elliptic ElGamal

16. Elliptic Curve Diffie-Hellman
Alice and Bob agree on global parameters:
Ep(a, b): Elliptic curve mod P (prime) with parameters a and b
G : “Generator” point on that elliptic curve
Example: P = Ep(0, -4) the curve y2 = x G = (2, 2)

17. Elliptic Curve Diffie-Hellman
Alice and Bob select private nA and nB
They each generate a public PA and PB as PA = nA x G and PB = nB x G
They exchange these values
Example: nA = PA = 121 x (2, 2) = (115, 48) nB = PB = 203 x (2, 2) = (130, 203)
(115, 48)
(130, 203)

18. Elliptic Curve Diffie-Hellman
Alice and Bob generate the same key k
k = PB x nA = PA x nB
Proof: PB x nA = G x nB x nA PA x nB = G x nA x nB
Example: 121 x (130, 203) = 203 x (115, 48) = (161, 69)

19. Elliptic Curve ElGamal
Generating public and private keys:
Bob chooses an Ep(a, b) for an elliptic curve in Zp
Bob chooses a point (x1, y1) on that curve
Bob chooses a secret integer multiplier d < p
Bob computes a second point (x2, y2) on the curve as (x2, y2) = d  (x1, y1)
public key: the values p, a, and b that define the curve the two points (x1, y1) and (x2, y2)
private key: the multiplier d

20. Elliptic Curve ElGamal
Encryption:
Alice selects a point P on Ep(a, b) that corresponds to the plaintext message she wishes to send
Alice selects a random multiplier r
Alice creates the ciphertext as two points on the curve: C1 = r  (x1, y1) C2 = P + r  (x2, y2)

21. Elliptic Curve Encryption
Decryption:
Bob computes the plaintext as: P = C2 – (d  C1))
Why does this work?
P = C2 – (d  C1))
= (P + r  (x2, y2) ) – (d  r  (x1, y1) ))
= (P + d  r  (x1, y1) ) – (d  r  (x1, y1) ))
= P

22. Elliptic Curve ElGamal

23. Security and Speed Why is this secure? Why is this fast?
Same type of inverse modular problem (elliptic curve logarithm problem)
No simple way to determine d from (x1, y1) and (x2, y2) without trying all possible values
Computationally secure as long as p large enough to prevent this (2160 for example)
Why is this fast?
Only uses addition and multiplication – no exponents!

24. Elliptic Curves over GF(2n)
Represent points as polynomials {0, 1, g, g2, g3…} mod some irreducible polynomial in GF(2n)
Sort of like GF in AES
Added security
Slightly different equation used: y2 + xy = x3 + ax2 + b
Example: GF(23) using x3 + x + 1 as mod 1 g g2
g3 = g+1
g4 = g2+g
g5 = g2+g+1
g5 = g2+1
000
001
010
100
011
110
111
101

25. Elliptic Curves over GF(2n)
Points on elliptic curve y2 + xy = x3 + ax2 + b for a = g3 and b = 1