Published by Anis Pierce. Modified over 9 years ago.
1
Ipsita Sahoo, 10IT61B05
School of Information Technology, IIT Kharagpur
October 29, 2011
ELLIPTIC CURVES IN CRYPTOGRAPHY
2
OUTLINE
Introduction
Background of Public Key Cryptosystem
Definition of Elliptic Curves
Elliptic Curve on Finite Fields
What is Elliptic Curve Cryptography?
Elliptic Curve Key Pairs
ECDH
ECDSA
Comparable key sizes
Advantages and Disadvantages of ECC
Applications
Summary
References
3
INTRODUCTION
The use of elliptic curves in cryptography was suggested by Neal Koblitz and Victor S. Miller in 1985. Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The security of public-key cryptography depends on the difficulty of solving hard problems defined in complexity theory.
4
For elliptic curve based protocols, it is assumed that finding the discrete logarithm of an elliptic curve element is infeasible. The size of the elliptic curve determines the difficulty of the problem. Over the past few years elliptic curve cryptography has been gaining popularity and has been standardized around the world by agencies such as ANSI, IEEE and ISO.
5
BACKGROUND OF PUBLIC KEY CRYPTOSYSTEM
Cryptosystems based on the following mathematical problems are considered secure and efficient:
Integer Factorization Problem (IFP): examples are RSA and Rabin-Williams.
Discrete Logarithm Problem (DLP): DSA, Diffie-Hellman and MQV key agreement schemes, the ElGamal encryption and signature scheme, etc.
Elliptic Curve Discrete Logarithm Problem (ECDLP): ECDSA, Elliptic Curve Diffie-Hellman and elliptic curve MQV key agreement schemes, the ElGamal encryption and signature scheme, etc.
6
Since 1985, ECC has received intense scrutiny from cryptographers, mathematicians, and computer scientists around the world. No significant weaknesses have been found, and as a result there is high confidence in the security of ECC. ECC has become more attractive than RSA and DSA.
7
DEFINITION OF ELLIPTIC CURVES
The general equation for an elliptic curve, as the set of all points on the curve, is:
$y^2 + b_1 xy + b_2 y = x^3 + a_1 x^2 + a_2 x + a_3$
Elliptic curves over the real numbers use a special case of the form:
$y^2 = x^3 + ax + b$
where the coefficients a and b are elements of the field and satisfy $4a^3 + 27b^2 \neq 0$, which makes the elliptic curve nonsingular. Each pair of values a and b gives a different elliptic curve. An equation of this kind can be studied over various mathematical structures, such as a ring or a field.
8
An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) = 0, with a rational point (which may be a point at infinity). The field K is usually taken to be the complex numbers, reals, rationals, algebraic extensions of rationals, or a finite field. One interesting property of the set of solutions of an elliptic curve is that it forms a group, which enables us to do cryptography. The public key is a point on the curve and the private key is a random number. The public key is obtained by multiplying the private key with the generator point G on the curve. Elliptic curve groups for cryptography are examined with the underlying finite fields GF(p) (where p > 3 is a prime) and $GF(2^n)$ (a binary representation with $2^n$ elements).
9
GRAPHICAL REPRESENTATION
Elliptic curve over a real field with a = -4 and b = 0, equation: $y^2 = x^3 - 4x$
The equation is non-singular with three real roots.
10
POINT ADDITION
Point addition is the addition of two points P and Q on an elliptic curve to obtain another point R on the same elliptic curve.
11
Where, and is the slope of the line and is given by the following formula:
12
POINT DOUBLING
Point doubling is the addition of a point P on the elliptic curve to itself to obtain another point R on the same elliptic curve.
13
POINT MULTIPLICATION
In point multiplication a point P on the elliptic curve is multiplied by a scalar k, using the elliptic curve equation, to obtain another point Q on the same elliptic curve, i.e. Q = kP.
Point multiplication is achieved by adding the point P to itself k times.
Point multiplication is also achieved by two basic elliptic curve operations:
1. Point addition
2. Point doubling
For example, if k = 11 then $kP = 11P = 2(2(2P) + P) + P$.
14
THE ABELIAN GROUP
An abelian group using points on an elliptic curve E can be defined with two points P, Q in E and a third point denoted by R (R = P + Q) on E. The following relations then hold for all P, Q, R in E:
Closure: R = P + Q and R = P + P
Associativity: (P + Q) + R = P + (Q + R)
Commutativity: P + Q = Q + P
Existence of an identity element: P + O = O + P = P
Existence of inverses: there exists (-P) such that -P + P = P + (-P) = O
15
ELLIPTIC CURVE ON FINITE FIELD
To make operations on elliptic curves accurate and more efficient, elliptic curve cryptography is defined over two finite fields:
Prime field GF(p)
Binary field $GF(2^n)$
The field is chosen with a finitely large number of points suited for cryptographic operations.
16
ELLIPTIC CURVE OVER GF(p)
Let GF(p) be a finite field, p > 3, and let $a, b \in GF(p)$ be constants such that $4a^3 + 27b^2 \not\equiv 0 \pmod p$. An elliptic curve, $E_p(a,b)$, is defined as the set of points $(x,y)$, $x, y \in GF(p)$, which satisfy the equation
$y^2 \equiv x^3 + ax + b \pmod p$
Here the elements of the finite field are integers between 0 and p-1. All the operations such as addition, subtraction, division and multiplication involve integers between 0 and p-1. The points form a finite group together with a special point, O, called the point at infinity or zero point. The prime number p is chosen such that there is a finitely large number of points on the elliptic curve to make the cryptosystem secure. Standards for Efficient Cryptography (SEC) specifies curves with p ranging between 112-512 bits.
17
ALGEBRAIC RULES FOR PRIME FIELDS GF(p)
Let P and Q be two points on $E_p(a,b)$ and O the point at infinity.
If $P = (x_1, y_1)$ then $-P = (x_1, -y_1)$ and $P + (-P) = O$. Here $-y_1$ is the additive inverse of $y_1$.
If $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, and P and Q are not O, then $P + Q = (x_3, y_3)$ where
$x_3 = \lambda^2 - x_1 - x_2$
$y_3 = \lambda(x_1 - x_3) - y_1$
and
$\lambda = (y_2 - y_1)/(x_2 - x_1)$ if $P \neq Q$
$\lambda = (3x_1^2 + a)/(2y_1)$ if $P = Q$
18
ELLIPTIC CURVE OVER $GF(2^n)$ FOR SOME $n \geq 1$
The elliptic curve $E_p(a,b)$ is defined to be the set of points $(x,y)$ which satisfy the equation
$y^2 + xy = x^3 + ax^2 + b$
where $x, y \in GF(2^n)$ and $b \neq 0$, together with the point on the curve at infinity, O. The points on an elliptic curve form an abelian group under a well defined group operation. The identity of the group operation is the point O.
19
ALGEBRAIC RULES FOR BINARY FIELD $GF(2^n)$
The rules for adding points in $GF(2^n)$ are slightly different from the rules for GF(p).
For the inverse: if $P = (x, y)$, then $-P = (x, x + y)$.
If $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, and P and Q are not O, then $P + Q = (x_3, y_3)$, where
$x_3 = \lambda^2 + \lambda + x_1 + x_2 + a$
$y_3 = \lambda(x_1 + x_3) + x_3 + y_1$
and $\lambda = (y_1 + y_2)/(x_1 + x_2)$ if $P \neq Q$
If Q = P, then R = P + P (or R = 2P) can be found as
$x_3 = \lambda^2 + \lambda + a$
$y_3 = x_1^2 + (\lambda + 1)x_3$
and $\lambda = (x_1 y_1 + x_1)/y_1$ if $P = Q$
20
WHAT IS ELLIPTIC CURVE CRYPTOGRAPHY (ECC)?
Elliptic curve cryptography (ECC) is a public-key cryptosystem just like RSA, Rabin, and ElGamal.
Every user has a public and a private key.
The public key is used for encryption/signature verification.
The private key is used for decryption/signature generation.
Elliptic curves are used as an extension to other current cryptosystems:
Elliptic Curve Diffie-Hellman Key Exchange
Elliptic Curve Digital Signature Algorithm
21
ELLIPTIC CURVE CRYPTOSYSTEM
The majority of public key cryptosystems (RSA, DH) use either integer or polynomial arithmetic with very large numbers/polynomials. This imposes a significant load in storing and processing keys and messages.
The security of ECC depends on the difficulty of the Elliptic Curve Discrete Logarithm Problem. Let P and Q be two points on an elliptic curve such that kP = Q, where k is a scalar. Given P and Q, it is computationally infeasible to obtain k, if k is sufficiently large. k is the discrete logarithm of Q to the base P.
All operations are performed over a Galois field, so the results of kP seem rather "random".
22
ECC DOMAIN PARAMETERS
ECC domain parameters [1] over GF(p) are a sextuple: T = (p, a, b, G, n, h)
p is the prime number defined for the finite field GF(p).
$a, b \in GF(p)$ define the curve: $y^2 \equiv x^3 + ax + b \pmod p$ for p > 3, or $y^2 + xy = x^3 + ax^2 + b$ for $2^n$ where $n \geq 1$.
G is the generator point or base point $(x_G, y_G)$ on $E_p(a,b)$.
n is a prime which is the order of G. (The order of a point P on an elliptic curve is the smallest positive integer r such that rP = O.)
h is an integer, the cofactor $h = \#E_p(a,b)/n$, where $\#E_p(a,b)$ represents the number of points on the elliptic curve and is called the curve order.
23
ELLIPTIC CURVE KEY PAIR GENERATION
An elliptic curve key pair (d, Q) associated with T consists of an elliptic curve secret key d and an elliptic curve public key $Q = (x_Q, y_Q)$. Elliptic curve key pairs should be generated [2] as follows:
Input: Valid elliptic curve domain parameters T = (p, a, b, G, n, h)
Output: An elliptic curve key pair (d, Q) associated with T.
Actions: Generate an elliptic curve key pair as follows:
1. Randomly select an integer d in the interval [1, n-1].
2. Calculate Q = dG.
3. Output (d, Q).
24
ELLIPTIC CURVE PUBLIC KEY VALIDATION
Input: Valid elliptic curve domain parameters T = (p, a, b, G, n, h) and an elliptic curve public key $Q = (x_Q, y_Q)$ associated with T.
Output: An indication of whether the elliptic curve public key is valid or not: either 'valid' or 'invalid'.
Actions: Validate [2] the elliptic curve public key as follows:
1. Check that $Q \neq O$.
2. If T represents elliptic curve domain parameters over GF(p), check that $x_Q$ and $y_Q$ are integers in the range [1, p-1], and that: $y_Q^2 \equiv x_Q^3 + a x_Q + b \pmod p$
3. Check that nQ = O.
4. If any of the checks fail, output 'invalid', otherwise output 'valid'.
25
ECDH – ELLIPTIC CURVE DIFFIE HELLMAN
ECDH is a key agreement protocol that allows two parties to establish a shared secret key that can be used as a private key for encryption algorithms.
Both parties exchange some public information with each other. Using this public data and their own private data, the parties calculate the shared secret key.
Any third party who doesn't have access to the private details of each device will not be able to calculate the shared secret from the available public information.
For generating a shared secret between A and B using ECDH, both have to agree upon elliptic curve domain parameters.
26
ECDH CONTD…
Both ends have a key pair consisting of a private key d (a randomly selected integer less than n) and a public key Q = d * G (G is the generator point).
Let $(d_A, Q_A)$ be the private and public key pair of A and $(d_B, Q_B)$ be the private and public key pair of B.
The end A computes $K = (x_K, y_K) = d_A * Q_B$
The end B computes $L = (x_L, y_L) = d_B * Q_A$
Since $d_A Q_B = d_A d_B G = d_B Q_A$, K = L and hence $x_K = x_L$.
Hence the shared secret is $x_K$.
It is practically impossible to find the private key $d_A$ or $d_B$ from the public key K or L, so it is not possible for a third party to obtain the shared secret.
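The GF(p) addition rules, double-and-add point multiplication, key pair generation, public key validation and ECDH steps from the preceding slides, combined in one added example (not part of the original presentation). It assumes a toy textbook curve $y^2 = x^3 + 2x + 2$ over GF(17) with G = (5, 1) and n = 19, and all function names are illustrative. The range check accepts coordinates 0 to p-1, the interval SEC 1 uses, so points with x = 0 on this curve are accepted.

```python
import secrets

# Assumed toy curve y^2 = x^3 + 2x + 2 over GF(17); far too small for real use.
p, a, b = 17, 2, 2
G, n, h = (5, 1), 19, 1          # base point, its prime order, cofactor
O = None                         # point at infinity

def add(P, Q):
    """Point addition and doubling with the GF(p) rules (lam is the slope)."""
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                  # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):
    """Scalar multiplication kP by double-and-add (not constant time)."""
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def keygen():
    """Key pair (d, Q): d random in [1, n-1], Q = dG."""
    d = secrets.randbelow(n - 1) + 1
    return d, mul(d, G)

def validate(Q):
    """Public key validation: Q != O, coordinates in range, on curve, nQ = O."""
    if Q is O:
        return False
    x, y = Q
    in_range = 0 <= x < p and 0 <= y < p          # SEC 1 interval [0, p-1]
    on_curve = (y * y - (x ** 3 + a * x + b)) % p == 0
    return in_range and on_curve and mul(n, Q) is O

def ecdh(d, Q_peer):
    """Shared secret x_K of K = d * Q_peer; rejects unvalidated peer keys."""
    if not validate(Q_peer):
        raise ValueError("invalid peer public key")
    return mul(d, Q_peer)[0]
```

The toy field keeps every step checkable by hand; deployments use a standardized curve and a vetted library with constant-time arithmetic.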
27
ECDSA - ELLIPTIC CURVE DIGITAL SIGNATURE ALGORITHM
Used for authenticating a device or a message sent by the device.
Signature Generation: To sign a message m, an entity A with domain parameters $(p, E_p(a,b), G, n)$ and associated key pair (x, Q) does the following:
1. Select an integer k such that $1 \leq k \leq n-1$
2. Compute $kQ = (x_1, y_1)$
3. Compute $r = x_1 \pmod n$. If r = 0 then go to step 1
4. Compute $k^{-1} \pmod n$
5. Compute SHA-1(m) and convert this string to an integer H(m)
6. Compute $s = k^{-1}(H(m) + xr) \pmod n$. If s = 0, then go to step 1
7. A's signature for the message m is (r, s)
28
ECDSA CONTD…
Signature Verification: To verify A's signature (r, s) on m, B obtains an authentic copy of A's domain parameters $(p, E_p(a,b), G, n)$ and associated public key Q. B then does the following:
1. Verify that r and s are integers in the interval [1, n-1]
2. Compute SHA-1(m) and convert this string to an integer H(m)
3. Compute $w = s^{-1} \pmod n$
4. Compute $u_1 = H(m)w \pmod n$ and $u_2 = rw \pmod n$
5. Compute $X = (x_2, y_2) = u_1 G + u_2 Q$
6. If X = O, then reject the signature. Otherwise, compute $v = x_2 \pmod n$
7. Accept the signature if and only if v = r
29
COMPARABLE KEY SIZES (BASED ON RUNNING TIME)
ECC, DSA and RSA key length comparisons [5] done by Lopez and Dahab in May 2000.
30
RSA VS ECC
Figure from [3]
31
ADVANTAGES OF ECC
Alternative hard problem
Speed
Data size
New types of schemes
Many options
32
DISADVANTAGES OF ECC
Alternative hard problem
Curve generation
Many options
33
APPLICATIONS OF ECC
Wireless communication devices
Smart cards
Web servers that need to handle many encryption sessions
Any application where security is needed but which lacks the power, storage and computational power necessary for our current cryptosystems
34
SUMMARY OF ELLIPTIC CURVES IN CRYPTOGRAPHY
ECC offers an attractive alternative to other public-key cryptosystems.
New hard problem (analogous to discrete log): Q = kP, where Q, P belong to a prime curve.
Given k, P it is "easy" to compute Q.
Given Q, P it is "hard" to find k; this is known as the elliptic curve logarithm problem (k must be large enough).
ECC security relies on the elliptic curve logarithm problem.
Smaller key size compared with RSA etc. for similar security.
ECC offers significant computational advantages.
35
REFERENCES
[1] http://www.secg.org/collateral/sec2_final.pdf
[2] http://www.secg.org/collateral/sec1_final.pdf
[3] "The Basics of ECC", http://www.certicom.com
[4] http://mathworld.wolfram.com/EllipticCurve.html
[5] Julio Lopez and Richard Dahab, An Overview of Elliptic Curve Cryptography, May 2000. http://citeseer.ist.psu.edu/lop00overview.html
[6] http://www.dkrypt.com/home/ecc
[7] William Stallings, Cryptography and Network Security: Principles and Practices, 4th edition, Prentice-Hall of India
36
THANK YOU