cryptography lecturenotes

8/16/2019 Cryptography LectureNotes

1/63

Elliptic Curve Cryptography


2/63

Cryptography

• The fundamental objective of cryptography

is to enable two people, usually referred to asAlice and Bob, to communicate over an

insecure channel in such a way that an

opponent, Oscar, cannot understand what is being said.


3/63

Elliptic Curve Crypto (ECC)

• “Elliptic curve” is not a cryptosystem

• Elliptic curves are a different way to do

the math in public key system

• Elliptic curve versions of DH, RSA, etc.

• Elliptic curves may be more efficient

– Fewer bits needed for same security

– But the operations are more complex


4/63

What is an Elliptic Curve?

• An elliptic curve E is the graph ofan equation of the form

y2 = x3 + ax + b

• Also includes a “point at infinity”

• What do elliptic curves look like?

• See the following!


5/63

Elliptic Curves

• Elliptic curves as algebraic/geometricentities have been studied extensively

for the past 150 years, and from these

studies has emerged a rich and deep

theory. Elliptic curve systems as applied

to cryptography were first proposed in

1985 independently by Neal Koblitz

from the University of Washington, and Victor Miller, who was then at IBM,

Yorktown Heights.


6/63

• Many cryptosystems often require the use ofalgebraic groups. Elliptic curves may be usedto form elliptic curve groups. A group is a set

of elements with custom-defined arithmeticoperations on those elements. For elliptic curvegroups, these specific operations are definedgeometrically. Introducing more stringent

properties to the elements of a group, such aslimiting the number of points on such a curve,creates an underlying field for an elliptic curvegroup. Elliptic curves are first examined overreal numbers in order to illustrate thegeometrical properties of elliptic curve groups.Thereafter, elliptic curves groups are examined

with the underlying fields of F p (where p is a prime) and F2m (a binary representation with2m elements).


7/63

Elliptic Curve Groups over Real

Numbers

• An elliptic curve over real numbers may be defined as theset of points (x,y) which satisfy an elliptic curve equation of the form:

• y2 = x3 + ax + b, where x, y, a and b are real numbers.

• Each choice of the numbers a and b yields a different ellipticcurve. For example, a = -4 and b = 0.67 gives the ellipticcurve with equation y2 = x3 - 4x + 0.67; the graph of thiscurve is shown below:

• If x3 + ax + b contains no repeated factors, or equivalently if 4a3 + 27b2 is not 0, then the elliptic curve y2 = x3 + a x + b

• can be used to form a group. An elliptic curve group over real numbers consists of the points on the correspondingelliptic curve, together with a special point O called the

point at infinity.


8/63

• P + Q = R is the additive property defined geometrically.


9/63

Elliptic Curve Addition: A

Geometric Approach

• Elliptic curve groups are additive groups;that is, their basic function is addition. Theaddition of two points in an elliptic curve isdefined geometrically.

The negative of a point P = (xP,yP) is itsreflection in the x-axis: the point -P is

(xP,-yP). Notice that for each point P on anelliptic curve, the point -P is also on the curve.


10/63

Adding distinct points P and Q

• Suppose that P and Q are two distinct points on an elliptic curve, and the P is

not -Q. To add the points P and Q, a line

is drawn through the two points. This

line will intersect the elliptic curve in

exactly one more point, call -R. The

point -R is reflected in the x-axis to the

point R. The law for addition in an

elliptic curve group is P + Q = R. For

example:


11/63


12/63

Adding the points P and -P

• The line through P and -P is a verticalline which does not intersect the ellipticcurve at a third point; thus the points Pand -P cannot be added as previously. It

is for this reason that the elliptic curvegroup includes the point at infinity O.By definition, P + (-P) = O. As a resultof this equation, P + O = P in the ellipticcurve group . O is called the additiveidentity of the elliptic curve group; allelliptic curves have an additive identity.


13/63


14/63

Doubling the point P

• To add a point P to itself, a tangent lineto the curve is drawn at the point P. If yPis not O, then the tangent line intersectsthe elliptic curve at exactly one other

point, -R. -R is reflected in the x-axis toR. This operation is called doubling the

point P; the law for doubling a point onan elliptic curve group is defined by:

P + P = 2P = R.


15/63

• The tangent from P is always vertical if yP = 0.


16/63

Doubling the point P if yP = 0

• If a point P is such that yP = 0, then the tangentline to the elliptic curve at P is vertical anddoes not intersect the elliptic curve at any other

point.

By definition, 2P = O for such a point P.

If one wanted to find 3P in this situation, one

can add 2P + P. This becomes P + O = P Thus3P = P.

3P = P, 4P = O, 5P = P, 6P = O, 7P = P, etc.


17/63


18/63

Elliptic Curve Addition: An

Algebraic Approach

• Although the previous geometric

descriptions of elliptic curves

provides an excellent method of

illustrating elliptic curve arithmetic,

it is not a practical way to

implement arithmetic computations.

Algebraic formulae are constructed to efficiently compute the geometric

arithmetic.


19/63


• When P = (xP, yP) and Q = (xQ, yQ) are notnegative of each other,

P + Q = R where

s = (yP - yQ) / (xP - xQ)

xR = s2 - xP - xQ and yR = -yP + s(xP - xR)

Note that s is the slope of the line through P

and Q.


20/63


• When yP is not 0,

2P = R where

s = (3xP2 + a) / (2yP )

xR = s2 - 2xP and yR = -yP + s(xP - xR)

Recall that a is one of the parameters

chosen with the elliptic curve and that sis the tangent on the point P.


21/63

Elliptic Curve Picture

• Consider elliptic curve

E: y2 = x3 - x + 1

• If P1 and P2 are on E, we can

define

P3 = P1 + P2

as shown in picture

• Addition is all we need

P1P2

P3

x

y


22/63

Points on Elliptic Curve

• Consider y2 = x3 + 2x + 3 (mod 5)

x = 0 y2 = 3 no solution (mod 5)

x = 1 y2 = 6 = 1 y = 1,4 (mod 5)

x = 2 y2 = 15 = 0 y = 0 (mod 5)

x = 3 y2 = 36 = 1 y = 1,4 (mod 5)

x = 4 y2

= 75 = 0 y = 0 (mod 5)• Then points on the elliptic curve are

(1,1) (1,4) (2,0) (3,1) (3,4) (4,0)

and the point at infinity:


23/63

Elliptic Curve Math

• Addition on: y2 = x3 + ax + b (mod p)

P1=(x1,y1), P2=(x2,y2)

P1 + P2 = P3 = (x3,y3) where

x3 = m2 - x1 - x2 (mod p)

y3 = m(x1 - x3) - y1 (mod p)

And m = (y2-y

1)(x

2-x

1)-1 mod p, if P

1P

2

m = (3x12+a)(2y1)

-1 mod p, if P1 = P2

Special cases: If m is infinite, P3 = , and

+ P = P for all P


24/63

Elliptic Curve Addition

• Consider y2 = x3 + 2x + 3 (mod 5). Points

on the curve are (1,1) (1,4) (2,0) (3,1)

(3,4) (4,0) and

• What is (1,4) + (3,1) = P3 = (x3,y3)?

m = (1-4)(3-1)-1 = -32-1

= 2(3) = 6 = 1 (mod 5)

x3 = 1 - 1 - 3 = 2 (mod 5)

y3 = 1(1-2) - 4 = 0 (mod 5)

• On this curve, (1,4) + (3,1) = (2,0)


25/63

ECC Diffie-Hellman

• Public: Elliptic curve and point (x, y) on curve• Secret: Alice’s A and Bob’s B

Alice, A Bob, B

A(x,y)

B(x,y)

• Alice computes A(B(x,y))• Bob computes B(A(x,y))

• These are the same since AB = BA


26/63

Elliptic Curve Deffie-Hellmen

(ECDH)

• Consistency: K=n AQ B=n A n B P=n BQ A

• ECDH is vulnerable to the man-in-the-middle attack


27/63

ECC Diffie-Hellman

• Public: Curve y2 = x3 + 7x + b (mod 37) and

point (2,5) b = 3

• Alice’s secret: A = 4• Bob’s secret: B = 7

• Alice sends Bob: 4(2,5) = (7,32)

• Bob sends Alice: 7(2,5) = (18,35)• Alice computes: 4(18,35) = (22,1)

• Bob computes: 7(7,32) = (22,1)


28/63


29/63

Elliptic Curve Groups over F pCalculations over the real numbers are slow and inaccurate

due to round-off error.

Cryptographic applications require fast and precisearithmetic; thus elliptic curve groups over the finite fields of F pand F2

m are used in practice.

Recall that the field F p uses the numbers from 0 to p - 1, and computations end by taking the remainder on division by p. For example, in F23 the field is composed of integers from 0 to 22,and any operation within this field will result in an integer also

between 0 and 22.

An elliptic curve with the underlying field of F p can formed bychoosing the variables a and b within the field of F p. Theelliptic curve includes all points (x, y) which satisfy the ellipticcurve equation modulo p (where x and y are numbers in F p).


30/63

• For example: y2 m o d p = x3 + ax + b mod p hasan underlying field of Fp if a and b are in Fp.

If x3 + ax + b contains no repeating factors (or,equivalently, if 4a3 + 27b2 mod p is not 0), thenthe elliptic curve can be used to form a group.An elliptic curve group over F

pconsists of the

points on the corresponding elliptic curve,together with a special point O called the pointat infinity. There are finitely many points onsuch an elliptic curve.


31/63

Example of an Elliptic Curve Group over F p

• As a very small example, consider an elliptic curve over thefield F23. With a = 1 and b = 0, the elliptic curve equation is

y2 = x3 + x. The point (9,5) satisfies this equation since:

y2 mod p = x3 + x mod p

25 mod 23 = 729 + 9 mod 23

25 mod 23 = 738 mod 23

2 = 2

The 23 points which satisfy this equation are:

(0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5)

(13,18) (15,3) (15,20) (16,8) (16,15) (17,10) (17,13) (18,10)

(18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)

These points may be graphed as below:


32/63


33/63

• Note that there is two points for every x value.Even though the graph seems random, there is stillsymmetry about y = 11.5. Recall that elliptic

curves over real numbers, there exists a negative point for each point which is reflected through thex-axis. Over the field of F23, the negativecomponents in the y-values are taken modulo 23,resulting in a positive number as a difference from23. Here -P = (xP, (-yP mod 23))

• Note that these rules are exactly the same as thosefor elliptic curve groups over real numbers, with

the exception that computations are performed modulo p.


34/63

Arithmetic in an Elliptic Curve Group over F p

• There are several major differences between elliptic

curve groups over F p and over real numbers.• Elliptic curve groups over F p have a finite number of

points, which is a desirable property for cryptographic purposes. Since these curves consist of a few discrete points, it is not clear how to "connect the dots" to

make their graph look like a curve. It is not clear howgeometric relationships can be applied. As a result,the geometry used in elliptic curve groups over realnumbers cannot be used for elliptic curve groups over F p. However, the algebraic rules for the arithmetic can

be adapted for elliptic curves over F p. Unlike elliptic

curves over real numbers, computations over the field of F p involve no round off error - an essential propertyrequired for a cryptosystem.


35/63


• The negative of the point P = (xP, yP) is the point -P = (xP, -yPmod p). If P and Q are distinct points such that P is not -Q, then

P + Q = R where

s = (yP - yQ) / (xP - xQ) mod p

xR = s2 - xP - xQ mod p and yR = -yP + s(xP - xR) mod p

Note that s is the slope of the line through P and Q.


36/63


• Provided that yP is not 0,

2P = R where

s = (3xP2 + a) / (2yP ) mod p

xR = s2 - 2xP mod p and yR = -yP + s(xP - xR)mod p

Recall that a is one of the parameters chosenwith the elliptic curve and that s is the slope ofthe line through P and Q.


37/63

Elliptic Curve Groups over F2m• Elements of the field F2

m are m-bit strings. The rules for arithmetic in F2

m can be defined by either polynomial

representation or by optimal normal basis re presentation.Since F2

m operates on bit strings, computers can performarithmetic in this field very efficiently.

• An elliptic curve with the underlying field F2m is formed by

choosing the elements a and b within F2m (the only condition

is that b is not 0). As a result of the field F2m having acharacteristic 2, the elliptic curve equation is slightlyadjusted for binary representation:

y2 + xy = x3 + ax2 + b

The elliptic curve includes all points (x, y) which satisfy theelliptic curve equation over F2m (where x and y are elements of

F2m ). An elliptic curve group over F2

m consists of the points onthe corresponding elliptic curve, together with a point atinfinity, O. There are finitely many points on such an ellipticcurve.

http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math9http://www.certicom.com/index.php?action=ecc_tutorial,math9http://www.certicom.com/index.php?action=ecc_tutorial,math8http://www.certicom.com/index.php?action=ecc_tutorial,math9http://www.certicom.com/index.php?action=ecc_tutorial,math8


38/63

An Example of an Elliptic Curve Group

over F2m

• As a very small example, consider the field F24, defined by using polynomial

representation with the irreducible polynomial f(x) = x4 + x + 1.

The element g = (0010) is a generator for the field . The powers of g are:

g0 = (0001) g1 = (0010) g2 = (0100) g3 = (1000) g4 = (0011) g5 = (0110)

g6 = (1100) g7 = (1011) g8 = (0101) g9 = (1010) g10 = (0111) g11 = (1110)

g12 = (1111) g13 = (1101) g14 = (1001) g15 = (0001)

In a true cryptographic application, the parameter m must be large enough to preclude theefficient generation of such a table otherwise the cryptosystem can be broken. In today's practice, m = 160 is a suitable choice. The table allows the use of generator notation (ge)rather than bit string notation, as used in the following example. Also, using generatornotation allows multiplication without reference to the irreducible polynomial

f(x) = x4 + x + 1.


39/63

• Consider the elliptic curve y2 + xy = x3 + g4x2 + 1. Here a =g4 and b = g0 =1. The point (g5, g3) satisfies this equationover F2

m :

y2 + xy = x3 + g4x2 + 1

(g3)2 + g5g3 = (g5)3 + g4g10 + 1

g6 + g8 = g15 + g14 + 1

(1100) + (0101) = (0001) + (1001) + (0001)

(1001) = (1001)

The fifteen points which satisfy this equation are:

(1, g13) (g3, g13) (g5, g11) (g6, g14) (g9, g13) (g10, g8) (g12, g12)

(1, g6) (g3, g8) (g5, g3) (g6, g8) (g9, g10) (g10, g) (g12, 0) (0, 1)

These points are graphed below:


40/63


41/63

Arithmetic in an Elliptic Curve

Group over F2m

• Elliptic curve groups over F2m have a

finite number of points, and their

arithmetic involves no round off error.

This combined with the binary nature of the field, F2

m arithmetic can be performed

very efficiently by a computer.

The following algebraic rules are applied for arithmetic over F2

m :


42/63


• The negative of the point P = (xP, yP) is the point -P =(xP, xP + yP). If P and Q are distinct points such that Pis not -Q, then

P + Q = R wheres = (yP - yQ) / (xP + xQ)

xR = s2 + s + xP + xQ + a and yR = s(xP + xR) + xR +yP

As with elliptic curve groups over real numbers, P + (-P)= O, the point at infinity. Furthermore, P + O = P for all

points P in the elliptic curve group.


43/63


• If xP = 0, then 2P = O

Provided that xP is not 0,

2P = R where

s = xP + yP / xP

xR = s2+ s + a and yR = xP2 + (s + 1) * xR

Recall that a is one of the parameters chosenwith the elliptic curve and that s is the slopeof the line through P and Q


44/63

Elliptic Curve groups and the

Discrete Logarithm Problem

• At the foundation of every cryptosystem is a hardmathematical problem that is computationally infeasibleto solve. The discrete logarithm problem is the basis forthe security of many cryptosystems including the Elliptic

Curve Cryptosystem. More specifically, the ECC reliesupon the difficulty of the Elliptic Curve DiscreteLogarithm Problem (ECDLP).

Recall that we examined two geometrically definedoperations over certain elliptic curve groups. These twooperations were point addition and point doubling. By

selecting a point in a elliptic curve group, one candouble it to obtain the point 2P. After that, one can addthe point P to the point 2P to obtain the point 3P. Thedetermination of a point nP in this manner is referred toas Scalar Multiplication of a point. The ECDLP is basedupon the intractability of scalar multiplication products.


45/63

Scalar Multiplication

• The following animation demonstrates scalar multiplication through the combination of pointdoubling and point addition.

• While it is customary to use additive notation to

describe an elliptic curve group (as has beendone previously in this classroom), some insightis provided by using multiplicative notation.Specifically, consider the operation called "scalar multiplication" under additive notation: that is,computing kP by adding together k copies of the

point P. Using multiplicative notation, thisoperation consists of multiplying together k copies of the point P, yielding the pointP*P*P*P*…*P = Pk.

Th Elli i C Di L i h


46/63

The Elliptic Curve Discrete Logarithm

Problem

• In the multiplicative group Z p*, the discrete logarithm problem is:given elements r and q of the group, and a prime p, find a number k such that r = qk mod p. If the elliptic curve groups is described usingmultiplicative notation, then the elliptic curve discrete logarithm problem is: given points P and Q in the group, find a number that Pk =Q; k is called the discrete logarithm of Q to the base P. When theelliptic curve group is described using additive notation, the elliptic

curve discrete logarithm problem is: given points P and Q in thegroup, find a number k such that Pk = Q

• Example:

In the elliptic curve group defined by

y2 = x3 + 9x + 17 over F23,

What is the discrete logarithm k of Q = (4,5) to the base P = (16,5)?


47/63

• One (naïve) way to find k is to computemultiples of P until Q is found. The first few

multiples of P are:

P = (16,5) 2P = (20,20) 3P = (14,14) 4P =(19,20) 5P = (13,10) 6P = (7,3) 7P = (8,7) 8P =(12,17) 9P = (4,5)

Since 9P = (4,5) = Q, the discrete logarithm of Q to the base P is k = 9.

In a real application, k would be large enoughsuch that it would be infeasible to determine k

in this manner.

A E l f th Elli ti C


48/63

An Example of the Elliptic Curve

Discrete Logarithm Problem

• What is the discrete

logarithm of Q(-0.35,2.39)

to the base P(-1.65,-2.79) in

the elliptic curve group y2 =

x

3

- 5x + 4 over realnumbers?


49/63

Diffie-Hellman


50/63

Diffie-Hellman

• Invented by Williamson (GCHQ) and,

independently, by D and H (Stanford)

• A “key exchange” algorithm

– Used to establish a shared symmetric key

• Not for encrypting or signing

• Security rests on difficulty of discrete log

problem: given g, p, and gk mod p find k


51/63

Diffie-Hellman

• Let p be prime, let g be a generator

– For any x {1,2,…,p-1} there is n s.t. x = gn mod p

• Alice selects secret value a• Bob selects secret value b

• Alice sends ga mod p to Bob

• Bob sends gb mod p to Alice

• Both compute shared secret gab mod p

• Shared secret can be used as symmetric key


52/63

Diffie-Hellman

• Suppose that Bob and Alice use gab mod p

as a symmetric key

• Trudy can see ga mod p and gb mod p

• Note ga gb mod p = ga+b mod p gabmod p

• If Trudy can find a or b, system is broken

• If Trudy can solve discrete log problem,then she can find a or b


53/63

Diffie-Hellman

• Public: g and p

• Secret: Alice’s exponent a, Bob’s exponent b

Alice, a Bob, b

ga mod p

gb mod p

• Alice computes (gb)a = gba = gab mod p• Bob computes (ga)b = gab mod p

• Could use K = gab mod p as symmetric key


54/63

Diffie-Hellman

• Subject to man-in-the-middle (MiM) attack

Alice, a Bob, b

ga mod p

gb mod p

Trudy, t

gt mod p

gt mod p

• Trudy shares secret gat mod p with Alice• Trudy shares secret gbt mod p with Bob• Alice and Bob don’t know Trudy exists!


55/63

Diffie-Hellman

• How to prevent MiM attack?

– Encrypt DH exchange with symmetric key

– Encrypt DH exchange with public key – Sign DH values with private key

– Other?

• You MUST be aware of MiM attack onDiffie-Hellman


56/63

Public-key encryption

• Key generation algorithm: randomized algorithm that outputs

(pk, sk)

• Encryption algorithm: – Takes a public key and a message (plaintext), and outputs a

ciphertext; c E pk (m)

• Decryption algorithm:

– Takes a private key and a ciphertext, and outputs a message(or perhaps an error); m = Dsk (c)

• Correctness: for all (pk, sk), Dsk (E pk (m)) = m


57/63

El Gamal encryption

p, g

hA = gx mod p

hB = gy mod p

K AB = (hB)x K BA = (hA)

y

p, g, hA = gx

Receiver Sender

c = (K BA. m) mod p

hB, c


58/63

• Alice signs a message M to Bob by computing – the hash m = H(M), 0


59/63

use field GF(19) q 19 and a 10

• Alice computes her key:

A chooses xA=16 & computes yA=1016mod 19 = 4

• Alice signs message with hash m=14 as (3,4):

– choosing random K=5 which has gcd(18,5)=1

– computing S1 = 105mod 19 = 3

– finding K-1 mod (q-1) = 5-1 mod 18 = 11 – computing S2 = 11(14-16.3) mod 18 = 4

• any user B can verify the signature by computing

–

V1 = 10

14

mod 19 = 16– V2 = 4

3.34 = 5184 = 16 mod 19

– since 16 = 16 signature is valid

Elliptic Curve Digital Signature Algorithm


60/63

p g g g

(ECDSA)


61/63

RSA background

• N=pq, p and q distinct, odd primes

• (N) = (p-1)(q-1)

– Easy to compute (N) given the factorization of N – Hard to compute (N) without the factorization of N

• Fact: for all x Z N*, it holds that x(N) = 1 mod N

• If ed=1 mod (N), then for all x it holds that

(xe

)d

= x mod Ni.e., this is a way to compute eth roots


62/63

RSA key generation

• Generate random p, q of sufficient length

• Compute N=pq and (N) = (p-1)(q-1)

• Compute e and d such that ed = 1 mod (N) – e must be relatively prime to (N)

• Public key = (N, e); private key = (N, d)

• To encrypt a message m Z N*, compute

c = me

mod N• To decrypt a ciphertext c, compute m = cd mod N


63/63

Hardness of computing eth roots?

• The RSA problem:

– Given N, e, and c, compute c1/e mod N

• If factoring is easy, then the RSA problem is

easy• We know of no other way to solve the RSA

problem besides factoring N

– But we do not know how to prove that the

RSA problem is as hard as factoring• The upshot: we believe factoring is hard, and

we believe the RSA problem is hard

cryptography lecturenotes

Documents