Elliptic Curve Cryptography Celia Li Computer Science and Engineering November 10, 2005

Upload: geraldine-bathsheba-alexander

Post on 06-Jan-2018


Elliptic Curve Cryptography

Celia Li

Computer Science and Engineering

November 10, 2005


Content

Introduction of Elliptic Curve Theory

Elliptic Curve Diffie-Hellman Protocol

Elliptic Curve Digital Signature Authentication

ECC Security Analysis


What is Elliptic Curve Cryptography (ECC) ?

A public key encryption technique based on elliptic curve theory that can be used to create faster, smaller, and more efficient cryptographic keys


Elliptic Curve Over Real Numbers

Set of points (x, y): $y^2 = x^3 + ax + b$, where x, y, a and b are real numbers.

Includes all points (x, y) plus a special point O, called the point at infinity.

Point O does not satisfy the elliptic curve equation, but is needed for the addition operation.


Elliptic Curve Addition

Adding distinct points P and Q

$P = (x_P, y_P)$, $Q = (x_Q, y_Q)$ are not negatives of each other

P + Q = R where

$s = (y_P - y_Q)/(x_P - x_Q)$

$x_R = s^2 - x_P - x_Q$

$y_R = -y_P + s(x_P - x_R)$

s is the slope of the line through P and Q

Example: P(-2.35, -1.86), Q(-0.1, 0.836), -R(3.89, 5.62), R(3.89, -5.62)

P+Q=R=(3.89, -5.62)

(Figure: P+Q=R)


Elliptic Curve Addition

Adding Points P and -P

Elliptic curve group includes the point at infinity O.

P+(-P)=O

P+O=P

All elliptic curves have the point at infinity O

(Figure: P+(-P)=O)


Elliptic Curve Addition

Doubling the Point P if $y_P \neq 0$

$P = (x_P, y_P)$, $y_P \neq 0$

P+P=2P=R

$s = (3x_P^2 + a)/(2y_P)$

$x_R = s^2 - 2x_P$

$y_R = -y_P + s(x_P - x_R)$

Example: P(2, 2.65), -R(-1.11, -2.64), R(-1.11, 2.64)

2P=R=(-1.11, -2.64)

(Figure: P+P=2P=R)


Elliptic Curve Addition

Doubling the Point P if $y_P = 0$

P+P=2P=O

3P=2P+P=O+P=P

4P=3P+P=P+P=O

5P=P, 6P=O, 7P=P, etc.

(Figure labels: 2P=O; (1.1, 0))


Elliptic Curve Over Finite Field Fz

Major Difference between Elliptic Curve Over $F_z$ and Over Real Numbers

Elliptic curve over $F_z$ has a finite number of points

Unlike elliptic curve over real numbers, computations over $F_z$ involve no round-off error

Computations are performed modulo z


Elliptic Curve Over Finite Field Fz

Set of points (x, y) that satisfy $y^2 = x^3 + ax + b \bmod z$, where z is a prime number > 3 and $a, b, x, y \in F_z$

Adding Distinct Points P and Q

$P = (x_P, y_P)$, $-P = (x_P, -y_P \bmod z)$

P+Q=R where

$s = (y_P - y_Q)/(x_P - x_Q) \bmod z$

$x_R = s^2 - x_P - x_Q \bmod z$

$y_R = -y_P + s(x_P - x_R) \bmod z$

Doubling the Point P if $y_P \neq 0$

2P=R where

$s = (3x_P^2 + a)/(2y_P) \bmod z$

$x_R = s^2 - 2x_P \bmod z$

$y_R = -y_P + s(x_P - x_R) \bmod z$


Conclude Elliptic Curve Theory

Crucial Property of an Elliptic Curve

Define a rule for “adding” two points which are on the elliptic curve, to obtain a 3rd point which is also on the elliptic curve

Include a special point O, which does not satisfy the elliptic curve equation

Order of a Point

Order of a point P on the elliptic curve is the smallest integer r such that r*P=O


Elliptic Curve Discrete Logarithm Problem (ECDLP)

Public-key cryptography systems use hard-to-solve problems as the basis of the algorithm

Prime factorization is a hard problem used by RSA

ECDLP is a “hard” problem used by ECC

Given two points Q & G on elliptic curve, such that Q = d*G

Can we easily find integer d?

Q is public key, d is private key

Relatively easy to perform, but extremely difficult to reverse


Elliptic Curve Diffie-Hellman Protocol

Q: public key

d: private key

G: a fixed point on elliptic curve

Alice: Generates $d_{Alice}$, computes $Q_{Alice} = d_{Alice} * G$, publishes curve point $Q_{Alice}$

Bob: Generates $d_{Bob}$, computes $Q_{Bob} = d_{Bob} * G$, publishes $Q_{Bob}$

Alice computes $P_1 = d_{Alice} * Q_{Bob}$

Bob computes $P_2 = d_{Bob} * Q_{Alice}$

Use this computed point $P_1$ or $P_2$ as the shared secret key

$P_1 = d_{Alice} * (d_{Bob} * G)$

$P_2 = d_{Bob} * (d_{Alice} * G)$

$P_1 = P_2 = d_{Alice} * d_{Bob} * G$

Given a curve point G and the result of d*G, it is difficult to compute d.

(Diagram: Message exchanged between the two parties, each holding the shared secret key.)


Elliptic Curve Digital Signature Authentication

$Q_{Alice}$: public key

$d_{Alice}$: private key

G: a point on elliptic curve

n: order of point G, n*G=O

Signing (Alice)

Select a random number $k \in [1, n-1]$

Compute point P = k*G = (x, y)

Compute r = x mod n

r=0? Yes: select a new k. No: continue

e = SHA-1(m)

Compute $s = k^{-1}(e + d_{Alice} * r) \bmod n$

s=0? Yes: select a new k. No: continue

Signature of m is the pair (r, s)

Sends message m and her signature (r, s)

Verification

Verify r and s are integers in the range [1, n-1]. No: Reject. Yes: continue

e = SHA-1(m)

Compute $w = s^{-1} \bmod n$

Compute $u_1 = e * w$ and $u_2 = r * w$

Point $X = (x_1, y_1) = u_1 * G + u_2 * Q_{Alice}$

X=O? Yes: Reject. No: continue

Compute $v = x_1 \bmod n$

Accept Alice’s signature if v=r

Modular inverse: (k*x) mod n = 1, so $x = k^{-1}$

Example: (29*35) mod 78 = 1
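The finite-field addition and doubling rules, the Diffie-Hellman exchange and the signing and verification flows from the slides above, combined in one Python sketch. This is an added example, not part of the original slides: the curve y^2 = x^3 + 2x + 2 mod 17, the base point G = (5, 1) with order n = 19 and all function names are constructed for illustration, and parameters this small give no security.

```python
import hashlib, secrets
# Constructed toy curve y^2 = x^3 + 2x + 2 mod 17: far too small for real use.
Z, A = 17, 2
G, N, O = (5, 1), 19, None   # base point, its order n (N*G = O), point at infinity

def add(P, Q):
    """P + Q with the slide formulas, all arithmetic mod Z."""
    if P is O: return Q
    if Q is O: return P
    (xp, yp), (xq, yq) = P, Q
    if xp == xq and (yp + yq) % Z == 0:
        return O                        # P + (-P) = O, and 2P = O when yP = 0
    if P == Q:
        s = (3 * xp * xp + A) * pow(2 * yp % Z, -1, Z) % Z
    else:
        s = (yp - yq) * pow((xp - xq) % Z, -1, Z) % Z
    xr = (s * s - xp - xq) % Z
    return xr, (-yp + s * (xp - xr)) % Z

def mul(d, P):                          # d*P by double-and-add
    R = O
    while d:
        if d & 1: R = add(R, P)
        P, d = add(P, P), d >> 1
    return R

def ecdh(d_own, Q_peer):                # shared point: own private key * peer's public point
    return mul(d_own, Q_peer)

def digest(m):
    return int.from_bytes(hashlib.sha1(m).digest(), "big") % N   # e = SHA-1(m), mod n

def sign(m, d):
    """Signing flow: pick a fresh random k whenever r = 0 or s = 0."""
    while True:
        k = secrets.randbelow(N - 1) + 1                 # k in [1, n-1]
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (digest(m) + d * r) % N
        if r and s:
            return r, s

def verify(m, sig, Q):
    """Verification flow: range check, reject X = O, accept if x1 mod n = r."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    X = add(mul(digest(m) * w % N, G), mul(r * w % N, Q))
    return X is not O and X[0] % N == r
```

Production systems use standardized curves and a vetted cryptographic library rather than hand-written point arithmetic like this.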


Security Analysis

| RSA Key Size | Time to Break Key (MIPS Years) | ECC Key Size for Equivalent Security | RSA:ECC Key Size Ratio |
|---|---|---|---|
| 512 | $10^4$ | 106 | 5:1 |
| 768 | $10^8$ | 132 | 6:1 |
| 1,024 | $10^{11}$ | 160 | 7:1 |
| 2,048 | $10^{20}$ | 210 | 10:1 |
| 21,000 | $10^{78}$ | 600 | 35:1 |

ECC can offer the same level of security as RSA and other public key cryptography methods with smaller keys

Designed for devices with limited memory, bandwidth, computational power, e.g. smartcards and PDAs



Thank You !