Mathematics Towards Elliptic Curve Cryptography by Dr. R. Srinivasan Dean R & D and Post Graduate Studies RNS Institute of Technology, Bangalore Comp Sc. Dept, Mysore 10.9..2011


Post on 05-Dec-2014


Page 1: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Mathematics Towards Elliptic Curve Cryptography

by Dr. R. Srinivasan

Dean R & D and Post Graduate Studies, RNS Institute of Technology, Bangalore

Comp Sc. Dept, Mysore 10.9.2011

Page 2: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Cryptography Definitions

1. Cryptography (or cryptology; from Greek κρυπτός, kryptos, "hidden, secret"; and γράφειν, graphein, "writing", or -λογία, -logia, "study", respectively)[1] is the practice and study of hiding information. Modern cryptography intersects the disciplines of mathematics, computer science, and electrical engineering.

2. Cryptography is the science of information security. The word is derived from the Greek kryptos, meaning hidden. Cryptography is closely related to the disciplines of cryptology and cryptanalysis.

3. Discipline or techniques employed in protecting integrity or secrecy of electronic messages by converting them into unreadable (cipher text) form. Only the use of a secret key can convert the cipher text back into human readable (clear text) form. Cryptography software and/or hardware devices use mathematical formulas (algorithms) to change text from one form to another.

Source: Internet

Page 3: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Evolution of Cryptography

• The origin of cryptography is usually dated from about 2000 BC, with the Egyptian practice of hieroglyphics. These consisted of complex pictograms, the full meaning of which was only known to an elite few.

•The earliest known use of cryptography is found in non-standard hieroglyphs carved into monuments from the Old Kingdom of Egypt circa 1900 BC.

• Some clay tablets from Mesopotamia somewhat later are clearly meant to protect information — one dated near 1500 BC was found to encrypt a craftsman's recipe for pottery glaze, presumably commercially valuable.

• Hebrew scholars made use of simple monoalphabetic substitution ciphers such as the Atbash cipher beginning perhaps around 500 to 600 BC

• Then Romans, Julius Caesar (110BC to 44BC),…..

• It was probably religiously motivated textual analysis of the Qur’an which led to the invention of the frequency analysis technique for breaking monoalphabetic substitution ciphers, possibly by Al-Kindi, an Arab mathematician sometime around AD 800

Page 4: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Hieroglyphs

Hieroglyphs showing the words for Father, Mother, Son,

Egyptian Hieroglyphs for Kids!

Source: Internet

Page 5: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Zimmermann’s Telegram – January 16, 1917

The message came as a coded telegram dispatched by the Foreign Secretary of the German Empire, ARTHUR ZIMMERMANN, on January 16, 1917, to the German ambassador in Washington D.C., Johann von Bernstorff, at the height of World War I. On January 19, Bernstorff, per Zimmermann's request, forwarded the telegram to the German ambassador in Mexico, Heinrich von Eckardt.

Source: Internet

Page 6: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Source: Internet

Page 7: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Hopes and Assumptions

• Modern cryptographic algorithms – computational hardness assumptions

- hoping such algorithms are hard to break by a HACKER

- but only computationally secure !!

• Information theoretically secure algorithms

– provably cannot be broken – like one time pad algorithm

- but more difficult to implement compared to the former one

• But if you do something good, there are others to use it for criminal and bad purposes

• Our example: Internet – it was not built with security in mind – leads to hacking – hence we go to cryptography

Page 8: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Examples – bad and terrifying

1. Sony’s PlayStation & Entertainment Networks: Repeatedly attacked

- More than 100 million users’ accounts compromised and the on-line gaming halted for several weeks!!

2. Internet marketing co.: Millions of customers’ e-mail addresses taken from 100 major corporations

3. South Korea’s agricultural co-operative: banking systems crashed for a week – kept 30 million customers from accessing their accounts

4. Hyundai Capital: blackmailers broke into the financial systems – accessed personal details of 1.75 million customers and demanded US $460 000 – not to make the information public

5. Targeted attacks on security vendors also: a hacker fooled with SSL certificates to large websites like Google, Yahoo, Mozilla, and Skype

6. Cyber intrusions: government computer systems in Australia, Canada, France and United States

7. British Government: saw more than 650 attempted intrusions per day !!

8. US Government : received 15,000 hits per day – about one every 6 seconds!!

Source: IEEE Spectrum - July 2011

Page 9: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Case Study – an intelligent Hacker

• A stranger on the US Army computer, a few months after the World Trade Centre attacks:

• “I am Solo. Your computer security system is crap. I will continue and disrupt at the highest levels”.

• Solo scanned thousands of US government machines and discovered glaring security flaws

• From Feb 2001 to March 2002: Solo broke into hundreds of PCs in the Army, Navy, Air Force, NASA and US Department of Defense

• Surfed several months – copied files and passwords

• He brought down the US Army’s entire Washington D. C. network – took about 2000 computers for three days

• He installed a software, “remote anywhere”, in all machines and succeeded

• Alas!! Same software was discovered by Johnson Space Centre – place of purchase was traced and Solo was at last caught

• Solo’s real name is McKinnon from UK – is he intelligent ??

source: IEEE Spectrum July 2011, pp 27 - 31

Page 10: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Cryptography

RS-RNSIT 10

Two Categories:

1.Using Private Key (secret key)

2.Public Key – Each user has one pair of Public Key & Private Key

- both are good and being used

- but strength of Public Key Cryptography is better

Page 11: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan


Whitfield Diffie Martin Hellman

Pioneers of Public – Key Cryptography

Page 12: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

The Algorithms

• DES, RSA, AES, Diffie Hellman Key Exchange - but they were proved to be vulnerable to hackers’ attacks - in each case the strength is proved to be very good when the Encryption/Decryption Keys are long.

* With advances in technology, processors of higher and higher speed are brought out frequently

* So hackers are able to identify the key or break the code with little effort.

Page 13: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Three Important Points to Note

1. Security and practicality of a given cryptosystem:

- depends upon the difference in difficulty between doing a given operation and its inverse.

$y = f(x)$, $x = f^{-1}(y)$

2. The amount of effort (difficulty) depends on functions of key length

3. With longer key lengths – even legitimate forward operations get harder, and require greater resources (chip space and/or processor time), though by a lesser degree than do the inverse operations.

Page 14: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Large Key Size

$Y = KX$, Y – encrypted message of Plain Text Message “X” with Key K

$X = K^{-1}Y$ – Inverse operation must be difficult – larger the key more difficult

Page 15: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

April 10, 2023 Practical Aspects of Modern Cryptography

One-Way Functions

Two basic classes of one-way functions

• Mathematical

– Multiplication: $Z = X \cdot Y$

– Modular Exponentiation: $Z = Y^X \bmod N$

Page 16: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan


The Fundamental Equation

$Z = Y^X \bmod N$

When Z is unknown, it can be efficiently computed.

Page 17: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan


The Fundamental Equation

$Z = Y^X \bmod N$

When X is unknown, the problem is known as the discrete logarithm and is generally believed to be hard to solve.

Page 18: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan


The Fundamental Equation

$Z = Y^X \bmod N$

When Y is unknown, the problem is known as discrete root finding and is generally believed to be hard to solve.

Page 19: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan


Diffie-Hellman Key Exchange

Alice

• Randomly select a large integer $a$ and send $A = Y^a \bmod N$.

• Compute the key $K = B^a \bmod N$.

Bob

• Randomly select a large integer $b$ and send $B = Y^b \bmod N$.

• Compute the key $K = A^b \bmod N$.

$B^a = Y^{ba} = Y^{ab} = A^b$

Page 20: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan


Diffie-Hellman Key Exchange

What does Eve, the hacker, see?

$Y$, $Y^a$, $Y^b$

… but the exchanged key is $Y^{ab}$.

Belief: Given $Y$, $Y^a$, $Y^b$ it is difficult to compute $Y^{ab}$.

Contrast with discrete logarithm assumption: Given $Y$, $Y^a$ it is difficult to compute $a$.

Page 21: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Three Mathematical Problems

• The Three Secure Problems:

1. Integer Factorization Problem – RSA algorithm – $n = pq$ (p, q are prime nos.)

2. Finite Field Discrete Logarithm Problem

Primitive Root of a Prime No. “p”: If “a” is a primitive root of “p”, then the nos. $a \bmod p,\ a^2 \bmod p,\ a^3 \bmod p,\ \ldots,\ a^{p-1} \bmod p$ are distinct and consist of the integers 1 through p−1. Example: 2 is a primitive root of 11.

Discrete Logarithm: for any integer “b” and a primitive root “a” of prime no. p, $b \equiv a^i \pmod{p}$ where $0 \le i \le (p-1)$

“i” – discrete logarithm of “b” for the base a mod p

- represented as $\mathrm{dlog}_{a,p}$

Being Used in: Diffie-Hellman Key Exchange, ElGamal encryption

Page 22: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Three Mathematical Problems(contd.)

• 3. Elliptic Curve Discrete Logarithm Problem: (ECDL)

• To form a cryptographic system using elliptic curves we need to find a “hard problem”:

• Say $Q = kP$ where $Q, P \in E_p(a,b)$ and $k < p$

• It is relatively easy to calculate Q given k and P but is relatively hard to determine k given Q and P

* This is called Discrete Logarithm Problem for Elliptic Curves (DLPEC)

Page 23: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Problems with RSA & DH

• Majority of public-key crypto use either integer or polynomial arithmetic with very large numbers/polynomials

• Imposes a significant load in storing and processing keys and messages

• So the solution is “Go to Elliptic Curve Cryptography” - abbreviated as “ECC”

* ECC was introduced by Victor Miller and Neal Koblitz in 1985.

Page 24: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Using Elliptic Curves In Cryptography

• The central part of any cryptosystem involving elliptic curves is the elliptic group.

• All public-key cryptosystems have some underlying mathematical operation.

– RSA has exponentiation (raising the message or ciphertext to the public or private values)

– ECC has point multiplication (repeated addition of two points).

Page 25: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Diffie-Hellman Vs ECC

• Diffie-Hellman: Key exchange – multiplying pairs of non-zero integers modulo a prime no. “p”

• Keys generated by exponentiation over the group.

• Exponentiation defined by repeated multiplication

• Ex.: $a^k \bmod p = (a \times a \times a \times \cdots \times a) \bmod p$

• ECC: Operation over elliptic curves, by addition

• Multiplication through repeated addition

• Ex.: $a \times k = (a + a + a + \cdots + a)$, k times over the EC

• Cryptanalysis involves determining k given a and (a × k)

Page 26: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Evolution of Elliptic curves- Cubic Equations

• This is an equation of the form:

• $ax^3 + by^3 + cx^2y + dxy^2 + exy + fx + gy + h = 0$ with rational coefficients

• Weierstrass has shown that using appropriate transformations changing the coefficients, it becomes Weierstrass normal form as shown on next slide: $y^2 = x^3 + ax^2 + bx + c$

Assuming that roots are all distinct, it is called an Elliptic curve

* A simple form: $y^2 = x^3 + ax + b$

Page 27: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

ELLIPTIC CURVES - GENERALITY

An elliptic curve over $Z_{p^m}$, where p is a prime, is the set of points (x,y) satisfying the so-called Weierstrass equation

$y^2 + uxy + vy = x^3 + ax^2 + bx + c$

for some constants u,v,a,b,c together with a single element 0, called the point of infinity.

If p≠2 Weierstrass equation can be simplified by transformation

$y \to (y - ux - v)/2$

to get the equation

$y^2 = x^3 + dx^2 + ex + f$

for some constants d,e,f and if p≠3 by transformation

$x \to x - d/3$

to get equation

$y^2 = x^3 + fx + g$

Page 28: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Typical Elliptic Curves

• ECC- Variables and coefficients of the curves are restricted to elements of a finite field

• Two families of curves:

1. Prime curves over $Z_p$ (GF(p)) – uses cubic equation. p – a prime number

- variables and coefficients – take values in the set of integers from 0 through p-1

- calculations are performed “modulo p”

2. Binary curve – Defined over GF($2^m$)

- variables and coefficients – take values in GF($2^m$)

- calculations are performed over GF($2^m$)

Page 29: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Prime Elliptic Curves

• Please Note: Elliptic Curves are not ellipses!! An elliptic curve - an equation in two variables x & y, with coefficients

– $y^2 = x^3 + ax + b$ -- Eqn (1) – a Cubic curve where x,y,a,b are all real numbers

– So to plot this: $y = \sqrt{x^3 + ax + b}$

- For each x and for given values of a and b, y has both positive and negative values

- Set of points E(a,b) consisting of all points (x,y) that satisfy Eqn. (1) together

- Different values of (a,b) – different set E(a,b)

Page 30: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Real Elliptic Curve Examples


a = - 4 and b = 0.7

Page 31: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Three Mathematical Problems (contd)

• Example: (from Certicom): www.certicom.com

• Consider the equation, under the group $E_{23}(9,17)$:

$y^2 \bmod 23 = (x^3 + 9x + 17) \bmod 23$

• What is the discrete logarithm k of Q = (4,5) to the base P = (16,5), where Q = kP?

• Brute force Method: Compute multiples of P until Q is found

• P = (16,5), 2P = (20,20), ………, 9P = (4,5) = Q

• Therefore Discrete Logarithm k = 9

• Practical Case: k would be too large to be found

Page 32: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Example of an Elliptic Curve Group over $F_p$

• $y^2 = x^3 + ax + b$

• Example: An elliptic curve over the field $F_{23}$. With a = 1 and b = 0, the elliptic curve equation is: $y^2 = x^3 + x$. The point (9,5) satisfies this equation since:

$y^2 \bmod p = (x^3 + x) \bmod p$

$25 \bmod 23 = (729 + 9) \bmod 23$

$25 \bmod 23 = 738 \bmod 23$

$2 = 2$

Page 33: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Example of an Elliptic Curve Group over Fp (contd.)

• The 23 points which satisfy this equation are:

(0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5)

(13,18) (15,3) (15,20) (16,8) (16,15) (17,10) (17,13) (18,10)

(18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)

These points may be graphed as shown on next slide


Page 34: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Example of an Elliptic Curve Group over Fp (contd.)


Page 35: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Elliptic Curve Groups over $F_{2^n}$ (contd.)

• Elements of the field $F_{2^n}$ are n-bit strings.

• An elliptic curve with the underlying field $F_{2^n}$ is formed by choosing the elements a and b within $F_{2^n}$ (the only condition is that b is not 0).

• The elliptic curve equation is slightly adjusted for binary representation:

• $y^2 + xy = x^3 + ax^2 + b$

• An elliptic curve group over $F_{2^n}$ consists of the points on the corresponding elliptic curve, together with a point at infinity, O.

• There are finitely many points on such an elliptic curve.

Page 36: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Finite fields of the form GF($2^n$) (contd.)

• Computational considerations:

• A polynomial f(x) in GF($2^n$) is: $f(x) = a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1x + a_0$

- Uniquely represented by its ‘n’ coefficients $(a_{n-1}, a_{n-2}, \ldots, a_0)$, $a_i \in \{0,1\}$

Thus every polynomial in GF($2^n$) can be represented by an n-bit number

the coefficients and variables are in finite field

Addition: $\{a_{n-1}x^{n-1} + a_{n-2}x^{n-2} + \cdots + a_1x + a_0\} + \{b_{n-1}x^{n-1} + b_{n-2}x^{n-2} + \cdots + b_1x + b_0\}$

$= r_{n-1}x^{n-1} + r_{n-2}x^{n-2} + \cdots + r_1x + r_0$ with $r_i = (a_i + b_i) \bmod 2$

Page 37: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Finite fields of the form GF($2^n$) (contd.)

Field Reduction Polynomials

$F_{2^{113}}$: $f(x) = x^{113} + x^9 + 1$

$F_{2^{131}}$: $f(x) = x^{131} + x^8 + x^3 + x^2 + 1$

$F_{2^{163}}$: $f(x) = x^{163} + x^7 + x^6 + x^3 + 1$

$F_{2^{193}}$: $f(x) = x^{193} + x^{15} + 1$

$F_{2^{233}}$: $f(x) = x^{233} + x^{74} + 1$

$F_{2^{239}}$: $f(x) = x^{239} + x^{36} + 1$

$F_{2^{283}}$: $f(x) = x^{283} + x^{12} + x^7 + x^5 + 1$

$F_{2^{409}}$: $f(x) = x^{409} + x^{87} + 1$

$n \in \{113, 131, 163, 193, 233, 239, 283, 409, 571\}$

Page 38: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Elliptic Curve Groups over $F_{2^n}$

Elements of the field $F_{2^n}$ are n-bit strings.

The rules for arithmetic in $F_{2^n}$ are defined by polynomial representation

Example: Field $F_{2^4}$

$f(x) = x^4 + x + 1$

• generator g must satisfy the eqn. $f(g) = g^4 + g + 1 = 0$; i.e. $g^4 = g + 1$

The element g = (0010) is a generator for the field.

The powers of g are shown in next slide

In a true cryptographic application, the parameter n must be large enough to preclude the efficient generation of such a table otherwise the cryptosystem can be broken. In today's practice, n = 160 is a suitable choice.

Page 39: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Elliptic Curve Groups over $F_{2^n}$ (contd.)

$g^0$ = 0001   $g^4$ = 0011   $g^8$ = 0101   $g^{12}$ = 1111

$g^1$ = 0010   $g^5$ = 0110   $g^9$ = 1010   $g^{13}$ = 1101

$g^2$ = 0100   $g^6$ = 1100   $g^{10}$ = 0111   $g^{14}$ = 1001

$g^3$ = 1000   $g^7$ = 1011   $g^{11}$ = 1110   $g^{15}$ = 0001

Ex. $g^5 = (g^4)(g) = (g+1)g = g^2 + g = 0110$

$g^6 = g^4 \cdot g^2 = (g+1)g^2 = g^3 + g^2 = 1100$

Page 40: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Elliptic Curve Groups over $F_{2^n}$ (contd.)

• Going back to the Elliptic curve:

$y^2 + xy = x^3 + ax^2 + b$, setting $a = g^4$ and $b = 1$

- one point that satisfies this equation is $(g^5, g^3)$:

$(g^3)^2 + (g^5)(g^3) = (g^5)^3 + (g^4)(g^5)^2 + 1$

$g^6 + g^8 = g^{15} + g^{14} + 1$,

from the tables on the previous slide,

1100 + 0101 = 0001 + 1001 + 0001

1001 = 1001

Other points that satisfy this equation are shown on next slide
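The field arithmetic and the curve check above can be reproduced mechanically. The following is an added example, not code from the slides; the function names are chosen here, and it assumes the slide's reduction polynomial x^4 + x + 1, generator g = 0010 and curve coefficients a = g^4, b = 1.

```python
# Added example (not from the slides): arithmetic in F_{2^4} with f(x) = x^4 + x + 1.
# A field element is a 4-bit integer; bit i is the coefficient of x^i.
N = 4
F_POLY = 0b10011      # x^4 + x + 1, the reduction polynomial from the slide
G = 0b0010            # the generator g = (0010)

def gf_mul(u, v):
    """Multiply two field elements: shift-and-XOR, reducing by f(x) as we go."""
    r = 0
    while v:
        if v & 1:
            r ^= u                # addition in characteristic 2 is XOR
        u <<= 1
        if u >> N:                # degree reached 4: replace x^4 by x + 1
            u ^= F_POLY
        v >>= 1
    return r

def gf_pow(u, e):
    """u^e by repeated multiplication (fine for a 16-element field)."""
    r = 1
    for _ in range(e):
        r = gf_mul(r, u)
    return r

def power_table():
    """g^0 .. g^15 as 4-bit strings, i.e. the table of powers on the slide."""
    return [format(gf_pow(G, i), "04b") for i in range(16)]

def on_curve(x, y, a, b):
    """True if (x, y) satisfies y^2 + xy = x^3 + a*x^2 + b over F_{2^4}."""
    lhs = gf_mul(y, y) ^ gf_mul(x, y)
    rhs = gf_pow(x, 3) ^ gf_mul(a, gf_mul(x, x)) ^ b
    return lhs == rhs

def curve_points(a, b):
    """All affine points of the curve (the point at infinity O is not listed)."""
    return [(x, y) for x in range(16) for y in range(16) if on_curve(x, y, a, b)]

def as_power(v):
    """Write a field element as 0 or g^i, matching the slide's notation."""
    return "0" if v == 0 else f"g^{power_table().index(format(v, '04b'))}"

if __name__ == "__main__":
    tbl = power_table()
    for row in range(4):
        print("   ".join(f"g^{i:<2} = {tbl[i]}" for i in range(row, 16, 4)))
    a, b = gf_pow(G, 4), 1
    print("(g^5, g^3) on curve:", on_curve(gf_pow(G, 5), gf_pow(G, 3), a, b))
    pts = curve_points(a, b)
    print(len(pts), "affine points:",
          ", ".join(f"({as_power(x)}, {as_power(y)})" for x, y in pts))
```

With only 16 field elements the whole group can be listed by exhaustive search, which is exactly why n must be large in a real system.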

Page 41: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Elliptic Curve Groups over $F_{2^n}$ (contd.)

Page 42: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Adding Points P + Q on E

[Figure: points P, Q and R on E, and the sum P+Q]

Page 43: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Doubling a Point P on E

[Figure: point P, the tangent line to E at P, R, and 2*P]

Page 44: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Vertical Lines and an Extra Point at Infinity

Vertical lines have no third intersection point.

Add an extra point O “at infinity.” The point O lies on every vertical line.

[Figure: vertical line through P and Q = –P, with the point O]

Page 45: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Properties of “Addition” on E

Theorem: The addition law on E has the following properties:

a) $P + O = O + P = P$ for all $P \in E$.

b) $P + (-P) = O$ for all $P \in E$.

c) $(P + Q) + R = P + (Q + R)$ for all $P, Q, R \in E$.

d) $P + Q = Q + P$ for all $P, Q \in E$.

In other words, the addition law + makes the points of E into a commutative group.

All of the group properties are trivial to check except for the associative law (c). The associative law can be verified by a lengthy computation using explicit formulas, or by using more advanced algebraic or analytic methods.


Page 46: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

A Numerical Example

E : $Y^2 = X^3 - 5X + 8$

The point P = (1,2) is on the curve E.

Using the tangent line construction, we find that

2P = P + P = (-7/4, -27/8).

Using the secant line construction, we find that

3P = P + P + P = (553/121, -11950/1331)

Similarly, 4P = (45313/11664, 8655103/1259712).

As you can see, the coordinates become complicated.

Page 47: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Algebraic Description of Addition

• Calculation of Addition over elliptic curves: For two distinct points $P = (x_P, y_P)$ and $Q = (x_Q, y_Q)$ not negative to each other,

Slope of the line ‘l’ that joins them is: $\lambda = (y_Q - y_P)/(x_Q - x_P)$

• We can express R = P + Q as follows:

$x_R = \lambda^2 - x_P - x_Q$ ------------- Eqn 1

$y_R = -y_P + \lambda(x_P - x_R)$ ---- Eqn 2

• To add a point to itself, P + P = 2P = R, when $y_P \ne 0$, the expressions are:

$x_R = \{[3x_P^2 + a]/2y_P\}^2 - 2x_P$

$y_R = \{[3x_P^2 + a]/2y_P\}(x_P - x_R) - y_P$

Page 48: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Algebraic Description of Addition (contd.)

• Actually: $\lambda = (y_Q - y_P)/(x_Q - x_P) \bmod p$ if $P \ne Q$ and

$\lambda = \{[3x_P^2 + a]/2y_P\} \bmod p$ if P = Q

• Example: P = (3, 10) and Q = (9,7) in $E_{23}(1,1)$, i.e. $y^2 = x^3 + x + 1$

$\lambda = \frac{7-10}{9-3} \bmod 23 = 11$

$x_R = (11^2 - 3 - 9) \bmod 23 = 17$

$y_R = [11(3-17) - 10] \bmod 23 = 20$. So (P+Q) = (17,20)

• To find 2P = P + P:

$\lambda = [\{3(3^2) + 1\}/(2 \times 10)] \bmod 23 = (1/4) \bmod 23$

Multiplicative inverse of 4 under $Z_{23}$: $(1/4) \bmod 23 = 6$

[to check: $(6 \times 4) \bmod 23 = 1$]

with $x_P = x_Q = 3$ and $y_P = 10$ and substituting in Eqns 1 and 2 on last slide:

$x_R = (6^2 - 3 - 3) \bmod 23 = 30 \bmod 23 = 7$

$y_R = \{6(3-7) - 10\} \bmod 23 = (-34) \bmod 23 = 12$

the point corresponding to 2P = (7, 12)

Page 49: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

ECC Diffie-Hellman

• Can do key exchange analogous to D-H

• users select a suitable curve $E_p(a,b)$

• select base point $G = (x_1, y_1)$ with large order n s.t. nG = O

• “order, n” of a point G on an elliptic curve is the smallest +ve integer such that nG = O

• A & B select private keys $n_A < n$, $n_B < n$

• compute public keys: $P_A = n_A \times G$, $P_B = n_B \times G$

• compute shared key: $K = n_A \times P_B$, $K = n_B \times P_A$

– same since $K = n_A \times n_B \times G$

Page 50: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

ECC Encryption/Decryption

• Key Exchange between User A & B

• must first encode any message M as a point on the elliptic curve, $P_m$

• select suitable curve & point G as in D-H

• A chooses private key $n_A < n$

• and computes public key $P_A = n_A \times G$

• to encrypt $P_m$ to B: $C_m = \{kG,\ P_m + kP_B\}$, k random positive integer chosen by A

• decrypt $C_m$: B computes:

$P_m + kP_B - n_B(kG) = P_m + k(n_BG) - n_B(kG) = P_m$
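The group law over $F_p$, the brute-force discrete logarithm on $E_{23}(9,17)$, the ECC Diffie-Hellman exchange and the encryption/decryption rule from the preceding slides, as one added example (not code from the slides). Function names, the private keys 7 and 11, and the nonce k = 3 are constructed for illustration; the curves and points are the toy ones from the slides.

```python
# Added example (not from the slides): arithmetic on y^2 = x^3 + ax + b over F_p.
# Toy sizes only; a 23-element field offers no security.
O = None                                   # the point at infinity

def ec_add(P, Q, a, p):
    """P + Q on E_p(a, b); b does not appear in the addition formulas."""
    if P is O:
        return Q
    if Q is O:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                           # vertical line: Q = -P (covers y = 0)
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p         # secant slope
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_neg(P, p):
    """-P is the reflection of P in the x-axis."""
    return O if P is O else (P[0], -P[1] % p)

def ec_mul(k, P, a, p):
    """kP by double-and-add: about log2(k) doublings instead of k additions."""
    R = O
    while k > 0:
        if k & 1:
            R = ec_add(R, P, a, p)
        P = ec_add(P, P, a, p)
        k >>= 1
    return R

def brute_force_dlog(P, Q, a, p):
    """Smallest k >= 1 with kP = Q, walking P, 2P, 3P, ...; None if never reached.
    With Q = O this returns the order n of P."""
    k, R = 1, P
    while R != Q:
        if R is O:
            return None
        R = ec_add(R, P, a, p)
        k += 1
    return k

def ecdh_shared(priv, peer_pub, a, p):
    """K = n_A * P_B, which equals n_B * P_A."""
    return ec_mul(priv, peer_pub, a, p)

def encrypt_point(Pm, k, G, pub_B, a, p):
    """C_m = {kG, P_m + k*P_B}; k must be fresh and random for every message."""
    return ec_mul(k, G, a, p), ec_add(Pm, ec_mul(k, pub_B, a, p), a, p)

def decrypt_point(Cm, priv_B, a, p):
    """P_m = (P_m + k*P_B) - n_B*(kG)."""
    C1, C2 = Cm
    return ec_add(C2, ec_neg(ec_mul(priv_B, C1, a, p), p), a, p)

if __name__ == "__main__":
    print("P+Q on E23(1,1):", ec_add((3, 10), (9, 7), 1, 23))
    print("2P  on E23(1,1):", ec_add((3, 10), (3, 10), 1, 23))
    a, p, G = 9, 23, (16, 5)               # E23(9,17) and base point from the slide
    print("dlog of (4,5) to base (16,5):", brute_force_dlog(G, (4, 5), a, p))
    print("order n of G:", brute_force_dlog(G, O, a, p))
    nA, nB = 7, 11                         # constructed private keys
    PA, PB = ec_mul(nA, G, a, p), ec_mul(nB, G, a, p)
    print("shared key:", ecdh_shared(nA, PB, a, p), ecdh_shared(nB, PA, a, p))
    Cm = encrypt_point((4, 5), 3, G, PB, a, p)
    print("ciphertext:", Cm, "-> decrypted:", decrypt_point(Cm, nB, a, p))
```

The brute-force search takes at most n additions, so it finishes instantly here; the scheme relies on n being far too large for any such walk.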


Page 51: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Mapping Messages into Points of Elliptic Curves

• Problem and basic idea

• The problem of assigning messages to points on an elliptic curve is difficult because there are no polynomial-time algorithms to write down points of an arbitrary elliptic curve.

• Fortunately, there is a fast randomized algorithm, to assign points of any elliptic curve to messages, that can fail with probability that can be made arbitrarily small.

• Basic idea: Given an elliptic curve E (mod p), the problem is that not to every x there is a y such that (x,y) is a point of E.

• Given a message (number) m we therefore adjoin to m a few bits at the end of m and adjust them until we get a number x such that $x^3 + ax + b$ is a square mod p.

Page 52: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Mapping Messages into Points of Elliptic Curves (2)

• Let K be a large integer such that a failure rate of $1/2^K$ is acceptable when trying to encode a message by a point.

• For j from 0 to K verify whether for $x = mK + j$, $x^3 + ax + b \pmod{p}$ is a square (mod p) of an integer y.

• If such a j is found, encoding is done; if not the algorithm fails (with probability $1/2^K$ because $x^3 + ax + b$ is a square approximately half of the time).

• In order to recover the message m from the point (x,y), we compute:

$\lfloor x/K \rfloor$
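The encoding and recovery steps above, as an added example that is not code from the slides. The prime p = 10007, the curve $y^2 = x^3 + x + 1$, K = 20 and all function names are constructed for illustration; j runs over 0..K-1 so that the floor division recovers m exactly, and the square root shortcut assumes p ≡ 3 (mod 4).

```python
# Added example (not from the slides): probabilistic encoding of a number m as a
# curve point. Constructed toy parameters: p = 10007, y^2 = x^3 + x + 1, K = 20.
P_MOD, A, B, K = 10007, 1, 1, 20

def is_square(v, p):
    """Euler's criterion: v is a square mod an odd prime p iff v^((p-1)/2) is 0 or 1."""
    return pow(v, (p - 1) // 2, p) in (0, 1)

def sqrt_mod(v, p):
    """A square root of v for p = 3 (mod 4); the caller checks is_square first."""
    if p % 4 != 3:
        raise ValueError("this shortcut needs p = 3 (mod 4)")
    return pow(v, (p + 1) // 4, p)

def encode(m, a=A, b=B, p=P_MOD, k=K):
    """Try x = m*K + j for j = 0 .. K-1 until x^3 + ax + b is a square mod p.
    Returns the point (x, y), or None if all K candidates fail."""
    if m < 0 or (m + 1) * k > p:
        raise ValueError("message out of range for this p and K")
    for j in range(k):
        x = m * k + j
        rhs = (x * x * x + a * x + b) % p
        if is_square(rhs, p):
            return (x, sqrt_mod(rhs, p))
    return None                       # heuristically happens with probability 1/2^K

def decode(point, k=K):
    """Recover m = floor(x / K); the padding j is discarded."""
    return point[0] // k

def on_curve(point, a=A, b=B, p=P_MOD):
    """True if the point satisfies y^2 = x^3 + ax + b (mod p)."""
    x, y = point
    return (y * y - (x * x * x + a * x + b)) % p == 0

if __name__ == "__main__":
    for m in (0, 123, 499):           # constructed sample messages
        pt = encode(m)
        print(f"m = {m:3d} -> point {pt}, j = {pt[0] - m * K}, decoded {decode(pt)}")
```

The usable message space shrinks by the factor K: with these parameters only m < 500 fits below p.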

Page 53: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Elliptic Curve Digital Signature Algorithm (ECDSA)

• Proposed by Abdalla, Bellare and Rogaway in 1999.

• Entity A has domain parameters D = (q, a, b, G, n, h) and public key $Q_A$ and private key $d_A$. And entity B has authentic copies of D and $Q_A$.

To sign a message m, A does the following:

• Select a random integer k from [1, n-1].

• Compute $kG = (x_1, y_1)$ and $r = x_1 \bmod n$. If r = 0 then go to step 1.

• Compute $k^{-1} \bmod n$. Compute e = SHA-1(m).

• Compute $s = k^{-1}\{e + d_A \cdot r\} \bmod n$.

If s = 0 then go to step 1.

A's signature for the message m is (r, s).

Page 54: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Elliptic Curve Digital Signature Algorithm (ECDSA)

To verify A's signature (r, s) on m, B performs the following steps:

Verify that r and s are integers in [1, n-1].

• Compute e = SHA-1(m).

• Compute $w = s^{-1} \bmod n$.

• Compute $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$.

• Compute $(x_1, y_1) = u_1G + u_2Q_A$

• Compute $v = x_1 \bmod n$.

• Accept the signature if and only if v = r.

SHA-1 denotes the 160-bit hash function

Page 55: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Elliptic Curve Authenticated Encryption Scheme (ECAES)

Analogue of the DSA, proposed by Scott Vanstone in 1992.

To encrypt a message m for B, A performs:

• Select a random integer r from [1, n-1].

• Compute R = rG.

• Compute $K = hrQ_B = (K_X, K_Y)$. Check that $K \ne O$.

• Compute $k_1 \| k_2 = \mathrm{KDF}(K_X)$.

• Compute $c = \mathrm{ENC}(k_1, m)$. Compute $t = \mathrm{MAC}(k_2, c)$.

• Send (R; c; t) to B.

ENC a symmetric encryption scheme such as Triple-DES

MAC denotes a message authentication code (MAC) algorithm “RFC 2104”; KDF a key derivation function

Page 56: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Elliptic Curve Authenticated Encryption Scheme (ECAES)

To decrypt a ciphertext (R; c; t), B does:

• Perform a partial key validation on R.

• Compute $K = hd_BR = (K_X, K_Y)$. Check that $K \ne O$.

• Compute $k_1 \| k_2 = \mathrm{KDF}(K_X)$.

• Verify that $t = \mathrm{MAC}(k_2, c)$.

• Compute $m = \mathrm{ENC}^{-1}(k_1, c)$.

Page 57: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Why use ECC?

• How do we analyze Cryptosystems?

– How difficult is the underlying problem that it is based upon

• RSA – Integer Factorization

• DH – Discrete Logarithms

• ECC - Elliptic Curve Discrete Logarithm problem

– How do we measure difficulty?

• We examine the algorithms used to solve these problems

Page 58: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan

Advantages of ECC

Hence, ECC offers equivalent security with much smaller key size.

Practical advantages of ECC:

1. Faster

2. Low power consumption

3. Low memory usage

4. Low CPU utilization

5. Benefits over its competitors increase with increase in the security needs.

Page 59: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan


Key References

• Papers:

– J. Lopez and R. Dahab, “Fast Multiplication on Elliptic Curves over GF($2^m$) without pre-computation”, CHES 1999

– K. Fong et al., “Field Inversion and Point Halving Revisited”, IEEE Trans on Comp, 2004

– G. Orlando and C. Paar, “A High Performance Reconfigurable Elliptic Curve Processor for GF($2^m$)”, CHES 2000

– N. A. Saqib et al., “A Parallel Architecture for Fast Computation of Elliptic Curve Scalar Multiplication over GF($2^m$)”, Elsevier Journal of Microprocessors and Microsystems, 2004

– Sabiel Mercurio et al., “An FPGA Arithmetic Logic Unit for Computing Scalar Multiplication using the Half-and-Add Method”, IEEE ReConfig 2005

Page 60: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan


Key References

• Books:

– Elliptic Curves: Number Theory and Cryptography, by Lawrence C. Washington

– Guide to Elliptic Curve Cryptography, Alfred J. Menezes

– Guide to Elliptic Curve Cryptography, Darrel R. Hankerson, A. Menezes and A. Vanstone

– http://cr.yp.to/ecdh.html (Daniel Bernstein)

Page 61: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan


Additional References :

• An Overview of Elliptic Curve Cryptography by Julio Lopez and Richard Dahab May 2000. http://citeseer.ist.psu.edu/lop00overview.html

• M. Abdalla, M. Bellare and P. Rogaway. “DHAES: An encryption scheme on the Diffie- Hellman problem”, preprint 1999. http://www-cse.ucsd.edu/users/mihir /

• www.rsasecurity.com

• http://www.certicom.com/index.php?action=res,ecc_faq

• http://cgd.best.vwh.net/home/flt/flt03.htm

• http://mathworld.wolfram.com/EllipticCurve.html

Page 62: Mathematics Towards Elliptic Curve Cryptography-by Dr. R.Srinivasan


Thank You !