Elliptic Curve Cryptography By Krishan Swarup Gupta

Introduction

• ECC was introduced by Victor Miller and Neal Koblitz in 1985.

• DSA and RSA need larger key lengths.

• ECC requires a significantly smaller key size for the same level of security.

• Benefits of smaller key sizes: faster computations and less storage space.

• ECC is ideal for constrained environments: pagers, PDAs, cellular phones, smart cards.

Group

A group is an algebraic system consisting of a set G together with a binary operation * defined on G satisfying the following axioms:

1. Closure : for all x, y in G we have $x * y \in G$

2. Associativity : for all x,y and z in G we have (x * y) * z = x * (y * z)

3. Identity : there exists an e in G such that x * e = e * x = x for all x

4. Inverse : for all x in G there exists y in G such that x * y = y * x = e

In addition if for x, y in G we have x * y = y * x then we say that group G is abelian.

Finite Field

A finite field is an algebraic system consisting of a set F together with two binary operations + and * defined on F satisfying the following axioms:

1. F is an abelian group with respect to +.

2. F \ {0} is an abelian group with respect to *.

3. For all x, y and z in F we have x * (y + z) = (x * y) + (x * z) and (x + y) * z = (x * z) + (y * z)

The order of the finite field is the number of elements in the field.

Galois Field GF(p)

It is a finite field consisting of the set of integers $\{0, 1, 2, 3, \ldots, p-1\}$ where p is a prime number. It has the following arithmetic operations:

1. Addition : if $a, b \in GF(p)$, then a + b = r where r is the remainder of the division of a + b by p and $0 \le r \le p-1$. This operation is called addition modulo p.

2. Multiplication : if $a, b \in GF(p)$, then a . b = s where s is the remainder of the division of a . b by p and $0 \le s \le p-1$. This operation is called multiplication modulo p.

Galois Field $GF(2^m)$

It is a finite field and is called a binary finite field. It is a vector space of dimension m over GF(2), i.e. there exists a set of m elements $\{\alpha_{m-1}, \ldots, \alpha_1, \alpha_0\}$, each $\alpha_i \in \{0,1\}$, in $GF(2^m)$ such that for each $a \in GF(2^m)$

$a = \alpha_{m-1}x^{m-1} + \cdots + \alpha_1 x + \alpha_0$

It has the following arithmetic operations, for $a = \{a_{m-1}, \ldots, a_1, a_0\}$ and $b = \{b_{m-1}, \ldots, b_1, b_0\} \in GF(2^m)$:

• Addition : $a + b = c = \{c_{m-1}, \ldots, c_1, c_0\}$ where $c_i = (a_i + b_i) \bmod 2$. $c \in GF(2^m)$

• Multiplication : $a \cdot b = c = \{c_{m-1}, \ldots, c_1, c_0\}$ where c is the remainder of the division of the polynomial $a(x) \cdot b(x)$ by an irreducible polynomial of degree m. $c \in GF(2^m)$
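
The addition and multiplication rules above, as an added Python example (not part of the original slides). It assumes the toy field GF(2^4) with x^4 + x + 1 as the irreducible polynomial, and uses the reducible x^4 + 1 to show that the nonzero elements then no longer form a group under multiplication; all names are chosen for this example.

```python
M = 4                     # toy field GF(2^4); an element is an m-bit integer, bit i = a_i
IRREDUCIBLE = 0b10011     # x^4 + x + 1 (assumed choice for this example)
REDUCIBLE = 0b10001       # x^4 + 1 = (x + 1)^4, used only to show the failure

def gf_add(a, b):
    return a ^ b          # c_i = (a_i + b_i) mod 2, no carries between bits

def gf_mul(a, b, modulus=IRREDUCIBLE):
    """Multiply a(x) * b(x) and keep the remainder modulo `modulus`."""
    c = 0
    while b:
        if b & 1:
            c ^= a        # add the current shifted copy of a(x)
        a <<= 1           # a(x) * x
        if a >> M:        # degree reached m: reduce by XORing the modulus
            a ^= modulus
        b >>= 1
    return c

def non_invertible(modulus):
    """Nonzero elements that have no multiplicative inverse under `modulus`."""
    elems = range(1, 1 << M)
    return [a for a in elems if all(gf_mul(a, b, modulus) != 1 for b in elems)]
```

With the irreducible modulus `non_invertible` returns an empty list, so axiom 2 of the finite field definition holds; with the reducible one it does not.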

Elliptic Curve over GF(p)

Let GF(p) be a finite field, p > 3, and let $a, b \in GF(p)$ be constants such that

$4a^3 + 27b^2 \not\equiv 0 \pmod{p}$.

An elliptic curve, E(a,b)(GF(p)), is defined as the set of points $(x, y) \in GF(p) \times GF(p)$ which satisfy the equation

$y^2 \equiv x^3 + ax + b \pmod{p}$

together with a special point, O, called the point at infinity.

Elliptic Curve over GF(p)

Let P and Q be two points on E(a,b)(GF(p)) and let O be the point at infinity.

• P + O = O + P = P

• If $P = (x_1, y_1)$ then $-P = (x_1, -y_1)$ and P + (-P) = O.

• If $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, and P and Q are not O, then $P + Q = (x_3, y_3)$ where

$x_3 = \lambda^2 - x_1 - x_2$

$y_3 = \lambda(x_1 - x_3) - y_1$

and

$\lambda = (y_2 - y_1)/(x_2 - x_1)$ if P ≠ Q

$\lambda = (3x_1^2 + a)/(2y_1)$ if P = Q

Elliptic Curve over $GF(2^m)$ for some $m \ge 1$

• An elliptic curve $E(a,b)(GF(2^m))$ is defined to be the set of points $(x, y) \in GF(2^m) \times GF(2^m)$ which satisfy the equation

$y^2 + xy = x^3 + ax^2 + b$,

where $a, b \in GF(2^m)$ and $b \ne 0$, together with the point on the curve at infinity, O.

• The points on an elliptic curve form an abelian group under a well-defined group operation. The identity of the group operation is the point O.

Elliptic Curve over $GF(2^m)$ for some $m \ge 1$

Let P and Q be two points on $E(a,b)(GF(2^m))$ and let O be the point at infinity.

• P + O = O + P = P

• If $P = (x_1, y_1)$ then $-P = (x_1, -y_1)$ and P + (-P) = O.

• If $P = (x_1, y_1)$ and $Q = (x_2, y_2)$, and P and Q are not O, then $P + Q = (x_3, y_3)$, where

$y_3 = \lambda(x_1 + x_3) + x_3 + y_1$

and

$\lambda = (y_1 + y_2)/(x_1 + x_2)$ if P ≠ Q

$\lambda = (x_1 y_1 + x_1)/y_1$ if P = Q

ECC Domain Parameters

ECC domain parameters over GF(q) are a sextuple:

T = (q, a, b, G, n, h)

• q = p or $q = 2^m$

• a and b $\in GF(q)$:

$y^2 \equiv x^3 + ax + b \pmod{p}$ for q = p > 3

$y^2 + xy = x^3 + ax^2 + b$ for $q = 2^m$, $m \ge 1$

• a base point $G = (x_G, y_G)$ on E(a,b)(GF(q)),

• a prime n which is the order of G

(The order of a point P on an elliptic curve is the smallest positive integer r such that rP = O.)

• h = #E/n, where #E represents the number of points on the elliptic curve and is called the curve order.

ECC Key Generation

A public key $Q = (x_Q, y_Q)$ associated with the domain parameters (q, a, b, G, n, h) is generated for an entity A using the following procedure:

• Select a random or pseudo-random integer d in the interval [1,n-1].

• Compute Q = dG.

• A's public key is Q; A's private key is d.

ECC Key Validation

A public key $Q = (x_Q, y_Q)$ associated with the domain parameters (q, a, b, G, n, h) is validated for an entity A using the following procedure:

• Check that Q ≠ O.

• Check that $x_Q$ and $y_Q$ are properly represented elements of GF(q).

• Check that Q lies on the elliptic curve defined by a and b.

• Check that nQ = O.

Elliptic Curve Digital Signature Algorithm (ECDSA)

• Proposed by Abdalla, Bellare and Rogaway in 1999.

• Entity A has domain parameters D = (q, a, b, G, n, h), public key $Q_A$ and private key $d_A$. Entity B has authentic copies of D and $Q_A$.

To sign a message m, A does the following:

1. Select a random integer k from [1, n-1].

2. Compute $kG = (x_1, y_1)$ and $r = x_1 \bmod n$. If r = 0 then go to step 1.

3. Compute $k^{-1} \bmod n$. Compute e = SHA-1(m).

4. Compute $s = k^{-1}(e + d_A \cdot r) \bmod n$. If s = 0 then go to step 1.

A's signature for the message m is (r, s).

Elliptic Curve Digital Signature Algorithm (ECDSA)

To verify A's signature (r, s) on m, B performs the following steps:

• Verify that r and s are integers in [1, n-1].

• Compute e = SHA-1(m).

• Compute $w = s^{-1} \bmod n$.

• Compute $u_1 = ew \bmod n$ and $u_2 = rw \bmod n$.

• Compute $(x_1, y_1) = u_1 G + u_2 Q_A$.

• Compute $v = x_1 \bmod n$.

• Accept the signature if and only if v = r.

SHA-1 denotes the 160-bit hash function.
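
An added Python example (not from the original slides) that carries the GF(p) group law, key generation, key validation and the ECDSA signing and verification steps through on one toy curve. The domain parameters (y^2 = x^3 + 2x + 2 over GF(17), G = (5, 1), n = 19, h = 1) and all function names are assumptions of this example, and SHA-1 appears only because the slides specify it.

```python
import hashlib, secrets

# Toy domain parameters assumed for this example (far too small for real use):
# y^2 = x^3 + 2x + 2 over GF(17), base point G = (5, 1) of prime order n = 19.
P, A, B, G, N, O = 17, 2, 2, (5, 1), 19, None   # O is the point at infinity

def add(p1, p2):
    if p1 is O or p2 is O:
        return p1 or p2                         # P + O = O + P = P
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return O                                # P + (-P) = O
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P         # tangent (P = Q) or chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    acc = O                                     # double-and-add, not constant time
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def keygen():
    d = secrets.randbelow(N - 1) + 1            # private key d in [1, n-1]
    return d, mul(d, G)                         # public key Q = dG

def validate(q):    # Q != O, x and y in GF(p), Q on the curve, nQ = O
    if q is O or not all(0 <= c < P for c in q):
        return False
    return (q[1] ** 2 - q[0] ** 3 - A * q[0] - B) % P == 0 and mul(N, q) is O

def sha1_int(m):
    return int.from_bytes(hashlib.sha1(m).digest(), "big")

def sign(d, m):
    while True:                                 # retry when r = 0 or s = 0
        k = secrets.randbelow(N - 1) + 1        # fresh secret k for every signature
        r = mul(k, G)[0] % N
        s = pow(k, -1, N) * (sha1_int(m) + d * r) % N
        if r and s:
            return r, s

def verify(q, m, r, s):
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    pt = add(mul(sha1_int(m) * w % N, G), mul(r * w % N, q))
    return pt is not O and pt[0] % N == r
```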

Elliptic Curve Authenticated Encryption Scheme (ECAES)

Analogue of the DSA, proposed by Scott Vanstone in 1992.

To encrypt a message m for B, A performs:

• Select a random integer r from [1, n-1].

• Compute R = rG.

• Compute $K = hrQ_B = (K_X, K_Y)$. Check that K ≠ O.

• Compute $k_1 \| k_2 = KDF(K_X)$.

• Compute $c = ENC(k_1, m)$. Compute $t = MAC(k_2, c)$.

• Send (R; c; t) to B.

ENC denotes a symmetric encryption scheme such as Triple-DES; MAC denotes a message authentication code (MAC) algorithm (“RFC 2104”); KDF denotes a key derivation function.

Elliptic Curve Authenticated Encryption Scheme (ECAES)

To decrypt a ciphertext (R; c; t), B does:

• Perform a partial key validation on R.

• Compute $K = hd_BR = (K_X, K_Y)$. Check that K ≠ O.

• Compute $k_1 \| k_2 = KDF(K_X)$.

• Verify that $t = MAC(k_2, c)$.

• Compute $m = ENC^{-1}(k_1, c)$.

ECC, DSA and RSA key length comparisons done by Lopez and Dahab in May 2000.

Elliptic Curve Cryptography provides added security over DSA/RSA.

References:

• Julio Lopez and Richard Dahab. “An Overview of Elliptic Curve Cryptography”, May 2000. http://citeseer.ist.psu.edu/lop00overview.html

• M. Abdalla, M. Bellare and P. Rogaway. “DHAES: An encryption scheme on the Diffie-Hellman problem”, preprint 1999. http://www-cse.ucsd.edu/users/mihir/

• www.rsasecurity.com

• http://www.certicom.com/index.php?action=res,ecc_faq

• http://cgd.best.vwh.net/home/flt/flt03.htm

• http://mathworld.wolfram.com/EllipticCurve.html