Lecture - 25th February 2002 Elliptic Curves 1 Joseph Spring Department of Computer Science MSc - Distributed Systems and Security


Areas for Discussion

• Motivation

• Elliptic Curves

• Elliptic Curves over Finite Fields

• Cryptography with Elliptic Curves

• Security of ECC


Motivation

• Majority of products/standards using public key cryptography for encryption and digital signatures use RSA

• Bit length for secure RSA however, has increased in recent years putting heavier processing loads on applications that use RSA

• This has had subsequent consequences for e-commerce sites that carry out a lot of secure transactions


Motivation

• Elliptic Curve Cryptography (ECC) is a recent development in the field of public key systems - a new challenger to RSA

• ECC already appears in Standardisation documents
  – e.g. IEEE P1363 Standard for Public Key Cryptography


Motivation

• Attraction
  – ECC appears to offer the same security for far smaller bit size - thus reducing processing time
  – Theory for ECC longstanding

• Concern lies in
  – ECC products are a recent innovation
  – Sustained cryptanalytic interest looking for weaknesses in ECC is recent
  – Hence, confidence in ECC not yet as high as in RSA


Diophantine Equations

• Elliptic curves belong to a class of equations known as Diophantine Equations which are polynomial equations in one or more variables for which we seek either integer or rational solutions

• For example:

  $X^2 + Y^2 = Z^2$    Pythagorean Triples
  $x^4 + y^4 = z^4$    Fermat's equation of degree 4
  $x^2 - Dy^2 = 1$    Pell's Equation (D being a non square integer)


Elliptic Curves - Form of Equation

• In general Elliptic Curves are of the form:

  $y^2 + axy + by = x^3 + cx^2 + dx + e$

  where a, b, c and d are real numbers satisfying some simple conditions

• Included in the definition of any elliptic curve is an element 0 referred to as the point at infinity or the zero point

• Such equations are said to be cubic or of order 3
  – the highest power they contain is a 3


Elliptic Curves - Form of Equation

Examples

  1  $y^2 = x^3 - x$
  2  $y^2 = x^3 + x + 1$

(see p194 in course text for graphs of examples)

Sketch the following elliptic curves:

  1  $y^2 = x^3 + 17$
  2  $y^2 = x^3 + x$
  3  $y^2 = x^3 - 4x^2 + 16$

Elliptic Curves - Sketch/Graphs

[Figures: sketches/graphs of elliptic curves]

Elliptic Curves - Graphs

Note

• Elliptic curves are not Ellipses
  – the graph of an ellipse looks like a flattened circle
  – equations for an elliptic curve are similar to those used to calculate the circumference of an ellipse


Elliptic Curves - Addition

A form of addition may be defined upon ‘the set of points on an Elliptic curve E’ such that an Abelian Group (E,+) results.

We begin with the following definition:

Definition
If three points lie on an elliptic curve E and at the same time also lie on a straight line then their sum is DEFINED to be ‘0’ the point at infinity or zero point (see pp 193-195 of course text)


Elliptic Curves - Addition

• 0 is referred to as the additive identity. So

  0 = -0 and in particular P + 0 = P

  for all points P lying on the Elliptic curve E

• A vertical line meets the elliptic curve E at two points P1 = (x, y) and P2 = (x, -y) with the same x co-ordinate. It also meets the curve at the infinity point 0. Hence

  P1 + P2 + 0 = 0 and P1 = -P2

So the negative of a point is a point with the same x co-ordinate but negative y co-ordinate


Elliptic Curves - Addition

• The addition of two points with different x co-ordinates may now be defined:

Case 1: Q ≠ R, straight line non-tangential
Draw a straight line between points Q and R. The straight line intersects the Elliptic Curve E again at the point P1.

Case 2: Q ≠ R, straight line tangential at Q
In this case we take P1 = Q

Case 3: Q ≠ R, straight line tangential at R
In this case we take P1 = R


Elliptic Curves - Addition

In each of Cases 1, 2 and 3 it follows that

  Q + R + P1 = 0

and hence that

  Q + R = -P1

(See p 194 for the construction)

Note:
To double a point Q we simply draw the tangent to the Elliptic curve E at Q and find the third point S. Then:

  Q + Q = 2Q = -S


Elliptic Curves - Addition

Now that we have a construction allowing us to add any two points on an Elliptic curve E we can investigate the
  – Associative and Commutative Properties of Addition

As mentioned earlier it transpires that the points on an Elliptic curve form an Abelian group - the properties of which follow on the next slide:


Elliptic Curves - Addition Properties

Let E be an Elliptic Curve; Q, -Q, R and S be points on E; and 0 be the point at infinity / zero point

1 Identity Law
  Q + 0 = 0 + Q = Q (additive identity)

2 Commutative Law
  Q + R = R + Q

3 Associative Law
  Q + (R + S) = (Q + R) + S

4 Inverse Law
  Q + (-Q) = (-Q) + Q = 0 (additive inverse)
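
The chord-and-tangent construction and the four laws above, worked numerically as an added example (not part of the original slides). It assumes the short form y^2 = x^3 + A*x + B, a special case of the general cubic, on the curve y^2 = x^3 + 17 with exact rational arithmetic; the function names and sample points are illustrative.

```python
from fractions import Fraction as F

A, B = F(0), F(17)   # assumed short form y^2 = x^3 + A*x + B; here y^2 = x^3 + 17
O = None             # the point at infinity / zero point "0"

def on_curve(P):
    if P is O:
        return True
    x, y = P
    return y * y == x**3 + A * x + B

def neg(P):
    # Same x co-ordinate, negated y co-ordinate; -0 = 0.
    return O if P is O else (P[0], -P[1])

def third_point(Q, R):
    """Third intersection P1 of the line through Q and R (the tangent if Q == R)."""
    (x1, y1), (x2, y2) = Q, R
    if Q == R:
        m = (3 * x1 * x1 + A) / (2 * y1)   # tangent slope, from 2y dy = (3x^2 + A) dx
    else:
        m = (y2 - y1) / (x2 - x1)          # chord slope
    x3 = m * m - x1 - x2                   # the three x-roots on the line sum to m^2
    return (x3, y1 + m * (x3 - x1))

def add(Q, R):
    """Q + R, defined by Q + R + P1 = 0, i.e. Q + R = -P1."""
    if Q is O:
        return R
    if R is O:
        return Q
    if Q[0] == R[0] and (Q != R or Q[1] == 0):
        return O                           # vertical line: P1 + P2 + 0 = 0
    return neg(third_point(Q, R))

def pt(x, y):
    return (F(x), F(y))

# Constructed sample points, each satisfying y^2 = x^3 + 17.
Q, R, S = pt(-2, 3), pt(-1, 4), pt(2, 5)

if __name__ == "__main__":
    print("Q + R =", add(Q, R))
    print("2Q    =", add(Q, Q))
    print("(Q + R) + S == Q + (R + S):", add(add(Q, R), S) == add(Q, add(R, S)))
```

Checking the laws on a handful of points illustrates them but does not prove them; associativity in particular needs the general argument.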


Elliptic Curves - Question

For next Lecture:

1 Using the construction shown above and on pp 193 - 195 of the course text book show that the points of an Elliptic Curve form an Abelian Group

2 What is the significance of an Abelian Group in Public Key Cryptography?


Summary

• Motivation

• Elliptic Curves

• Elliptic Curves over Finite Fields

• Cryptography with Elliptic Curves

• Security of ECC


References

• William Stallings: Cryptography and Network Security

• Jan C A Van Der Lubbe: Basic Methods of Cryptography

• Joseph H Silverman: A Friendly Introduction to Number Theory

• Douglas R Stinson: Cryptography - Theory and Practice

• N Koblitz: A Course in Number Theory and Cryptography