Elliptic Curve Cryptography
Shane Almeida, Saqib Awan, Dan Palacio


Elliptic Curve Cryptography

Shane Almeida

Saqib Awan

Dan Palacio

Outline

Background

Performance

Application

Elliptic Curve Cryptography

Relatively new approach to asymmetric cryptography

Independently proposed by Neal Koblitz and Victor Miller in 1985

Asymmetric Cryptosystems

Two mathematically related keys
  Public key for encryption
  Private key for decryption

Private key cannot be easily deduced from the public key
  Security depends on a mathematical function whose inverse is difficult to calculate

Asymmetric Approaches

RSA
  Integer multiplication and factorization

Diffie-Hellman
  Discrete exponentiation and logarithm

Elliptic Curve Cryptography
  Point multiplication and discrete logarithm

Elliptic Curves

Elliptic curves are not ellipses (the name comes from elliptic integrals)

Circle: $x^2 + y^2 = r^2$

Ellipse: $a \cdot x^2 + b \cdot y^2 = c$

Elliptic curve: $y^2 = x^3 + a \cdot x + b$

Elliptic Curves Over Real Numbers

An elliptic curve over reals is the set of points (x, y) which satisfy the equation $y^2 = x^3 + a \cdot x + b$, where x, y, a, and b are real numbers

If $4 \cdot a^3 + 27 \cdot b^2$ is not 0 (i.e. $x^3 + a \cdot x + b$ contains no repeated factors), then the elliptic curve can be used to form a group

An elliptic curve group consists of the points on the curve and a special point O

Elliptic curves are additive groups
  Addition can be defined geometrically or algebraically

Adding Points P and Q

Draw a line that intersects distinct points P and Q

The line will intersect a third point -R

Draw a vertical line through point -R

The line will intersect a fourth point R

Point R is defined as the summation of points P and Q

R = P + Q

Adding Points P and -P

Draw a line that intersects points P and -P
  The line will not intersect a third point

For this reason, elliptic curves include O, a point at infinity
  P + (-P) = O
  O is the additive identity

Doubling the Point P

Draw a line tangent to point P

The line will intersect a second point -R

Draw a vertical line through point -R

The line will intersect a third point R

Point R is defined as the summation of point P with itself

R = 2·P

Doubling the Point P if $y_P = 0$

Draw a line tangent to point P
  If $y_P = 0$, the line will not intersect a second point

2·P = O when $y_P = 0$
  3·P = P (2·P + P)
  4·P = O (2·P + 2·P)
  5·P = P (2·P + 2·P + P)

Algebraic Approach

Point Addition
  R = P + Q
  $s = (y_P - y_Q) / (x_P - x_Q)$
  $x_R = s^2 - x_P - x_Q$
  $y_R = -y_P + s(x_P - x_R)$

Point Doubling
  R = 2·P
  $s = (3 \cdot x_P^2 + a) / (2 \cdot y_P)$
  $x_R = s^2 - 2 \cdot x_P$
  $y_R = -y_P + s(x_P - x_R)$

Cryptography with Elliptic Curves

Calculations with real numbers are slow and rounding causes inaccuracy

Speed and accuracy are important for cryptography

Use elliptic curve groups over the finite field $F_p$ *

Elliptic curves are formed by choosing a and b within the field $F_p$
  $y^2 \bmod p = x^3 + a \cdot x + b \bmod p$

* can also use $F_{2^m}$, but I’m skipping it

Cryptography with Elliptic Curves

Because it’s a finite field, a finite number of points make up the curve
  This means there is no true curve anymore
  But also no more rounding

Geometric definitions of addition and doubling don’t work on these curves

Algebraic definitions still hold

The Discrete Logarithm Problem

The discrete logarithm problem for ECC is the inverse of point multiplication

Point multiplication is simply calculating Q = kP, where k is an integer and P is a point on the curve

Elliptic Curve Discrete Logarithm

Given points P and Q, find a number k such that k·P = Q
  P is the base point on a specific, published curve
  Q is the public key
  k is the private key (very large prime number)

With doubling, we can go from P to 2·P

With addition, we can go from 2·P to 3·P

The Discrete Logarithm Problem

Determining the point k·P in this way is referred to as the scalar multiplication of a point

Scalar multiplication is intractable
  Elliptic Curve Discrete Logarithm Problem
  k is the discrete logarithm of Q to the base P

Brute force attacks range up to $3 \times 10^{57}$ operations by a stepping process
  Applies to NIST-defined P192 curve

Attacking ECC

ECC is not susceptible to index-calculus attacks
  Index-calculus relies on group properties that ECC groups do not have

Brute force does not fare well either as shown

Best possible way is a ‘collision attack’ known as Pollard’s rho attack
  As field size increases, the attack becomes harder at an exponential rate

Security Performance

Implementation allows for a significant reduction in key size
  ECC key of 163 bits is equivalent to RSA key of 1024 bits
  ECC key of 256 bits is equivalent to RSA key of 3072 bits

ECC’s main advantage: as key length increases, so does the difficulty of the inversion process

Performance Analysis - Speed

ECC performance is dependent on field operations

Arithmetic involved in ECC
  Algorithmic Level (addition and subtraction chains)
  Curve Arithmetic Level (selection of coordinate representation)
  Field Arithmetic Level (basis selection, multiplier and inverter structures)

Performance Analysis - Speed

How can ECC performance increase?
  Increase efficiency of finite field mathematics

The performance of ECC relies heavily on the speed of the computations in the finite field

Use particular finite fields and elliptic curves where applicable

Implementing the right field representation

Representations

Types of representations for elements in a finite field
  Normal Basis
    Takes the form $\{1, \alpha, \alpha^2, \ldots, \alpha^{n-1}\}$
    Type I and Type II representations optimized for N
  Polynomial Basis
    Takes the form $\{\alpha, \alpha^2, \alpha^{2^2}, \ldots, \alpha^{2^{n-1}}\}$

$\alpha$ is a root of an irreducible polynomial f(x) that has a degree N in a field

Which is better?

PB does inversion 10% faster

NB does scalar multiplication 12% faster

Both perform basic addition and subtraction efficiently

Performance depends on implementation
  Ex. ElGamal protocol - encryption using EC runs 22% faster when combined with NB rather than PB
  Using other protocols may show different results as well

Performance is also related to hardware design

Performance Comparison

Key sizes for EC using PB are 155 and 183 respectively

Key sizes for EC using NB are 155 and 173 respectively

Implementing Efficient ECC For Smart Cards (ECDSA)

Presented By: Saqib Awan

Elliptic Curve Cryptosystems (ECC)

Merits:
  A 160 bit ECC has roughly the same security as 1024 bit RSA.
  Limited memory and computational power.

Purpose:
  Algorithms to achieve optimized implementation of the ECDSA over the field GF(p) on smart cards.
  Algorithms for modular reduction, modular inversion and scalar multiplication.

Discrete Logarithm Problem

Based on the difficulty of elliptic curve discrete logarithm problem (DLP).

DLP applies to mathematical structures called groups.

For higher security, the rate of increase in key size is much slower than for RSA key sizes.

Faster implementation using less bandwidth and power - crucial for smart cards.

IEEE Std 1363-2000, WAP (Wireless Application Protocol), ANSI X9.62, ANSI X9.63 and ISO CD 14888-3 employ ECC.

Elliptic curve over a Galois field with p elements

$E : y^2 = x^3 + ax + b \pmod p$

Addition and doubling of points are the group operations along with the identity element.

Definition ECDLP: Given the prime modulus p, the curve constants a and b and two points P and Q, find a scalar k such that Q = kP

Efficient Field Arithmetic in crypto coprocessor.

Effect of coordinate systems on speed of the scalar multiplication operations.

Smart Card Hardware

Motorola M-Smart Jupiter™ smart card based on Java Card™ 2.1 technology and an ARM processor with a word size of 32 bits, 64KB of ROM, 32KB of EEPROM, 3KB RAM and a modular arithmetic coprocessor (crypto coprocessor).

ECDSA Signature Generation

Signature generation for message M: private key d, hash value h=Hash(M), order l of base point P.

ECDSA Signature Verification

Signature verification for message M, signature (r,s), hash h: base point P, public key Q=dP, order l of base point P
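
Added example (not from the original slides): the addition and doubling formulas from the "Algebraic Approach" slide over F_p, binary scalar multiplication, and the standard ECDSA signing and verification equations in the slides' notation (private key d, hash h, base point P of order l, public key Q = dP). The toy curve y^2 = x^3 + 2x + 2 over F_17 with P = (5, 1) of order 19, the caller-supplied nonce k, passing the hash as an integer, and all function names are assumptions made for illustration.

```python
# Toy parameters, constructed for illustration and far too small for real use:
# curve y^2 = x^3 + a*x + b over F_p, base point P of prime order l.
p, a, b = 17, 2, 2
P, l = (5, 1), 19
O = None  # the point at infinity, the additive identity

def on_curve(pt):
    """True if pt is O or satisfies the curve equation mod p."""
    if pt is O:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def add(Pt, Qt):
    """R = Pt + Qt with the slides' algebraic formulas, reduced mod p."""
    if Pt is O:
        return Qt
    if Qt is O:
        return Pt
    (xP, yP), (xQ, yQ) = Pt, Qt
    if xP == xQ and (yP + yQ) % p == 0:
        return O  # P + (-P) = O; also covers 2*P = O when yP = 0
    if Pt == Qt:
        s = (3 * xP * xP + a) * pow((2 * yP) % p, -1, p) % p  # doubling slope
    else:
        s = (yP - yQ) * pow((xP - xQ) % p, -1, p) % p         # addition slope
    xR = (s * s - xP - xQ) % p
    yR = (-yP + s * (xP - xR)) % p
    return (xR, yR)

def mul(k, Pt):
    """Binary method (double-and-add), no pre-computation: returns k*Pt."""
    R = O
    for bit in bin(k)[2:]:
        R = add(R, R)
        if bit == "1":
            R = add(R, Pt)
    return R

def sign(h, d, k):
    """ECDSA signature (r, s) on hash h with private key d and nonce k.
    k must be secret, unpredictable and fresh for every signature."""
    if not 1 <= k < l:
        raise ValueError("nonce k must be in [1, l-1]")
    r = mul(k, P)[0] % l
    s = pow(k, -1, l) * (h + d * r) % l
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s

def verify(h, r, s, Q):
    """Accept (r, s) on hash h under public key Q = d*P."""
    if not (1 <= r < l and 1 <= s < l):
        return False  # range check before any inversion
    if Q is O or not on_curve(Q):
        return False  # reject keys that are not points on this curve
    w = pow(s, -1, l)
    X = add(mul(h * w % l, P), mul(r * w % l, Q))
    return X is not O and X[0] % l == r

if __name__ == "__main__":
    d = 7                      # constructed private key
    Q = mul(d, P)              # public key Q = d*P
    r, s = sign(26, d, 10)     # constructed hash value and nonce
    print(Q, (r, s), verify(26, r, s, Q), verify(27, r, s, Q))
```

The hash value 27 drives the verifier's intermediate point to O, which is why `verify` checks for the point at infinity before reading its x-coordinate.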

Modular arithmetic of GF(p)

Modular Addition and Subtraction.

Modular Reduction (multiplication) algorithms:
  Barrett reduction.
  Montgomery reduction.
  NIST primes by Brown et al., very fast (6% and 33%) but specialized reduction algorithm.
  Pseudo-Mersenne prime.

Modular Inversion (Division)
  Binary extended GCD (BEGCD) algorithm
  Extended Euclidean algorithm (EEA)
  Exponentiation method (Fermat’s little theorem)

Scalar multiplication

Basic crypto operation of an ECC.

Series of point addition and doubling.

Binary method due to no pre-computation phase.

Faster processing when using signed representation of the scalar value.

Point coordinates and Scalar Multiplication

Addition and Doubling
  Affine - a point is represented as $(x_A, y_A)$.
  Projective - (X, Y, Z) where $x_A = XZ^{-1}$ and $y_A = YZ^{-1}$.
  Jacobian, Modified Jacobian and Chudnovsky Jacobian.

Issue of Temporary variables required by each algorithm.

Mixed coordinate multiplication.
