Elliptic Curve Cryptography
Jen-Chang Liu, 2004
Adapted from lecture slides by Lawrie BrownRef: RSA Security’s Official Guide to Cryptography
No Singhalese( 錫蘭人 ), whether man or woman, would venture out of the house without a bunch of keys in his hand, for without such a talisman( 護身符 ) he would fear that some devil might take advantage of his weak state to slip into his body.
—The Golden Bough, Sir James George Frazer
Review: Requirement for public-key cryptography
Diffie and Hellman (1976) proposed the public-key cryptography requirement: It is computationally easy to generate a pair of keys It is computationally easy for a sender to encrypt It is computationally easy for a receiver to decrypt It is computationally infeasible for an opponent,
knowing the public key, to determine the private key
It is computationally infeasible for an opponent, knowing the public key and ciphtertext, to recover the plaintext
bX = DKR (Y)
Y = EKU (X)b
=> Trap-door one-way function
Review: one-way function 1968, R. M. Needham’s system
1974, G. Purdy published the first detail description of such a one-way function
One-way function
Computation in Zp ,
59264 p
A’s passwordOne-way cipher
Encrypted password list
…
…A’s encrypted password
542
33
232
1172 2424
)( axaxaxaxaxxf
Hard to invert!
Review: (trapdoor) one-way function
domain targetY=f(X): easy
X=f -1 (Y): infeasible ( > polynomial time)
X=fK-1 (Y): easy if trap-door K is known
( ~ polynomial time)
The notion of “computationally infeasible” plays an important role
A enciphering transformation that can safely be regarded as a (trapdoor) one-way function in 1994 might lose its one-way or trapdoor status in 2004 or 2994
Elliptic Curve Cryptography (ECC)
majority of public-key crypto (RSA, D-H) use either integer or polynomial arithmetic with very large numbers/polynomials
imposes a significant load in storing and processing keys and messages
an alternative is to use elliptic curves offers same security with smaller bit
sizes
Outline
Operations over abelian groups ( 可換群 )
Elliptic curves over the reals Elliptic curves over the finite fields Elliptic curve cryptography
Abelian group
Group with communicative property Group: {G, •}
G: a set of elements •: binary operation to each pair (a,b) in G
obeys: closure: a•b is also in G associative law: (a•b)•c = a•(b•c) has identity e: e•a = a•e = a has inverses a-1: a•a-1 = e
Public ciphers based on an abelian group
Exponentiation (repeated multiplication) in RSA and D-H algorithm
Idea: Find another abelian group! In elliptic curves, we define the addition
operation such that it forms an abelian group
qaaaqak mod )( mod k timeshard problem
aaaak k times
Classes of elliptic curves used by cryptographers
Outline
Operations over abelian groups ( 可換群 )
Elliptic curves over the reals Elliptic curves over the finite fields Elliptic curve cryptography
Real Elliptic Curves Elliptic curves are not ellipses an elliptic curve is defined by an
equation in two variables x & y, with coefficients
consider a cubic elliptic curve of form y2 = x3 + ax + b where x, y, a, b are all real numbers also define O (point at infinity)
Real Elliptic Curve Example#1
Given x, there will be two solutions for y
Multiple roots of
x3+x+1=0
Real Elliptic Curve Example#2
Roots ofx3-x=0
Real Elliptic Curve Example#2: F(x,y)
Real Elliptic Curve Example#2: F(x,y)3-d 圖俯視
Addition over elliptic curve
Definition: Let E be an elliptic curve over the real numbers. P and Q be two points on E. We define the negative of P and the sum P+Q as:
1. If P is the point at infinity O, then –P=O and P+Q = Q.
[i.e. O servers as the identity (zero)]2. P = (x,y), then –P=(x,-y) [-P must lie on elliptic curve]
Addition over elliptic curve (cont.)
3. If P and Q have different x-coordinate, then
P+Q = …R
Why not P+Q=R?
1. P+Q = R => R-Q = P
2. However, by definition R+Q = P
3. R-Q = R+Q ?
PQl
Addition over elliptic curve (cont.)
4. If Q=-P, then P+Q = O5. If P=Q, then P+Q = …
P
Q
P
2P
Closure of addition operation
Why there is exactly one point where the line intersects with elliptic curve?
(P+Q 一定有定義 ?)Case 1: P=Q
PQl
(x1, y1)=(x2, y2)=
Line function: (x, x
(x3, x3
Solve
baxxy
xy32
Closure of addition operation (cont.)
Solve
baxxy
xy32
=> 0)( 23 baxxx
三個根: (x1, y1), (x2, y2), (x3, y3)
0))()(( 321 xxxxxx=>
0...)( 2321
3 xxxxx=>
=> 2321 xxx
=> 212
3 xxx
=>
)( 3112
1213
21
2
12
123
xxxx
yyyy
xxxx
yyx
Closure of addition operation (cont.)
Case 2: P=Q Slope of the tangent line: Solution of P+Q:
1
21
2
3
y
ax
)(2
3
22
3
311
21
13
1
2
1
21
3
xxy
axyy
xy
axx
Outline
Operations over abelian groups ( 可換群 )
Elliptic curves over the reals Elliptic curves over the finite fields
Over Zp
Over GF(2m) Elliptic curve cryptography
Finite Elliptic Curves
Elliptic curve cryptography uses curves whose variables & coefficients are discrete and finite
have two families commonly used: prime curves Ep(a,b) defined over Zp
use integers modulo a prime best in software
binary curves E2m(a,b) defined over GF(2m) use polynomials with binary coefficients best in hardware
Example: discrete EC over Zp
pxx
py
mod )1(
mod 3
2
Ex. (9, 7) is on EC
23 mod )199(
23 mod 73
2
EC over Zp
1. P+O = P2. If P=(xp, yp), then P+ (xp, -yp) = O
3. If P=(xp, yp), Q=(xq, yq), R=P+Q=(xR, yR) is pxxx QPR mod )( 2
pyxxy PRPR mod ))((
where
QPpy
ax
QPpxx
yy
P
P
PQ
PQ
if mod 2
3
if mod
2
EC over Zp (cont.)
4. Scalar multiplication is defined as repeated addition.Ex. 4P = P+P+P+P
Q: How many points are defined on EC (given prime modulo p)?
ppNpp 2121
When p is large, it approximates the size of Zp
Outline
Operations over abelian groups ( 可換群 )
Elliptic curves over the reals Elliptic curves over the finite fields Elliptic curve cryptography
Elliptic Curve Cryptography
ECC addition is analog of modulo multiply in RSA
ECC repeated addition is analog of modulo exponentiation
need “hard” problem equiv. to discrete log Q=kP, where Q,P belong to a prime curve is “easy” to compute Q given k and P but “hard” to find k given Q,P known as the elliptic curve logarithm
problem
EC discrete log problem
Certicom example: E23(9,17) EC: P=(16,5), Q=(4,5), determine k s.t. Q=kP Brute force method:
23 mod )179(23 mod 32 xxy
P=(16,5); 2P=(20,20); 3P=(14,14); 4P=(19,20)
5P=(13,10); 6P=(7,3); 7P=(8,7); 8P=(12,17); 9P=(4,5)
ECC Diffie-Hellman
can do key exchange analogous to D-H users select a suitable curve Ep(a,b) select base point G=(x1,y1) with large
order n s.t. nG=O A & B select private keys nA<n, nB<n
compute public keys: PA=nA×G, PB=nB×G
compute shared key: K=nA×PB, K=nB×PA
same since K=nA×nB×G
Protocol of D-H key exchange
Public: Ep(a,b)G=(x1,y1)nA<n
PA=nA×G nB<nPB=nB×G
K=nA×PB
K=nB×PA
PA
PB
The same secret key:K=nA×nB×G
ECC Encryption/Decryption several alternatives, will consider simplest must first encode any message M as a point
on the elliptic curve Pm
Problem: not all discrete points are defined in EC select suitable curve & point G as in D-H each user chooses private key nA<n
and computes public key PA=nA×G
to encrypt Pm : Cm={kG, Pm+kPA}, k random decrypt Cm compute:
Pm+kPA–nA(kG) = Pm+k(nAG)–nA(kG) = Pm
Example: ECC encryption
EC curve on Zp : y2 = x3 -x + 188 G = (0, 376), p = 751 A’s public key PA = (201, 5) Plaintext Pm=(562, 201) B selects random k=386, then encryt
Pm asCm={kG, Pm+kPA}= {386(0,376), (562, 201)+386(201, 5)}= {(676, 558), (385, 328)}
ECC Security compared to factoring, can use much
smaller key sizes than with RSA etc for equivalent key lengths
computations are roughly equivalent