Professional Documents
Culture Documents
Cryptography
Elliptic Curves
Elliptic curves as algebraic/geometric
entities have been studied extensively
for the past 150 years, and from these
studies has emerged a rich and deep
theory. Elliptic curve systems as applied
to cryptography were first proposed in
1985 independently by Neal Koblitz
from the University of Washington, and
Victor Miller, who was then at IBM,
Yorktown Heights.
E: y2 = x3 - x + 1
P1
P2
x
P3
=
=
=
=
1
2
3
4
y2
y2
y2
y2
=
=
=
=
6 = 1 y = 1,4 (mod 5)
15 = 0 y = 0 (mod 5)
36 = 1 y = 1,4 (mod 5)
75 = 0 y = 0 (mod 5)
ECC Diffie-Hellman
Public: Elliptic curve and point (x, y) on curve
Secret: Alices A and Bobs B
A(x,y)
B(x,y)
Alice, A
Alice computes A(B(x,y))
Bob computes B(A(x,y))
These are the same since AB = BA
Bob, B
Consistency: K=nAQB=nAnBP=nBQA
ECDH is vulnerable to the man-in-the-middle attack
ECC Diffie-Hellman
Public: Curve y2 = x3 + 7x + b (mod 37) and
point (2,5) b = 3
Alices secret: A = 4
Bobs secret: B = 7
Alice sends Bob: 4(2,5) = (7,32)
Bob sends Alice: 7(2,5) = (18,35)
Alice computes: 4(18,35) = (22,1)
Bob computes: 7(7,32) = (22,1)
2P = R where
s = (3xP2 + a) / (2yP ) mod p
xR = s2 - 2xP mod p and yR = -yP + s(xP - xR)
mod p
Elements of the field F2m are m-bit strings. The rules for
arithmetic in F2m can be defined by either polynomial
representation or by optimal normal basis representation.
Since F2m operates on bit strings, computers can perform
arithmetic in this field very efficiently.
As a very small example, consider the field F24, defined by using polynomial
representation with the irreducible polynomial f(x) = x4 + x + 1.
The element g = (0010) is a generator for the field . The powers of g are:
g0 = (0001) g1 = (0010) g2 = (0100) g3 = (1000) g4 = (0011) g5 = (0110)
g6 = (1100) g7 = (1011) g8 = (0101) g9 = (1010) g10 = (0111) g11 = (1110)
g12 = (1111) g13 = (1101) g14 = (1001) g15 = (0001)
In a true cryptographic application, the parameter m must be large enough to preclude the
efficient generation of such a table otherwise the cryptosystem can be broken. In today's
practice, m = 160 is a suitable choice. The table allows the use of generator notation (ge)
rather than bit string notation, as used in the following example. Also, using generator
notation allows multiplication without reference to the irreducible polynomial
f(x) = x4 + x + 1.
s = xP + yP / xP
xR = s2+ s + a and yR = xP2 + (s + 1) * xR
Scalar Multiplication
The following animation demonstrates scalar
multiplication through the combination of point
doubling and point addition.
While it is customary to use additive notation to
describe an elliptic curve group (as has been
done previously in this classroom), some insight
is provided by using multiplicative notation.
Specifically, consider the operation called "scalar
multiplication" under additive notation: that is,
computing kP by adding together k copies of the
point P. Using multiplicative notation, this
operation consists of multiplying together k
copies of the point P, yielding the point
P*P*P*P**P = Pk.
Example:
In the elliptic curve group defined by
y2 = x3 + 9x + 17 over F23,
Diffie-Hellman
Diffie-Hellman
Invented by Williamson (GCHQ) and,
independently, by D and H (Stanford)
A key exchange algorithm
Used to establish a shared symmetric key
Diffie-Hellman
Let p be prime, let g be a generator
For any x {1,2,,p-1} there is n s.t. x = gn mod p
Diffie-Hellman
Suppose that Bob and Alice use gab mod p
as a symmetric key
Trudy can see ga mod p and gb mod p
Note ga gb mod p = ga+b mod p gab
mod p
If Trudy can find a or b, system is broken
If Trudy can solve discrete log problem,
then she can find a or b
Diffie-Hellman
Public: g and p
Secret: Alices exponent a, Bobs exponent b
ga mod p
gb mod p
Alice, a
Bob, b
Diffie-Hellman
Subject to man-in-the-middle (MiM) attack
Alice, a
ga mod p
gt mod p
gt mod p
gb mod p
Trudy, t
Bob, b
Diffie-Hellman
How to prevent MiM attack?
Public-key encryption
El Gamal encryption
Receiver
p, g
Sender
p, g, hA = gx
hA = gx mod p
c = (KBA . m) mod p
hB, c
hB = gy mod p
KAB = (hB)x
KBA = (hA)y
RSA background
N=pq, p and q distinct, odd primes
(N) = (p-1)(q-1)
Easy to compute (N) given the factorization of N
Hard to compute (N) without the factorization of N
Fact: for all x ZN*, it holds that x(N) = 1 mod N
If ed=1 mod (N), then for all x it holds that
(xe)d = x mod N
i.e., this is a way to compute eth roots