Elliptic Curve Cryptography

Cryptography

The fundamental objective of cryptography

is to enable two people, usually referred to as
Alice and Bob, to communicate over an
insecure channel in such a way that an
opponent, Oscar, cannot understand what is
being said.

Elliptic Curve Crypto (ECC)

Elliptic curve is not a cryptosystem
Elliptic curves are a different way to do
the math in public key system
Elliptic curve versions of DH, RSA, etc.

Elliptic curves may be more efficient

Fewer bits needed for same security
But the operations are more complex

What is an Elliptic Curve?

An elliptic curve E is the graph of
an equation of the form
y2 = x3 + ax + b
Also includes a point at infinity

What do elliptic curves look like?

See the following!

Elliptic Curves
Elliptic curves as algebraic/geometric
entities have been studied extensively
for the past 150 years, and from these
studies has emerged a rich and deep
theory. Elliptic curve systems as applied
to cryptography were first proposed in
1985 independently by Neal Koblitz
from the University of Washington, and
Victor Miller, who was then at IBM,
Yorktown Heights.

 Many cryptosystems often require the use of

algebraic groups. Elliptic curves may be used
to form elliptic curve groups. A group is a set
of elements with custom-defined arithmetic
operations on those elements. For elliptic curve
groups, these specific operations are defined
geometrically. Introducing more stringent
properties to the elements of a group, such as
limiting the number of points on such a curve,
creates an underlying field for an elliptic curve
group. Elliptic curves are first examined over
real numbers in order to illustrate the
geometrical properties of elliptic curve groups.
Thereafter, elliptic curves groups are examined
with the underlying fields of Fp (where p is a
prime) and F2m (a binary representation with
2m elements).

Elliptic Curve Groups over Real

Numbers
An elliptic curve over real numbers may be defined as the
set of points (x,y) which satisfy an elliptic curve equation of
the form:
y2 = x3 + ax + b, where x, y, a and b are real numbers.
Each choice of the numbers a and b yields a different elliptic
curve. For example, a = -4 and b = 0.67 gives the elliptic
curve with equation y2 = x3 - 4x + 0.67; the graph of this
curve is shown below:
If x3 + ax + b contains no repeated factors, or equivalently if
4a3 + 27b2 is not 0, then the elliptic curve y2 = x3 + ax + b

can be used to form a group. An elliptic curve group over

real numbers consists of the points on the corresponding
elliptic curve, together with a special point O called the
point at infinity.

 P + Q = R is the additive property defined geometrically.

Elliptic Curve Addition: A

Geometric Approach
Elliptic curve groups are additive groups;
that is, their basic function is addition. The
addition of two points in an elliptic curve is
defined geometrically.

The negative of a point P = (xP,yP) is its

reflection in the x-axis: the point -P is
(xP,-yP). Notice that for each point P on an
elliptic curve, the point -P is also on the curve.

Adding distinct points P and Q

Suppose that P and Q are two distinct
points on an elliptic curve, and the P is
not -Q. To add the points P and Q, a line
is drawn through the two points. This
line will intersect the elliptic curve in
exactly one more point, call -R. The
point -R is reflected in the x-axis to the
point R. The law for addition in an
elliptic curve group is P + Q = R. For
example:

Adding the points P and -P

The line through P and -P is a vertical
line which does not intersect the elliptic
curve at a third point; thus the points P
and -P cannot be added as previously. It
is for this reason that the elliptic curve
group includes the point at infinity O.
By definition, P + (-P) = O. As a result
of this equation, P + O = P in the elliptic
curve group . O is called the additive
identity of the elliptic curve group; all
elliptic curves have an additive identity.

Doubling the point P

To add a point P to itself, a tangent line
to the curve is drawn at the point P. If yP
is not O, then the tangent line intersects
the elliptic curve at exactly one other
point, -R. -R is reflected in the x-axis to
R. This operation is called doubling the
point P; the law for doubling a point on
an elliptic curve group is defined by:
P + P = 2P = R.

 The tangent from P is always vertical if yP = 0.

Doubling the point P if yP = 0

If a point P is such that yP = 0, then the tangent
line to the elliptic curve at P is vertical and
does not intersect the elliptic curve at any other
point.

By definition, 2P = O for such a point P.

If one wanted to find 3P in this situation, one
can add 2P + P. This becomes P + O = P Thus
3P = P.
3P = P, 4P = O, 5P = P, 6P = O, 7P = P, etc.

Elliptic Curve Addition: An

Algebraic Approach
Although the previous geometric
descriptions of elliptic curves
provides an excellent method of
illustrating elliptic curve arithmetic,
it is not a practical way to
implement arithmetic computations.
Algebraic formulae are constructed
to efficiently compute the geometric
arithmetic.

Adding distinct points P and Q

When P = (xP, yP) and Q = (xQ, yQ) are not
negative of each other,
P + Q = R where
s = (yP - yQ) / (xP - xQ)
xR = s2 - xP - xQ and yR = -yP + s(xP - xR)
Note that s is the slope of the line through P
and Q.

Doubling the point P

When yP is not 0,
2P = R where
s = (3xP2 + a) / (2yP )
xR = s2 - 2xP and yR = -yP + s(xP - xR)
Recall that a is one of the parameters
chosen with the elliptic curve and that s
is the tangent on the point P.

Elliptic Curve Picture

Consider elliptic curve

E: y2 = x3 - x + 1
P1

P2
x
P3

If P1 and P2 are on E, we can

define
P3 = P 1 + P 2
as shown in picture
Addition is all we need

Points on Elliptic Curve

Consider y2 = x3 + 2x + 3 (mod 5)
x = 0 y2 = 3 no solution (mod 5)
x
x
x
x

=
=
=
=

1
2
3
4

y2
y2
y2
y2

=
=
=
=

6 = 1 y = 1,4 (mod 5)
15 = 0 y = 0 (mod 5)
36 = 1 y = 1,4 (mod 5)
75 = 0 y = 0 (mod 5)

Then points on the elliptic curve are

(1,1) (1,4) (2,0) (3,1) (3,4) (4,0)
and the point at infinity:

Elliptic Curve Math

Addition on: y2 = x3 + ax + b (mod p)
P1=(x1,y1), P2=(x2,y2)
P1 + P2 = P3 = (x3,y3) where
x3 = m2 - x1 - x2 (mod p)
y3 = m(x1 - x3) - y1 (mod p)
And
m = (y2-y1)(x2-x1)-1 mod p, if P1P2
m = (3x12+a)(2y1)-1 mod p, if P1 = P2
Special cases:
If m is infinite, P3 = , and
+ P = P for all P

Elliptic Curve Addition

Consider y2 = x3 + 2x + 3 (mod 5). Points
on the curve are (1,1) (1,4) (2,0) (3,1)
(3,4) (4,0) and
What is (1,4) + (3,1) = P3 = (x3,y3)?
m = (1-4)(3-1)-1 = -32-1
= 2(3) = 6 = 1 (mod 5)
x3 = 1 - 1 - 3 = 2 (mod 5)
y3 = 1(1-2) - 4 = 0 (mod 5)
On this curve, (1,4) + (3,1) = (2,0)

ECC Diffie-Hellman
Public: Elliptic curve and point (x, y) on curve
Secret: Alices A and Bobs B
A(x,y)
B(x,y)
Alice, A
Alice computes A(B(x,y))
Bob computes B(A(x,y))
These are the same since AB = BA

Bob, B

Elliptic Curve Deffie-Hellmen

(ECDH)

Consistency: K=nAQB=nAnBP=nBQA
ECDH is vulnerable to the man-in-the-middle attack

ECC Diffie-Hellman
Public: Curve y2 = x3 + 7x + b (mod 37) and
point (2,5) b = 3
Alices secret: A = 4
Bobs secret: B = 7
Alice sends Bob: 4(2,5) = (7,32)
Bob sends Alice: 7(2,5) = (18,35)
Alice computes: 4(18,35) = (22,1)
Bob computes: 7(7,32) = (22,1)

Elliptic Curve Groups over Fp

Calculations over the real numbers are slow and inaccurate
due to round-off error.
Cryptographic applications require fast and precise
arithmetic; thus elliptic curve groups over the finite fields of Fp
and F2m are used in practice.
Recall that the field Fp uses the numbers from 0 to p - 1, and
computations end by taking the remainder on division by p. For
example, in F23 the field is composed of integers from 0 to 22,
and any operation within this field will result in an integer also
between 0 and 22.
An elliptic curve with the underlying field of Fp can formed by
choosing the variables a and b within the field of Fp. The
elliptic curve includes all points (x, y) which satisfy the elliptic
curve equation modulo p (where x and y are numbers in Fp).

 For example: y2 mod p = x3 + ax + b mod p has

an underlying field of Fp if a and b are in Fp.
If x3 + ax + b contains no repeating factors (or,
equivalently, if 4a3 + 27b2 mod p is not 0), then
the elliptic curve can be used to form a group.
An elliptic curve group over Fp consists of the
points on the corresponding elliptic curve,
together with a special point O called the point
at infinity. There are finitely many points on
such an elliptic curve.

Example of an Elliptic Curve Group over Fp

As a very small example, consider an elliptic curve over the
field F23. With a = 1 and b = 0, the elliptic curve equation is
y2 = x3 + x. The point (9,5) satisfies this equation since:
y2 mod p = x3 + x mod p
25 mod 23 = 729 + 9 mod 23
25 mod 23 = 738 mod 23
2=2

The 23 points which satisfy this equation are:

(0,0) (1,5) (1,18) (9,5) (9,18) (11,10) (11,13) (13,5)
(13,18) (15,3) (15,20) (16,8) (16,15) (17,10) (17,13) (18,10)
(18,13) (19,1) (19,22) (20,4) (20,19) (21,6) (21,17)
These points may be graphed as below:

 Note that there is two points for every x value.

Even though the graph seems random, there is still
symmetry about y = 11.5. Recall that elliptic
curves over real numbers, there exists a negative
point for each point which is reflected through the
x-axis. Over the field of F23, the negative
components in the y-values are taken modulo 23,
resulting in a positive number as a difference from
23. Here -P = (xP, (-yP mod 23))

Note that these rules are exactly the same as those

for elliptic curve groups over real numbers, with
the exception that computations are performed
modulo p.

Arithmetic in an Elliptic Curve Group over Fp

There are several major differences between elliptic
curve groups over Fp and over real numbers.
Elliptic curve groups over Fp have a finite number of
points, which is a desirable property for cryptographic
purposes. Since these curves consist of a few discrete
points, it is not clear how to "connect the dots" to
make their graph look like a curve. It is not clear how
geometric relationships can be applied. As a result,
the geometry used in elliptic curve groups over real
numbers cannot be used for elliptic curve groups over
Fp. However, the algebraic rules for the arithmetic can
be adapted for elliptic curves over Fp. Unlike elliptic
curves over real numbers, computations over the field
of Fp involve no round off error - an essential property
required for a cryptosystem.

Adding distinct points P and Q

The negative of the point P = (xP, yP) is the point -P = (xP, -yP
mod p). If P and Q are distinct points such that P is not -Q, then
P + Q = R where
s = (yP - yQ) / (xP - xQ) mod p
xR = s2 - xP - xQ mod p and yR = -yP + s(xP - xR) mod p
Note that s is the slope of the line through P and Q.

Doubling the point P

Provided that yP is not 0,

2P = R where
s = (3xP2 + a) / (2yP ) mod p
xR = s2 - 2xP mod p and yR = -yP + s(xP - xR)
mod p

Recall that a is one of the parameters chosen

with the elliptic curve and that s is the slope of
the line through P and Q.

Elliptic Curve Groups over F2m

Elements of the field F2m are m-bit strings. The rules for
arithmetic in F2m can be defined by either polynomial
representation or by optimal normal basis representation.
Since F2m operates on bit strings, computers can perform
arithmetic in this field very efficiently.

An elliptic curve with the underlying field F2m is formed by

choosing the elements a and b within F2m (the only condition
is that b is not 0). As a result of the field F2m having a
characteristic 2, the elliptic curve equation is slightly
adjusted
for
binary
representation:
y2 + xy = x3 + ax2 + b
The elliptic curve includes all points (x, y) which satisfy the
elliptic curve equation over F2m (where x and y are elements of
F2m ). An elliptic curve group over F2m consists of the points on
the corresponding elliptic curve, together with a point at
infinity, O. There are finitely many points on such an elliptic
curve.

An Example of an Elliptic Curve Group

over F2m

As a very small example, consider the field F24, defined by using polynomial
representation with the irreducible polynomial f(x) = x4 + x + 1.
The element g = (0010) is a generator for the field . The powers of g are:
g0 = (0001) g1 = (0010) g2 = (0100) g3 = (1000) g4 = (0011) g5 = (0110)
g6 = (1100) g7 = (1011) g8 = (0101) g9 = (1010) g10 = (0111) g11 = (1110)
g12 = (1111) g13 = (1101) g14 = (1001) g15 = (0001)
In a true cryptographic application, the parameter m must be large enough to preclude the
efficient generation of such a table otherwise the cryptosystem can be broken. In today's
practice, m = 160 is a suitable choice. The table allows the use of generator notation (ge)
rather than bit string notation, as used in the following example. Also, using generator
notation allows multiplication without reference to the irreducible polynomial
f(x) = x4 + x + 1.

 Consider the elliptic curve y2 + xy = x3 + g4x2 + 1. Here a =

g4 and b = g0 =1. The point (g5, g3) satisfies this equation
over F2m :
y2 + xy = x3 + g4x2 + 1
(g3)2 + g5g3 = (g5)3 + g4g10 + 1
g6 + g8 = g15 + g14 + 1

(1100) + (0101) = (0001) + (1001) + (0001)

(1001) = (1001)
The fifteen points which satisfy this equation are:
(1, g13) (g3, g13) (g5, g11) (g6, g14) (g9, g13) (g10, g8) (g12, g12)
(1, g6) (g3, g8) (g5, g3) (g6, g8) (g9, g10) (g10, g) (g12, 0) (0, 1)

These points are graphed below:

Arithmetic in an Elliptic Curve

Group over F2m
Elliptic curve groups over F2m have a
finite number of points, and their
arithmetic involves no round off error.
This combined with the binary nature of
the field, F2m arithmetic can be performed
very efficiently by a computer.
The following algebraic rules are applied
for arithmetic over F2m :

Adding distinct points P and Q

The negative of the point P = (xP, yP) is the point -P =
(xP, xP + yP). If P and Q are distinct points such that P
is not -Q, then
P + Q = R where
s = (yP - yQ) / (xP + xQ)

xR = s2 + s + xP + xQ + a and yR = s(xP + xR) + xR +

yP
As with elliptic curve groups over real numbers, P + (-P)
= O, the point at infinity. Furthermore, P + O = P for all
points P in the elliptic curve group.

Doubling the point P

If xP = 0, then 2P = O

Provided that xP is not 0,

2P = R where

s = xP + yP / xP
xR = s2+ s + a and yR = xP2 + (s + 1) * xR

Recall that a is one of the parameters chosen

with the elliptic curve and that s is the slope
of the line through P and Q

Elliptic Curve groups and the

Discrete Logarithm Problem
At the foundation of every cryptosystem is a hard
mathematical problem that is computationally infeasible
to solve. The discrete logarithm problem is the basis for
the security of many cryptosystems including the Elliptic
Curve Cryptosystem. More specifically, the ECC relies
upon the difficulty of the Elliptic Curve Discrete
Logarithm Problem (ECDLP).

Recall that we examined two geometrically defined

operations over certain elliptic curve groups. These two
operations were point addition and point doubling. By
selecting a point in a elliptic curve group, one can
double it to obtain the point 2P. After that, one can add
the point P to the point 2P to obtain the point 3P. The
determination of a point nP in this manner is referred to
as Scalar Multiplication of a point. The ECDLP is based
upon the intractability of scalar multiplication products.

Scalar Multiplication
The following animation demonstrates scalar
multiplication through the combination of point
doubling and point addition.
While it is customary to use additive notation to
describe an elliptic curve group (as has been
done previously in this classroom), some insight
is provided by using multiplicative notation.
Specifically, consider the operation called "scalar
multiplication" under additive notation: that is,
computing kP by adding together k copies of the
point P. Using multiplicative notation, this
operation consists of multiplying together k
copies of the point P, yielding the point
P*P*P*P**P = Pk.

The Elliptic Curve Discrete Logarithm

Problem

In the multiplicative group Zp*, the discrete logarithm problem is:

given elements r and q of the group, and a prime p, find a number k
such that r = qk mod p. If the elliptic curve groups is described using
multiplicative notation, then the elliptic curve discrete logarithm
problem is: given points P and Q in the group, find a number that Pk =
Q; k is called the discrete logarithm of Q to the base P. When the
elliptic curve group is described using additive notation, the elliptic
curve discrete logarithm problem is: given points P and Q in the
group, find a number k such that Pk = Q

Example:
In the elliptic curve group defined by
y2 = x3 + 9x + 17 over F23,

What is the discrete logarithm k of Q = (4,5) to the base P = (16,5)?

 One (nave) way to find k is to compute

multiples of P until Q is found. The first few
multiples
of
P
are:
P = (16,5) 2P = (20,20) 3P = (14,14) 4P =
(19,20) 5P = (13,10) 6P = (7,3) 7P = (8,7) 8P =
(12,17)
9P
=
(4,5)
Since 9P = (4,5) = Q, the discrete logarithm of
Q to the base P is k = 9.
In a real application, k would be large enough
such that it would be infeasible to determine k
in this manner.

An Example of the Elliptic Curve

Discrete Logarithm Problem

What is the discrete

logarithm of Q(-0.35,2.39)
to the base P(-1.65,-2.79) in
the elliptic curve group y2 =
x3 - 5x + 4 over real
numbers?

Diffie-Hellman

Diffie-Hellman
Invented by Williamson (GCHQ) and,
independently, by D and H (Stanford)
A key exchange algorithm
Used to establish a shared symmetric key

Not for encrypting or signing

Security rests on difficulty of discrete log
problem: given g, p, and gk mod p find k

Diffie-Hellman
Let p be prime, let g be a generator
For any x {1,2,,p-1} there is n s.t. x = gn mod p

Alice selects secret value a

Bob selects secret value b
Alice sends ga mod p to Bob
Bob sends gb mod p to Alice
Both compute shared secret gab mod p
Shared secret can be used as symmetric key

Diffie-Hellman
Suppose that Bob and Alice use gab mod p
as a symmetric key
Trudy can see ga mod p and gb mod p
Note ga gb mod p = ga+b mod p gab
mod p
If Trudy can find a or b, system is broken
If Trudy can solve discrete log problem,
then she can find a or b

Diffie-Hellman
Public: g and p
Secret: Alices exponent a, Bobs exponent b
ga mod p
gb mod p

Alice, a

Bob, b

Alice computes (gb)a = gba = gab mod p

Bob computes (ga)b = gab mod p
Could use K = gab mod p as symmetric key

Diffie-Hellman
Subject to man-in-the-middle (MiM) attack

Alice, a

ga mod p

gt mod p

gt mod p

gb mod p
Trudy, t

Trudy shares secret gat mod p with Alice

Trudy shares secret gbt mod p with Bob
Alice and Bob dont know Trudy exists!

Bob, b

Diffie-Hellman
How to prevent MiM attack?

Encrypt DH exchange with symmetric key

Encrypt DH exchange with public key
Sign DH values with private key
Other?

You MUST be aware of MiM attack on

Diffie-Hellman

Public-key encryption

Key generation algorithm: randomized algorithm that outputs

(pk, sk)
Encryption algorithm:
Takes a public key and a message (plaintext), and outputs a
ciphertext; c Epk(m)
Decryption algorithm:
Takes a private key and a ciphertext, and outputs a message
(or perhaps an error); m = Dsk(c)
Correctness: for all (pk, sk), Dsk(Epk(m)) = m

El Gamal encryption

Receiver

p, g

Sender

p, g, hA = gx
hA = gx mod p
c = (KBA . m) mod p
hB, c
hB = gy mod p
KAB = (hB)x

KBA = (hA)y

ElGamal Digital Signature

Alice signs a message M to Bob by computing
the hash m = H(M), 0 <= m <= (q-1)
chose random integer K with 1 <= K <= (q-1)
and gcd(K,q-1)=1
k
compute temporary key: S1 = a mod q
compute K-1 the inverse of K mod (q-1)
compute the value: S2 = K-1(m-xAS1) mod (q-1)
signature is:(S1,S2)
any user B can verify the signature by computing
m
V1 = a mod q
V2 = yAS1 S1S2 mod q
signature is valid if V1 = V2

 use field GF(19) q=19 and a=10

Alice computes her key:
16
A chooses xA=16 & computes yA=10 mod 19 = 4
Alice signs message with hash m=14 as (3,4):
choosing random K=5 which has gcd(18,5)=1
5
computing S1 = 10 mod 19 = 3
finding K-1 mod (q-1) = 5-1 mod 18 = 11
computing S2 = 11(14-16.3) mod 18 = 4
any user B can verify the signature by computing
14
V1 = 10 mod 19 = 16
V2 = 43.34 = 5184 = 16 mod 19
since 16 = 16 signature is valid

Elliptic Curve Digital Signature Algorithm

(ECDSA)

RSA background
N=pq, p and q distinct, odd primes
(N) = (p-1)(q-1)
Easy to compute (N) given the factorization of N
Hard to compute (N) without the factorization of N
Fact: for all x ZN*, it holds that x(N) = 1 mod N
If ed=1 mod (N), then for all x it holds that
(xe)d = x mod N
i.e., this is a way to compute eth roots

RSA key generation

Generate random p, q of sufficient length
Compute N=pq and (N) = (p-1)(q-1)
Compute e and d such that ed = 1 mod (N)
e must be relatively prime to (N)
Public key = (N, e); private key = (N, d)
To encrypt a message m ZN*, compute
c = me mod N
To decrypt a ciphertext c, compute m = cd mod N

Hardness of computing eth roots?

The RSA problem:
Given N, e, and c, compute c1/e mod N
If factoring is easy, then the RSA problem is
easy
We know of no other way to solve the RSA
problem besides factoring N
But we do not know how to prove that the
RSA problem is as hard as factoring
The upshot: we believe factoring is hard, and
we believe the RSA problem is hard