1

Elliptic Curve Cryptography

2

Outline

• Introduction to elliptic curves

• Elliptic curve Diffie-Hellman key agreement

• Elliptic curve Digital Signature Algorithm

3

3

3

2

2 3

An is a curve given by

It is required that the discrimin

elliptic c

ant =4 27 0. When

0, the polynomial

urve

The equation of an elliptic curve

x ax

a b

y x ax b

has distinct roots,

and the curve is said to be nonsingular.

For reasons to be explained later, we introduce an

additional point, , call the point at infinityed , so the

elliptic curve

0

O

b

2 3

is the set

( , ) :E x y y x ax b O

4

2 3

2 3

2 3

We are often interested in points on the curve of specific

coordinates:

( ) ( , ) :

( ) ( , ) :

( ) ( , ) :

( ) ( , ) :

E Z x y Z Z y x ax b O

E Q x y Q Q y x ax b O

E R x y R R y x ax b O

E C x y C C

2 3 y x ax b O

5

2 3:

Example:

4E y x x

6

Amazing fact: we can use geometry to make the points

of an elliptic curve into a group.

Suppose . Then def

ine .

Making an elliptic curve into a group

P Q P Q R

P

Q

R

-R=R’

7

Suppose .

Then define

2 .

P Q

P Q P R

P=Q

R=2P

-R

8

What if ( , ), ( , ), so that is vertical?

In this case, we define .

This is why we added the extra point into the eu e

rv .

P x y Q x y PQ

P Q O

O

�������������� �

P=(x,y)

-P=(x,-y)Q=(x,-y)

9

Now having defined for , , we still need

to define .

Let play the role

of identity, and define

.

Now every point ( , ) has an inverse: ( , ).

P Q P Q O

P O

O

P O O P P

P x y P x y

P=(x,y)

-P=(x,-y)

10

The addition law on has these properties:

1. for all .

2. ( ) for all .

3. ( ) ( ) for all , , .

4. for all , .

That

Theorem

i ( , ) forms,

. E

P O O P P P E

P P O P E

P Q R P Q R P Q R E

P Q Q P P Q E

E

All of these properties are trivial to check except the

associative law (3), which can be verified by a lengthy

c explic

s an a

it for

belian group

omputation using , or by using

mo

mul

re

as

v

.

ad

anced algebraic or analytic methods.

11

1 1 2

2 3

3 3

23 1

2

1 21 1

1

2

3 1 3

2

1

( , ), ( , ), . .

The curve : .

The line :

( , )

( )

, where

and

Formulas fo

.

r Addition on

E

y x ax b

y x

P x y Q x y P Q R P Q x y

x x x

y x x

E

PQ

y yy x

y

x x

�������������� �

P

Q

R

-R=R’

12

P=Q

R=2P

-R

3 3

23 1

1 1 1

21

1

3 1 3 1

If ( , ), with 0, and

2 , th en

( , )

2

3

(

2

)

P Q x y y

P Q P

x a

y

R x y

x x

y x x y

13

2 3

1 1 2 2

3 3

2 1

2 1

2 23 1 2

3 1 3 1

: 25

( , ) (0,0), ( , ) ( 5,0)

( , ), where

0 00

5 0

0 0 5 5

( ) 0 5 0 0 0

(5,0)

Example

E y x x

P x y Q x y

P Q x y

y y

x x

x x x

y x x y

P Q

14

2 3

1 1 2 2

221

1

22

2 1

2 1 2 1

: 25

( , ) ( 4,6), Then 2 ( , ), where

3 4 253 23

2 2 6 12

23 1681 2 2 4

12 144

1681 23 62279 ( ) 4 6

144 12 1728

Example (doubling)

E y x x

P x y P x y

x a

y

x x

y x x y

15

2 3:

If and are in a field and if and have coordinates

in , then and 2 as computed by the formulas also

have coordinates in

.

, or equal .

Thu

s

An important fact

E

a b K P Q

K P Q P

K

y x x b

O

a

, we can use the same addition laws to make the points

of an elliptic curve over a finite field into a group, even

though the addition laws will no longer have the geometric

interpretation

pF

s.

16

2 3

Let be a field, and suppose that an elliptic curve is given

by an equation of the form

: with , .

Let ( ) denote the set of points of with coordi

Theorem (Poincare, 19 ) 00

K E

E y x ax b a b K

E K E

nates in ,

plus ,

( ) ( , ) : , .

Then ( ) is a group.

K

O

E K x y E x y K O

E K

17

2 3

2 3

: with , .

Let ( ) denote the set of points of with coordinates in ,

plus ,

( ) is isomorphic

( ) ( , ) :

Amazing fa toct:

What does ( ) look like?

E y x ax b a b R

E C E C

O

E C x y C C y x ax O

E

b

C

E C

a torus.

18

19

2 3

3 2

2 3

2 323

Equation: over

where 3, , , 4 27 0 (mod ).

( , ) :

: over

Example:

Elliptic curves defined over

p

p

p p

p

y x ax b F

p a b F a b p

E x y F F y x ax b O

E y x x F

F

20

2 311

11

3

211

11

: 6 over

To find all points ( , ) of ,

for each , compute

6mod11 and

determine whether is a

quadratic residue.

If so, solve in .

# ( ) 13.

ExampleE y x x F

x y E

x F

z x x

z

y z F

E F

9,2410

79

8,398

9,247

86

9,245

84

6,533

7,452

81

60

res? quad63

yes

no

yes

yes

no

yes

no

yes

yes

no

no

yxxx

21

2 2

2211

1

There are 13 points in the group.

So, it is cyclic and any point other is a generator.

Let (2,7). We can compute 2 ( , ) as follows.

3 2 13 132 3 2 4 8 ( mod

2 2 7 14

Example (continued)

O

x y

x a

y

222 1

2 1 2 1

11)

2 8 2 2 5 ( mod11)

( ) 2 5 8 7 2 ( mod11)

2 (5,2)

x x

y x x y

22

3 3

2 1

2 1

2 23 1 2

3 1 3 1

Let 3 ( , ). Then,

2 7 2 ( mod11)

5 2

2 2 5 8 ( mod11)

( ) 2 8

Ex

2 7 3 ( mod11)

(2,7) 2 (5,2) 3 (8,3)

4 (10,2) 5 (

ample (continued

3,6) 6 (7,9)

7 (7,2) 8 (

)

x y

y y

x x

x x x

y x x y

3,5) 9 (10,9)

10 (8,8) 11 (5,9) 12 (2,4)

13 12 2 11 3 10 ?

23

The order of ( ) is denoted as # ( ).

Determining # ( ) is an important proble

Hasse's Theor

m,

called point counting.

e

1 2 # ( ) 1 2 .

There are polyno

m:

mial

Point Counting

p p

p

p

E F E F

E F

p p E F p p

time algorithms that

precisely determine # ( ).pE F

24

If ( , ) ( ), the the other point with the same

is ( , mod ) ( , ).

Since is odd, of the two values and , one is even

and the other odd.

Thus, a point

Point Compression

pP x y E F

x P x y p x p y

p y p y

( , ) can be represented as ( ,0) or ( ,1),

depending on whether is even or odd. This is called

point compression.

Given a compressed point ( , ), we can compute ( , ).

x y x x

y

x i x y

25

0 1 2 1 Let , , , , be a group of order .

DLP in : given an element , find the

unique exponent such that .

DLP in - reviewed

q

xq

g g g g g q

g y g

Z g y

g

x

26

Consider an elliptic curve group ( ).

Let ( ) be a point of large prime order .

0 , 1 , 2 , , ( 1) is a subgroup of ( ).

ECDLP : given

Elliptic Curve Discrete Logarithm Problem

p

p

p

E F

G E F q

G G G G q G E F

a point , find the unique multiplier

such that .q

Y G

x Z xG Y

27

Alice Bob

Alice Bob

Agreed key:

Alice Bob

Diffie-Hellman key agreement

Elliptic Curve Diffie-Hellman

a

b

g

g

ab

aG

g

Alice Bob

Agreed key:

bG

abG

28

Alice and Bob wish to agree on a key.

1. Alice and Bob agree on an elliptic curve ( )

and a point on the curve of large p

secret

rime order

Elliptic Curve Diffie-Hellman key agreement

pE F

G

R

R

.

2. Alice Bob: , where .

3. Alice Bob: , where b .

4. They agree on the key , which is a point on ( ).

They can now use ( ), the -coordinate of ,

as a secret

q

q

p

q

aG a Z

bG Z

ab E F

x abG x abG

G

key for, for example, a symmetric encryption

scheme.

29

*

*

choose primes , and let be of order .

randomly ch

1. Key genera

oose and compute mod ;

param

tion

eters: ( , , , ). ( )

Digital Signature Algorithm (DSA) (reviewed) -

p

xq

p q g Z q

x Z y g p

h p g q sk x

*

1

and ( ).

2. to sign a message ,

randomly choose ; compute ( mod )mod .

compute ( ( ) ) mod ; use a different if or 0.

S

( , , ) is the signed messag

ig

e.

3.

ning:

Veri

kq p q

pk y

m

k Z r g

s h m rx k k r s

m r s

q

1 2

*

1 11 2

accept ( , , ) iff , and

( ) mod mod

where ( ) mod and m

fication:

od .

q

e e

m r s r s Z

r g y p q

e h m s q e rs q

30

*

choose an elliptic curve, say ( ), and a point on

1. Key genera

the curve of large prime order ,

randomly choose and com

o

put

ti n

Elliptic Curve an IEEE and NIST standard DSA -

p

q

E F G

q

x Z

e ;

system parameters: ( , ( ), , );

let ( ) and ( ).

p

Y xG

h E F

sk x p Y

G q

k

31

*

1

2. to sign a message ,

randomly choose ; compute ( )mod ,

where ( ) -coordinate of .

compute ( ( ) ) mod ; use a different if or 0

Signi

.

(Note:

:

th

g

e

n

q

m

k Z r x kG q

x kG x kG

s h m rx k k r sq

*

1 2

1 11 2

Verificatio

here refers to the secret key)

( , , ) is the signed message.

3. accept ( , , ) iff , and

( ) mod

where ( ) mod

n:

and mod .

q

x

m r s

m r s r s Z

r x eG e Y q

e h m s q e rs q

32

• Roughly speaking, elliptic curve cryptosystems with a 160-bit

key offer about the same security as RSA and discrete

logarithm based systems with a 1024-bit key. As a result, the

length of the public key and private key is much shorter in

elliptic curve cryptosystems.

• Elliptic curve cryptosystems are faster than the RSA system

in signing and decryption, but slower in signature verification

and encryption.

• Reference: http://www.rsa.com/rsalabs/node.asp?id=2245

How do elliptic curve cryptosystemscompare with other cryptosystems?