1. Elliptic Curve
Cryptography

2. Introduction
• ECC was introduced by Victor Miller and Neal Koblitz in 1985.
• For DSA, RSA we need larger key length.
• ECC requires significantly smaller key size with same level of
security.
• Benefits of having smaller key sizes : faster computations, need
less storage space.
• ECC ideal for constrained environments : Pagers ; PDAs ;
Cellular Phones ; Smart Cards
2

3. Group
A group is an algebric system consisting of a set G together with a binary
operation * defined on G satisfying the following axioms :
1. Closure : for all x,y in G we have x * y ∈ G
2. Associativity : for all x,y and z in G we have (x
* y) * z = x * (y * z)
3. Identity : there exists an e in G such that x * e = e * x = x for all
x
4. Inverse : for all x in G there exists y in G such that x *
y = y * x = e
In addition if for x, y in G we have x * y = y * x then we say that group G is
abelian.
3

4. Finite Field
A finite field is an algebric system consisting of a set F together with a
binary operations + and * defined on F satisfying the following axioms :
1. F is an abelian group with respect to +.
2. F {0} is an abelian group with respect to *.
3. For all x, y and z in F we have
x * ( y + z) = (x * y) + (x * z)
(x + y) * z = (x * z) + (y * z)
The order of the finite field is the number of elements in the field.
4

5. Galois Fields
The polynomials
Zp[x] mod p(x)
where
p(x) ∈ Zp[x],
p(x) is irreducible,
and deg(p(x)) = n (i.e., n+1 coefficients)
form a finite field. Such a field has pn
elements.
These fields are called Galois Fields or GF(pn
).
The special case n = 1 reduces to the fields Zp
The multiplicative group of GF(pn
)/{0} is cyclic .

6. Galois Field GF(p)
It is a finite field and it consists of a set of integers {0,1,2,3….p-1} where p
is a prime number. Additionally it satisfies the following arithmetic
operations :
1. Addition : if a, b ∈ GF(p), then a + b = r where r is the
remainder of the division of a + b by p and 0<= r <= p-1. This
operation is called addition modulo p.
2. Multiplication : if a, b ∈ GF(p), then a . b = s where s is the
remainder of the division of a . b by p and 0<= s <= p-1. This
operation is called multiplication modulo p.
6

7. Galois Field GF(2m
)
It is a finite field and is called binary finite field. It is a vector space
of dimension m over GF(2) i.e. there exists a set of m elements {αm-
1, …,α1, α0} each αi ∈ {0,1} in GF(2m
) such that each a ∈ GF(2m
)
a = αm-1xm-1
+ … + α1x + α0
Additionally it satisfies the following arithmetic operations :
a = {am-1,..a1,a0} and b = {bm-1,..b1,b0} ∈ GF(2m
)
• Addition : a + b = c = {cm-1,..c1,c0} where ci = (ai + bi) mod 2. c
∈ GF(2m
)
• Multiplication : a . b = c = {cm-1,..c1,c0} where c is the
remiander of the division of the polynomial a(x) . b(x) by an
irreducible polynomial of degree m. c ∈ GF(2m
)
7

8. Definition of Elliptic curves
An elliptic curve over a field K is a nonsingular
cubic curve in two variables, f(x,y) =0 with a
rational point (which may be a point at infinity).
The field K is usually taken to be the complex
numbers, reals, rationals, algebraic extensions of
rationals, p-adic numbers, or a finite field.
Elliptic curves groups for cryptography are
examined with the underlying fields of Fp (where
p>3 is a prime) and F2
m
(a binary representation
with 2m
elements).

9. General form of a EC
An elliptic curve is a plane curve defined by an
equation of the form
baxxy ++= 32
Examples

10. Let GF(p) be a finite field, p > 3, and let a, b ∈ GF(p) are
constant such that
4a3
+ 27b2
≡ 0 (mod p).
An elliptic curve, E(a,b)
(GF(p)), is defined as the set of points
(x,y) ∈ GF(p) * GF(p) which satisfy the equation
y2
≡ x3
+ ax + b (mod p)
together with a special point, O, called the point at infinity.
Elliptic Curve over GF(p)
10

11. P and Q be two points on E(a,b)
(GF(p)) and O is the point at infinity.
• P+O = O+P = P
• If P = (x1
,y1
) then -P = (x1
,-y1
)
and P + (-P) = O.
• If P = (x1
,y1
) and Q = (x2
,y2
), and P and Q are not O.
then P +Q = (x3
,y3
) where
x3
= λ2
- x1
- x2
y3
= λ(x1
- x2
) - y1
and λ = (y2
-y1
)/(x2
-x1
) if P ≠ Q
Elliptic Curve over GF(p)
11

12. Task 1 - Multiplication c = a.b in GF11
 Compile a multiplication table for c = a . b mod 11
 Determine the solutions of the equation x2
= 5 mod 11
 You have about 10 minutes for this task

13. Solution 1 : Multiplication c = a.b in
GF11
 x2
= 5 mod 11 ?
 x1 = 4, x2 = 7

14. Task 2 : Iterate a Point on the
Elliptic Curve
 Iterate the point P(2,4) lying on y2
= x3
+ x + 6 mod 11:
 Compute P2 = P  P by doubling the point P
 Compute P3 = P  P  P = P2  P by point addition
 All operations are computed in GF11

15. • Elliptic curve E(a,b)
(GF(2m
)) is defined to be
the set of points (x,y) ∈ GF(2m
) * GF(2m
) which satisfy the
equation
y2
+ xy = x3
+ ax2
+ b;
where a, b ∈ GF(2m
) and b≠0,
together with the point on the curve at infinity, O.
• The points on an elliptic curve form an abelian group under a
well defined group operation.
The identity of the group operation is the point O.
Elliptic Curve over GF(2m
) for some m ≥ 1.
15

16. Elliptic Curve over GF(2m
) for some m ≥ 1.
P and Q be two points on E(a,b)
(GF(2m
)) and O is the point at infinity.
• P+O = O+P = P
• If P = (x1
,y1
) then -P = (x1
,-y1
)
and P + (-P) = O.
• If P = (x1
,y1
) and Q = (x2
,y2
), and P and Q are not O, then P +Q =
(x3
,y3
):
if P ≠ Q
x3
= λ2
+ λ + x1
+ x2
+ a
y3
= λ(x1
+ x3
) + x3
+ y1
and
λ = (y1
+y2
)/(x1
+x2
)
if P = Q
x3
= λ2
+ λ + a
y3
= x1
2
+ (λ + 1)x 1
16

17. What Is Elliptic Curve
Cryptography (ECC)?
Elliptic curve cryptography [ECC] is a public-key
cryptosystem just like RSA, Rabin, and El Gamal.
Every user has a public and a private key.
 Public key is used for encryption/signature verification.
 Private key is used for decryption/signature generation.
Elliptic curves are used as an extension to other
current cryptosystems.
 Elliptic Curve Diffie-Hellman Key Exchange
 Elliptic Curve Digital Signature Algorithm

18. Using Elliptic Curves In Cryptography
The central part of any cryptosystem involving
elliptic curves is the elliptic group.
All public-key cryptosystems have some
underlying mathematical operation.
RSA has exponentiation (raising the message or
ciphertext to the public or private values)
ECC has point multiplication (repeated addition of two
points).

19. Elliptic Curve Discrete Logarithm
Problem (ECDLP)
 Given an elliptic curve
y2 = x3 + ax + b mod p and
a basis point P,
we can compute Q = Pk through k-1
iterative point additions.
 Fast algorithms for this task exist.
 Question: Is it possible to compute k
when the point Q is known?
 Answer: This is a hard problem known as
the Elliptic Curve Discrete Logarithm.

20. ECC Domain Parameters
ECC domain parameters over GF(q), are a six tuple:
T = (q, a, b, G, n, h)
• q = p or q = 2m
• a and b ∈ GF(q)
y2
≡ x3
+ ax + b (mod p) for q = p > 3
y2
+ xy = x3
+ ax2
+ b for q = 2m
≥ 1
• a base point G = (xG
,yG
) on E(a,b)(
GF(q)),
• a number n which is the order of G
(The order of a point P on an elliptic curve is the smallest
positive integer n such that nP = O.)
• h = #E/n. where #E represents number of points on elliptic
curve and is called the curve order.
20

21. Key Generation
 Agree on the following (public):
 Curve parameters (a, b)
 The modulus p
 Base point G (on the curve)
 Pick a random integer n as private key
 Calculate public key P = n*G
21

22. Diffie-Hellman (DH) Key Exchange

23. ECC Diffie-Hellman
Public: Elliptic curve and point G=(x,y) on curve
Secret: Alice’s a and Bob’s b
Alice, A Bob, B
a(x,y)
b(x,y)
• Alice computes a(b(x,y))
• Bob computes b(a(x,y))
• These are the same since ab = ba

24. Example – Elliptic Curve
Diffie-Hellman Exchange
 Alice and Bob want to agree on a shared key.
 Alice and Bob compute their public and private keys.
 Alice
 Private Key = nA
 Public Key = PA = nA* G
 Bob
 Private Key = nB
 Public Key = PB = nB * G
 Alice and Bob send each other their public keys.
 Both take the product of their private key and the other user’s
public key.
 Alice  KAB = PB*nA = (nB * G)*nA
 Bob  KAB = PA* nB = (nA* G)*nB
 Shared Secret Key = KAB = nA *nB * G

25. Encryption/Decryption
 Alice represents her text or data to send as a point Pm
 Alice sends Bob a pair of points:
Cm= {k*G, Pm + k*PB}
where k = randomly chosen integer
 Bob decrypts the message using his private key:
Pm + k*P – nB (k*G) = Pm + k(nB *G) - nB (k*G) = Pm
25

26. Example – Elliptic Curve Cryptosystem
Analog to El Gamal
Suppose Alice wants to send to Bob an encrypted
message.
 Both agree on a base point, G.
 Alice and Bob create public/private keys.
 Alice
 Private Key = a
 Public Key = PA = a* G
 Bob
 Private Key = b
 Public Key = PB = b * G
 Alice takes plaintext message, M, and encodes it onto a
point, PM, from the elliptic group

27. Example – Elliptic Curve Cryptosystem
Analog to El Gamal
Alice chooses another random integer, k from
the interval [1, p-1]
The ciphertext is a pair of points
 CM = [ (kG), (PM + kPB) ]
To decrypt, Bob computes the product of the first
point from PC and his private key, b
 b * (kG)
Bob then takes this product and subtracts it from
the second point from PC
 (PM + kPB) – [b(kG)] = PM + k(bG) – b(kG) = PM
Bob then decodes PM to get the message, M.

28. Example – Compare to El Gamal
The ciphertext is a pair of points
 CM = [ (kG), (PM + kPB) ]
The ciphertext in El Gamal is also a pair.
 C = (gk
mod p, mPB
k
mod p)
------------------------------------------------------------------
-Bob then takes this product and subtracts it
from the second point from PC
 (PM + kPB) – [b(kG)] = PM + k(bG) – b(kG) = PM
In El Gamal, Bob takes the quotient of the
second value and the first value raised to Bob’s
private value
 m = mPB
k
/ (gk
)b
= mgk*b
/ gk*b
= m

29. Why use ECC?
How do we analyze Cryptosystems?
 How difficult is the underlying problem that it is based upon
 RSA – Integer Factorization
 DH – Discrete Logarithms
 ECC - Elliptic Curve Discrete Logarithm problem
 How do we measure difficulty?
 We examine the algorithms used to solve these problems

30. Security of ECC
 The difficult mathematical problem is called the
 elliptic curve discrete logarithm problem
 That is, given P and G, (and P= n*G), find n
 not susceptible to common attacks
 Runs in exponential time
 RSA runs in sub-exponential time

31. Applications of ECC
Many devices are small and have limited
storage and computational power
Where can we apply ECC?
 Wireless communication devices
 Smart cards
 Web servers that need to handle many encryption
sessions
 Any application where security is needed but
lacks the power, storage and computational
power that is necessary for our current
cryptosystems

32. Benefits of ECC
Same benefits of the other cryptosystems:
confidentiality, integrity, authentication and non-
repudiation but…
Shorter key lengths
 Encryption, Decryption and Signature Verification speed
up
 Storage and bandwidth savings

33. Summary of ECC
“Hard problem” analogous to discrete log
 Q=kP, where Q,P belong to a prime curve
given k,P  “easy” to compute Q
given Q,P  “hard” to find k
 known as the elliptic curve logarithm problem
 k must be large enough
ECC security relies on elliptic curve logarithm
problem
 compared to factoring, can use much smaller key sizes
than with RSA etc
 for similar security ECC offers significant
computational advantages