2. Introduction
• ECC was introduced by Victor Miller and Neal Koblitz in 1985.
• DSA and RSA need larger key lengths.
• ECC requires a significantly smaller key size for the same level of security.
• Benefits of smaller key sizes: faster computations, less storage space.
• ECC is ideal for constrained environments: pagers, PDAs, cellular phones, smart cards.
3. Group
A group is an algebraic system consisting of a set G together with a binary operation * defined on G satisfying the following axioms:
1. Closure: for all x, y in G we have x * y ∈ G
2. Associativity: for all x, y and z in G we have (x * y) * z = x * (y * z)
3. Identity: there exists an e in G such that x * e = e * x = x for all x
4. Inverse: for all x in G there exists y in G such that x * y = y * x = e
In addition, if for all x, y in G we have x * y = y * x, then we say that the group G is abelian.
4. Finite Field
A finite field is an algebraic system consisting of a set F together with two binary operations + and * defined on F satisfying the following axioms:
1. F is an abelian group with respect to +.
2. F \ {0} is an abelian group with respect to *.
3. For all x, y and z in F we have
x * (y + z) = (x * y) + (x * z)
(x + y) * z = (x * z) + (y * z)
The order of the finite field is the number of elements in the field.
5. Galois Fields
The polynomials
Z_p[x] mod p(x)
where
p(x) ∈ Z_p[x],
p(x) is irreducible,
and deg(p(x)) = n (i.e., n+1 coefficients)
form a finite field. Such a field has p^n elements.
These fields are called Galois Fields or GF(p^n).
The special case n = 1 reduces to the fields Z_p.
The multiplicative group of GF(p^n)/{0} is cyclic.
6. Galois Field GF(p)
It is a finite field and it consists of a set of integers {0, 1, 2, 3, …, p-1} where p is a prime number. Additionally it satisfies the following arithmetic operations:
1. Addition: if a, b ∈ GF(p), then a + b = r where r is the remainder of the division of a + b by p and 0 ≤ r ≤ p-1. This operation is called addition modulo p.
2. Multiplication: if a, b ∈ GF(p), then a . b = s where s is the remainder of the division of a . b by p and 0 ≤ s ≤ p-1. This operation is called multiplication modulo p.
7. Galois Field GF(2^m)
It is a finite field and is called a binary finite field. It is a vector space of dimension m over GF(2), i.e. there exists a set of m elements {α_{m-1}, …, α_1, α_0}, each α_i ∈ {0,1}, in GF(2^m) such that each a ∈ GF(2^m)
a = α_{m-1}x^{m-1} + … + α_1 x + α_0
Additionally it satisfies the following arithmetic operations:
a = {a_{m-1}, …, a_1, a_0} and b = {b_{m-1}, …, b_1, b_0} ∈ GF(2^m)
• Addition: a + b = c = {c_{m-1}, …, c_1, c_0} where c_i = (a_i + b_i) mod 2. c ∈ GF(2^m)
• Multiplication: a . b = c = {c_{m-1}, …, c_1, c_0} where c is the remainder of the division of the polynomial a(x) . b(x) by an irreducible polynomial of degree m. c ∈ GF(2^m)
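The GF(2^m) addition and multiplication rules above, and the cyclic multiplicative group from slide 5, worked through in code; this is an added example, not part of the original slides. The field GF(2^4), the modulus x^4 + x + 1, the reducible counter-example x^4 + 1 and all function names are choices made for this example.

```python
# GF(2^m) elements as ints: bit i is the coefficient of x^i.
# Constructed choice for this example: m = 4, modulus x^4 + x + 1 (irreducible).
M = 4
IRREDUCIBLE = 0b10011   # x^4 + x + 1
REDUCIBLE = 0b10001     # x^4 + 1 = (x + 1)^4, used to show what goes wrong

def gf_add(a, b):
    return a ^ b        # c_i = (a_i + b_i) mod 2

def gf_mul(a, b, poly=IRREDUCIBLE, m=M):
    """Remainder of a(x) * b(x) divided by poly, computed by shift-and-xor."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> m:          # degree reached m: subtract (xor) the modulus
            a ^= poly
    return r

def gf_inv(a, poly=IRREDUCIBLE, m=M):
    """Inverse by exhaustive search; returns None if a has no inverse."""
    for b in range(1, 1 << m):
        if gf_mul(a, b, poly, m) == 1:
            return b
    return None

def order(a):
    """Multiplicative order of a non-zero element of GF(2^M)."""
    x, k = a, 1
    while x != 1:
        x, k = gf_mul(x, a), k + 1
    return k

def generators():
    """Elements whose powers reach all 2^M - 1 non-zero elements."""
    return [a for a in range(1, 1 << M) if order(a) == (1 << M) - 1]

if __name__ == "__main__":
    print("x * x^3 =", bin(gf_mul(0b0010, 0b1000)))   # x^4 reduces to x + 1
    print("generators:", generators())
    print("non-invertible mod x^4 + 1:",
          [a for a in range(1, 16) if gf_inv(a, REDUCIBLE) is None])
```

With the reducible modulus some non-zero elements have no inverse and (x^2 + 1)^2 is zero, so the structure is not a field; that is why the slide requires an irreducible polynomial.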
8. Definition of Elliptic curves
An elliptic curve over a field K is a nonsingular cubic curve in two variables, f(x,y) = 0, with a rational point (which may be a point at infinity).
The field K is usually taken to be the complex numbers, reals, rationals, algebraic extensions of rationals, p-adic numbers, or a finite field.
Elliptic curve groups for cryptography are examined with the underlying fields of F_p (where p > 3 is a prime) and F_{2^m} (a binary representation with 2^m elements).
9. General form of an EC
An elliptic curve is a plane curve defined by an equation of the form
y^2 = x^3 + ax + b
Examples
10. Elliptic Curve over GF(p)
Let GF(p) be a finite field, p > 3, and let a, b ∈ GF(p) be constants such that
4a^3 + 27b^2 ≡ 0 (mod p).
An elliptic curve, E_(a,b)(GF(p)), is defined as the set of points (x,y) ∈ GF(p) * GF(p) which satisfy the equation
y^2 ≡ x^3 + ax + b (mod p)
together with a special point, O, called the point at infinity.
11. Elliptic Curve over GF(p)
Let P and Q be two points on E_(a,b)(GF(p)) and O the point at infinity.
• P + O = O + P = P
• If P = (x_1, y_1) then -P = (x_1, -y_1) and P + (-P) = O.
• If P = (x_1, y_1) and Q = (x_2, y_2), and P and Q are not O, then P + Q = (x_3, y_3) where
x_3 = λ^2 - x_1 - x_2
y_3 = λ(x_1 - x_2) - y_1
and λ = (y_2 - y_1)/(x_2 - x_1) if P ≠ Q
12. Task 1 - Multiplication c = a.b in GF11
Compile a multiplication table for c = a . b mod 11
Determine the solutions of the equation x^2 = 5 mod 11
You have about 10 minutes for this task
13. Solution 1: Multiplication c = a.b in GF11
x^2 = 5 mod 11 ?
x_1 = 4, x_2 = 7
14. Task 2: Iterate a Point on the Elliptic Curve
Iterate the point P(2,4) lying on y^2 = x^3 + x + 6 mod 11:
Compute P2 = P P by doubling the point P
Compute P3 = P P P = P2 P by point addition
All operations are computed in GF11
15. Elliptic Curve over GF(2^m) for some m ≥ 1.
• Elliptic curve E_(a,b)(GF(2^m)) is defined to be the set of points (x,y) ∈ GF(2^m) * GF(2^m) which satisfy the equation
y^2 + xy = x^3 + ax^2 + b;
where a, b ∈ GF(2^m) and b ≠ 0, together with the point on the curve at infinity, O.
• The points on an elliptic curve form an abelian group under a well defined group operation.
The identity of the group operation is the point O.
16. Elliptic Curve over GF(2^m) for some m ≥ 1.
Let P and Q be two points on E_(a,b)(GF(2^m)) and O the point at infinity.
• P + O = O + P = P
• If P = (x_1, y_1) then -P = (x_1, -y_1) and P + (-P) = O.
• If P = (x_1, y_1) and Q = (x_2, y_2), and P and Q are not O, then P + Q = (x_3, y_3):
if P ≠ Q
x_3 = λ^2 + λ + x_1 + x_2 + a
y_3 = λ(x_1 + x_3) + x_3 + y_1
and
λ = (y_1 + y_2)/(x_1 + x_2)
if P = Q
x_3 = λ^2 + λ + a
y_3 = x_1^2 + (λ + 1)x_1
17. What Is Elliptic Curve Cryptography (ECC)?
Elliptic curve cryptography [ECC] is a public-key
cryptosystem just like RSA, Rabin, and El Gamal.
Every user has a public and a private key.
Public key is used for encryption/signature verification.
Private key is used for decryption/signature generation.
Elliptic curves are used as an extension to other
current cryptosystems.
Elliptic Curve Diffie-Hellman Key Exchange
Elliptic Curve Digital Signature Algorithm
18. Using Elliptic Curves In Cryptography
The central part of any cryptosystem involving
elliptic curves is the elliptic group.
All public-key cryptosystems have some
underlying mathematical operation.
RSA has exponentiation (raising the message or
ciphertext to the public or private values)
ECC has point multiplication (repeated addition of two
points).
19. Elliptic Curve Discrete Logarithm Problem (ECDLP)
Given an elliptic curve
y^2 = x^3 + ax + b mod p and
a basis point P,
we can compute Q = Pk through k-1
iterative point additions.
Fast algorithms for this task exist.
Question: Is it possible to compute k
when the point Q is known?
Answer: This is a hard problem known as
the Elliptic Curve Discrete Logarithm.
20. ECC Domain Parameters
ECC domain parameters over GF(q) are a six-tuple:
T = (q, a, b, G, n, h)
• q = p or q = 2^m
• a and b ∈ GF(q)
y^2 ≡ x^3 + ax + b (mod p) for q = p > 3
y^2 + xy = x^3 + ax^2 + b for q = 2^m ≥ 1
• a base point G = (x_G, y_G) on E_(a,b)(GF(q)),
• a number n which is the order of G
(The order of a point P on an elliptic curve is the smallest positive integer n such that nP = O.)
• h = #E/n, where #E represents the number of points on the elliptic curve and is called the curve order.
21. Key Generation
Agree on the following (public):
Curve parameters (a, b)
The modulus p
Base point G (on the curve)
Pick a random integer n as private key
Calculate public key P = n*G
23. ECC Diffie-Hellman
Public: Elliptic curve and point G=(x,y) on curve
Secret: Alice’s a and Bob’s b
Alice (A) sends a(x,y) to Bob (B)
Bob (B) sends b(x,y) to Alice (A)
• Alice computes a(b(x,y))
• Bob computes b(a(x,y))
• These are the same since ab = ba
24. Example – Elliptic Curve Diffie-Hellman Exchange
Alice and Bob want to agree on a shared key.
Alice and Bob compute their public and private keys.
Alice
Private Key = n_A
Public Key = P_A = n_A * G
Bob
Private Key = n_B
Public Key = P_B = n_B * G
Alice and Bob send each other their public keys.
Both take the product of their private key and the other user’s public key.
Alice K_AB = P_B * n_A = (n_B * G) * n_A
Bob K_AB = P_A * n_B = (n_A * G) * n_B
Shared Secret Key = K_AB = n_A * n_B * G
25. Encryption/Decryption
Alice represents her text or data to send as a point P_m
Alice sends Bob a pair of points:
C_m = {k*G, P_m + k*P_B}
where k = randomly chosen integer
Bob decrypts the message using his private key:
P_m + k*P_B – n_B(k*G) = P_m + k(n_B*G) - n_B(k*G) = P_m
26. Example – Elliptic Curve Cryptosystem Analog to El Gamal
Suppose Alice wants to send to Bob an encrypted message.
Both agree on a base point, G.
Alice and Bob create public/private keys.
Alice
Private Key = a
Public Key = P_A = a * G
Bob
Private Key = b
Public Key = P_B = b * G
Alice takes plaintext message, M, and encodes it onto a point, P_M, from the elliptic group
27. Example – Elliptic Curve Cryptosystem Analog to El Gamal
Alice chooses another random integer, k, from the interval [1, p-1]
The ciphertext is a pair of points
C_M = [ (kG), (P_M + kP_B) ]
To decrypt, Bob computes the product of the first point from P_C and his private key, b
b * (kG)
Bob then takes this product and subtracts it from the second point from P_C
(P_M + kP_B) – [b(kG)] = P_M + k(bG) – b(kG) = P_M
Bob then decodes P_M to get the message, M.
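Task 2, the Diffie-Hellman exchange of slides 23 and 24, and the El Gamal analog of slides 25 to 27, carried through on the Task 2 curve y^2 = x^3 + x + 6 mod 11 with G = P(2,4); this is an added example, not part of the original slides. It uses the standard affine group law, with y_3 = λ(x_1 - x_3) - y_1 and the doubling slope λ = (3x_1^2 + a)/(2y_1), which the slides do not list. The function names, the private keys 3 and 7, the nonce k = 5, the message point (8,8) and the on-curve check on a received key are assumptions made for this example.

```python
# Toy parameters from Task 2 on the slides: y^2 = x^3 + x + 6 over GF(11), G = P(2,4).
# The group has only 13 points, so this is for hand-checking, never for real keys.
p, a, b, G, O = 11, 1, 6, (2, 4), None   # O = point at infinity

def on_curve(P):
    return P is O or (P[1] ** 2 - (P[0] ** 3 + a * P[0] + b)) % p == 0

def neg(P):
    return O if P is O else (P[0], -P[1] % p)

def add(P, Q):
    if P is O: return Q
    if Q is O: return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return O                                              # P + (-P) = O
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1 % p, -1, p) % p  # tangent (doubling)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % p, -1, p) % p       # chord (P != Q)
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def mul(k, P):
    R = O                                   # double-and-add, O(log k) additions
    while k:
        if k & 1:
            R = add(R, P)
        P, k = add(P, P), k >> 1
    return R

def shared_secret(n, peer_pub):
    # Reject the identity and off-curve points before using a received key.
    if peer_pub is O or not on_curve(peer_pub):
        raise ValueError("invalid public key")
    return mul(n, peer_pub)

def encrypt(Pm, PB, k):                     # C = (kG, Pm + k*PB)
    return mul(k, G), add(Pm, mul(k, PB))

def decrypt(C, nB):                         # Pm = C2 - nB*(kG)
    return add(C[1], neg(mul(nB, C[0])))

if __name__ == "__main__":
    nA, nB = 3, 7                           # constructed private keys
    PA, PB = mul(nA, G), mul(nB, G)
    print("2P, 3P:", mul(2, G), mul(3, G))
    print("ECDH:", shared_secret(nA, PB), shared_secret(nB, PA))
    print("ElGamal:", decrypt(encrypt((8, 8), PB, 5), nB))
```

Requires Python 3.8 or later for the modular inverse via `pow(x, -1, p)`.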
28. Example – Compare to El Gamal
The ciphertext is a pair of points
C_M = [ (kG), (P_M + kP_B) ]
The ciphertext in El Gamal is also a pair.
C = (g^k mod p, m·P_B^k mod p)
------------------------------------------------------------------
Bob then takes this product and subtracts it from the second point from P_C
(P_M + kP_B) – [b(kG)] = P_M + k(bG) – b(kG) = P_M
In El Gamal, Bob takes the quotient of the second value and the first value raised to Bob’s private value
m = m·P_B^k / (g^k)^b = m·g^(k*b) / g^(k*b) = m
29. Why use ECC?
How do we analyze Cryptosystems?
How difficult is the underlying problem that it is based upon
RSA – Integer Factorization
DH – Discrete Logarithms
ECC - Elliptic Curve Discrete Logarithm problem
How do we measure difficulty?
We examine the algorithms used to solve these problems
30. Security of ECC
The difficult mathematical problem is called the
elliptic curve discrete logarithm problem
That is, given P and G, (and P= n*G), find n
not susceptible to common attacks
Runs in exponential time
RSA runs in sub-exponential time
31. Applications of ECC
Many devices are small and have limited
storage and computational power
Where can we apply ECC?
Wireless communication devices
Smart cards
Web servers that need to handle many encryption
sessions
Any application where security is needed but
lacks the power, storage and computational
power that is necessary for our current
cryptosystems
32. Benefits of ECC
Same benefits of the other cryptosystems: confidentiality, integrity, authentication and non-repudiation but…
Shorter key lengths
Encryption, Decryption and Signature Verification speed up
Storage and bandwidth savings
33. Summary of ECC
“Hard problem” analogous to discrete log
Q=kP, where Q,P belong to a prime curve
given k,P “easy” to compute Q
given Q,P “hard” to find k
known as the elliptic curve logarithm problem
k must be large enough
ECC security relies on elliptic curve logarithm
problem
compared to factoring, can use much smaller key sizes
than with RSA etc
for similar security ECC offers significant
computational advantages