ecc intro oct 2011

Elliptic Curve Cryptography - An Introduction

Marisa Paryasto3320700227 October 2011

1Friday, October 28, 2011

What is Elliptic Curve Cryptography?

‣ Originally proposed by Victor Miller and Neal Koblitz independently from one another in 1985

‣ ECC proposed an alterna@ve to other public-‐key encryp@on algorithms, such as RSA


Elliptic Curve

Called “ellip@c” because of its rela@onship with ellip@c integrals, which are natural expressions for the arc length of an ellipse

y2 = x3 + ax + b

Ellip@c curve is not an ellipse!


y2 = x3 - x


y2 = x3


y2 = x3 - 4/3x + 16/27


y2 = x3 - 1/2x + 1/2


Elliptic Curve Cryptography

‣ Point mul@plica@on Q = kP

‣ Repeated point addi@on and doubling:9P = 2(2(2P)) + P

‣ Public key opera@on: Q(x,y) = kP(x,y) Q = public key P = base point (curve parameter) k = private key n = order of P

‣ Ellip@c curve discrete logarithm Given public key kP, find private key k


Elliptic Curve Addition

P+Q

P

Q


Multiplying 3P in Elliptic Curve (1)

P+P = 2P

P


Multiplying 3P in Elliptic Curve (2)

3P P

P+P = 2P

Notes: 3P = 2P + P -> draw a line that crosses point 2P and P


Encryption Process

!"#$$%&

'%($)!

*+,-,.,/,/&,01*22,0&

21,/,3**&4******&&

!"#$%&'(&

*+&,-,.,/,/&,01*22,0&

21,/,3**&4******5&

*+&,6,1,7,3&212.,6,1&

,.,7,3,1&2127,.,2

89:

)$*+$%&'*', (-.+/-!0$%&+

12"&$!"$3#&$0%+

0%+32,4'

*+&2/-;#.,6&.<-467<2&

7-21##6*&6*7<-;665&

*+&-7327-16&<3*;))37&

-7;3-73*&1;1;7-71

(5.+/5

30%4',6$0%+

&0+

%21)',

'1)'7+

&0+

32,4'

'%3,/!&'7+

7#&#+

8!0$%&9


Decryption Process

!"#$$%&

'%($)!

*+,-,.,/,/&,01*22,0&

21,/,3**&4******&&

!"#$%&'(&

*+&,-,.,/,/&,01*22,0&

21,/,3**&4******5&

*+&,6,1,7,3&212.,6,1&

,.,7,3,1&2127,.,2

)&8&9

)$*+$%&'*',(-.+/-!0$%&+

12"&$!"$3#&$0%+

0%+32,4'

5'3,/!&$0%+

!,03'66*+&2/-:#.,6&.;-467;2&

7-21##6*&6*7;-:665&

*+&-7327-16&;3*:))37&

-7:3-73*&1:1:7-71

7+8+9(:.+/:;


Elliptic Curve y2 = x3 + x + 6 is defined over Z11

0

1

2

3

4

5

6

7

8

9

10

0 2 4 6 8 10 12

Z11


An elliptic curve E: y2 = x3 + x + 6 is defined over Z11


Calculating Quadratic Residue


Points on Curve


‣ There are 12 points lying on the ellip@c curve. Together with the point O at infinity, the points on the ellip@c curve form a group with n = 13 elements.

‣ n is called the order of the ellip@c curve group and depends on the choice of the curve parameters a and b.


Point Addition

m =y2 − y1x2 − x1

=9− 4

5− 2=

5

3= 5 · 4 = 20 = 9

x3 = m2 − x1 − x2 = (9)2 − 2− 5 = 81− 7 = 74 = 8

y3 = m(x1 − x3)− y1 = 9(2− 8)− 4 = 9(−6)− 4 = −54− 4 = −58 = 8

P3 = (x3, y3) = (8, 8)

P1 = (2, 4) P2 = (5, 9)

P1 + P2 = P3 = (x3, y3)


Point Doubling

‣ Iterate the point (7, 2) lying on y_2 = x_3 + x + 6 mod 11

‣ Compute P2 = P * P by doubling the point P

m =dy

dx=

x12 + b

2y1=

3(7)2 + 1

2(2)=

147 + 1

4=

148

4= 148 · 3 = 53̇ = 15 = 4

x2 = m2 − 2x1 = (4)2 − 2(7) = 16− 14 = 2

y2 = m(x1 − x2)− y1 = 4(7− 2)− 2 = 4(5)− 2 = 20− 2 = 18 = 7

P 2 = P ∗ P = (x2, y2) = (2, 7)


More point doubling

Compute P3 = P2 * P

P 2 = (2, 7)

P = (7, 2)

m =y2 − y1x2 − x1

=2− 7

7− 2=

−5

5=

6

5= 6 · 9 = 54 = 10

x3 = m2 − x1 − x2 = (10)2 − 2− 7 = 100− 9 = 91 = 3

y3 = m(x1 − x3)− y1 = 10(2− 3)− 7 = 10(−1)− 7 = −10− 7 = −17 = 5

P 2 = P ∗ P = (x3, y3) = (3, 5)


Representing plaintext

‣ Let

‣ Message m (representated as a number) will be embedded in the x-coordinate of a point

‣ Adjoin a few bits at the end of m and adjust until we get a number x such that x3 + bx + c is square mod p

E : y2 ≡ x3 + bx+ c(mod p)


Representing plaintext (example)

‣ Let p = 179 and

‣ If failure rate of then we may take K = 10

‣ We need , we need

‣ Suppose our message is m = 5. We consider x of the form

‣ The possible choices for x are 50, 51, .., 59. For x = 51 we get

‣ Thus, we represent the message m = 5 by the point (insert encryption process)

‣ The message m can be recovered by

E : y2 = x3 + 2x+ 7

1

210

m.K +K < 179 0 ≤ m ≤ 16

m.K + j = 50 + j

x3 + 2x+ 7 ≡ 121(mod 179) 112 = 121(mod 179)

Pm = (51, 11)

m =�5110

�= 5


Basic ElGamal

ElGamal Encryption

INPUT: Elliptic curve domain parameters ,public key , plaintext

OUTPUT: Ciphertext

1.Represent the message as a point in

2.Select3.Compute4.Compute5.Return

(p,E, P, n)

Q m

(C1, C2)

m

M E(Fp)

k ∈R [1, n− 1]

C1 = kP

C2 = M + kQ

(C1, C2)

ElGamal Decryption

INPUT: Domain parameters, private key , ciphertext

OUTPUT: Plaintext

1. Compute , and extract from

2. Return( )

(p,E, P, n)(C1, C2)d

m

m

M = C2 − dC1

m M


poly_prime = 80000000 3 NUMBITS = 63NUMWORD = 1setting up curve

the curve after setting up: form: 1a2: 0 2 a6: 0 1

counter = 0inc = 1Base pointx: 2e7cf965 63323eab y: 730a0498 5b456f7d

create side 2's private key

Side 2 secret:10fc68f8 254d4d11

Generate side 2's public key

Side 2 public keyx: 47a20fe7 9afa870f y: 3c871ef9 9f291729 data = 0 123

Hide data on curve and send from side 1 to side 2

curve before send_elgamal: form: 1a2: 0 2 a6: 0 1

Their_public before send_elgamal: x: 47a20fe7 9afa870f y: 3c871ef9 9f291729

Time of execution: 0.013889 seconds=====IN send_elgamal=====data (in send_gamal function) : 0 123 Base pointx: 2e7cf965 63323eab y: 730a0498 5b456f7d Base curveform: 1a2: 0 2 a6: 0 1

random value: 52d518f2 9979dd24 Random point C1x: 5458cfc 12efc03c y: 52d6eb3 a6af454b counter = 0inc = 0raw point M (after poly_embed)x: 0 123 y: 628f64a8 105671e3 Their_public: x: 47a20fe7 9afa870f y: 3c871ef9 9f291729 hidden point (after poly_elptic_mul)x: 3e2ca01d e1b52870 y: 523fa9bd ab463883 Hidden data (C2): x: 23f5fe99 de42125d y: 68420248 dfab3f44 Random point (C1): x: 5458cfc 12efc03c y: 52d6eb3 a6af454b =====OUT send_elgamal


AFTER send_elgamalcurve after send_elgamal: form: 1a2: 0 2 a6: 0 1

Hidden data (C2)x: 23f5fe99 de42125d y: 68420248 dfab3f44 Random point (C1)x: 5458cfc 12efc03c y: 52d6eb3 a6af454b

Recover transmitted message

IN receive_elgamalBase curve in receive_elgamalform: 1a2: 0 2 a6: 0 1

Hidden_data (in receive_elgamal) : x: 23f5fe99 de42125d y: 68420248 dfab3f44 Random pointx: 5458cfc 12efc03c y: 52d6eb3 a6af454b hidden_point (d*C1): x: 3e2ca01d e1b52870 y: 523fa9bd ab463883 &raw_point:

x: 0 123 y: 628f64a8 105671e3 raw_point.x 0 123 &raw_data (point): x: bffff5ac bffff5e8 y: 8fe018b1 0 raw_data (point): x: 0 123 y: 0 123 &raw_data (field): bffff5ac bffff5e8 raw_data (field): 0 123 =====OUT receive elgamal

sent data 0 123 received data (field) 0 123


ecc intro oct 2011

Education